My servers have been subjected to extra ssh traffic in the last few days:
Nov 16 13:25:14 gc-blog sshd[6625]: Illegal user admin from ::ffff:[IPaddress]
Nov 16 13:25:16 gc-blog sshd[6628]: Illegal user test from ::ffff:[IPaddress]
Nov 16 13:25:19 gc-blog sshd[6631]: Illegal user guest from ::ffff:[IPaddress]
Nov 16 13:25:26 gc-blog sshd[6637]: Illegal user webmaster from ::ffff:[IPaddress]
Nov 16 13:25:36 gc-blog sshd[6645]: Illegal user oracle from ::ffff:[IPaddress]
Nov 16 13:25:38 gc-blog sshd[6647]: Illegal user library from ::ffff:[IPaddress]
Nov 16 13:25:41 gc-blog sshd[6650]: Illegal user info from ::ffff:[IPaddress]
Nov 16 13:25:43 gc-blog sshd[6653]: Illegal user shell from ::ffff:[IPaddress]
Nov 16 13:25:50 gc-blog sshd[6658]: Illegal user linux from ::ffff:[IPaddress]
Nov 16 13:25:53 gc-blog sshd[6661]: Illegal user unix from ::ffff:[IPaddress]
Nov 16 13:25:55 gc-blog sshd[6664]: Illegal user webadmin from ::ffff:[IPaddress]
Nov 16 13:26:05 gc-blog sshd[6672]: Illegal user test from ::ffff:[IPaddress]
Nov 16 13:26:09 gc-blog sshd[6678]: Illegal user admin from ::ffff:[IPaddress]
SANS also had a post – http://isc.sans.org/diary.php?storyid=846
I’m keeping an eye on behaviour – I think my sshd are configured reasonably well.
More likely a variant of this:
http://blog2.myu-k.co.jp/monar/img/brutessh.txt
than a DDOS on you.
I’ve seen tons of attacks like this on my home iMac. I just configured myself as the only allowed user and made sure my password was reasonably secure.
I’ve had a few customers hit by this; it appears to be a 100% bot/script attack. The script finds a working user password, then deposits a small remote kit on the user account that makes the user join an IRC-based botnet. The botnet then spams and DDOSes using that account.
Nasty stuff, but not a rootkit, unless they get the root password, of course. 🙂
I get this all the time – I found a cool script that checks syslog for failures on a recurring basis and adds hosts found with more than x bad attempts to /etc/hosts.deny. I’ve got hundreds in my file after a few months.
http://denyhosts.sourceforge.net
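The count-failures-then-deny-the-host logic the commenter above describes, run over sshd log lines in the same "Illegal user ... from ::ffff:..." format as the ones at the top of the post. This is an added example, not DenyHosts' own code and not code from the post; the sample lines and the 192.0.2.10 / 198.51.100.7 / 203.0.113.5 addresses are constructed, and the threshold value is an assumption.

```python
import re
from collections import Counter, defaultdict

# Matches the "Illegal user" lines shown in the post, plus the closely related
# "Failed password" lines sshd also emits for bad logins. The "::ffff:" prefix
# is the IPv4-mapped IPv6 form sshd logs when it is listening on an IPv6 socket.
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: (?:Illegal user (?P<user>\S+) from|"
    r"Failed password for (?:invalid user )?(?P<user2>\S+) from) "
    r"(?:::ffff:)?(?P<ip>[0-9a-fA-F.:]+)"
)

# Constructed sample log, modelled on the lines in the post (addresses are
# RFC 5737 documentation ranges, not real hosts).
SAMPLE_LOG = """\
Nov 16 13:25:14 gc-blog sshd[6625]: Illegal user admin from ::ffff:192.0.2.10
Nov 16 13:25:16 gc-blog sshd[6628]: Illegal user test from ::ffff:192.0.2.10
Nov 16 13:25:19 gc-blog sshd[6631]: Illegal user guest from ::ffff:192.0.2.10
Nov 16 13:25:26 gc-blog sshd[6637]: Failed password for invalid user oracle from ::ffff:192.0.2.10 port 4021 ssh2
Nov 16 13:25:36 gc-blog sshd[6645]: Failed password for root from ::ffff:192.0.2.10 port 4030 ssh2
Nov 16 13:27:02 gc-blog sshd[6690]: Illegal user admin from ::ffff:198.51.100.7
Nov 16 13:28:11 gc-blog sshd[6702]: Accepted publickey for alice from 203.0.113.5 port 51022 ssh2
""".splitlines()


def parse_failures(lines):
    """Return (attempts, users): failed-attempt count per source IP, and the
    set of usernames each IP tried. Lines that are not failures are ignored."""
    attempts = Counter()
    users = defaultdict(set)
    for line in lines:
        m = FAILURE_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        attempts[ip] += 1
        users[ip].add(m.group("user") or m.group("user2"))
    return attempts, users


def offenders(attempts, threshold):
    """IPs with more than `threshold` failures, most active first (the "more
    than x bad attempts" rule from the comment)."""
    return [ip for ip, n in attempts.most_common() if n > threshold]


def hosts_deny_entries(ips):
    """Format TCP-wrappers lines suitable for appending to /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in ips]


def scan(lines, threshold=3):
    """Whole pipeline: parse, apply the threshold, produce hosts.deny lines."""
    attempts, _users = parse_failures(lines)
    return hosts_deny_entries(offenders(attempts, threshold))


if __name__ == "__main__":
    attempts, users = parse_failures(SAMPLE_LOG)
    for ip, n in attempts.most_common():
        # Many distinct usernames from one source is the signature of the
        # dictionary-style scan shown in the post.
        print(f"{ip}: {n} failures, {len(users[ip])} distinct users tried")
    for entry in scan(SAMPLE_LOG, threshold=3):
        print(entry)
```

In practice this would read /var/log/auth.log (or wherever syslog puts the authpriv facility) on a cron schedule and append only addresses not already present. Note that sshd consults /etc/hosts.deny only when it was built with TCP wrappers (libwrap) support, which newer OpenSSH releases no longer include; on such systems the same list would feed a packet-filter rule instead.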