Not too long ago, someone posted information on a series of attempts to log on via ssh, more or less brute forcing things. I figured I would throw out some of what I've seen which is similar.
I've been seeing a lot of traffic that behaves in similar fashion, across sensors deployed on various ISPs for which the only common link is being a client of mine, and the attacks. I (and more importantly my clients) stay off the radar pretty well, so I am inclined to think this is a scripted process, executed after a root-kit is installed etc. to further the conquest.
If you watch the behavior, and the ascending port numbers, it looks more and more like I am correct. What I find interesting is the sources change over time, and then we see the script trying an even larger number of user names.
Another reference point - I see this a lot more on roadrunner clients than any others. Someone is ramping up for something, looking for launch platforms is my guess. Anyone interested in seeing the entire conversations (rather than the logged info below) can drop me an e-mail and I will obfuscate things and offer 'em up. Due to confidentiality clauses in my contracts, I will have to munge the IPs that I am protecting, and make a mess of the checksums etc.
Oct 16 22:26:01 [obfuscated] sshd[14705]: Failed password for nobody from 62.188.61.214 port 3201 ssh2
Oct 16 22:26:08 [obfuscated] sshd[14712]: input_userauth_request: illegal user patrick
Oct 16 22:26:11 [obfuscated] sshd[14712]: Failed password for illegal user patrick from 62.188.61.214 port 1622 ssh2
Oct 16 22:26:18 [obfuscated] sshd[14713]: input_userauth_request: illegal user patrick
Oct 16 22:26:21 [obfuscated] sshd[14713]: Failed password for illegal user patrick from 62.188.61.214 port 4104 ssh2
Oct 16 22:26:30 [obfuscated] sshd[14714]: Failed password for root from 62.188.61.214 port 2606 ssh2
Oct 16 22:26:38 [obfuscated] sshd[14715]: Failed password for root from 62.188.61.214 port 4781 ssh2
Oct 16 22:26:50 [obfuscated] sshd[14716]: Failed password for root from 62.188.61.214 port 2941 ssh2

Oct 16 22:25:59 [obfuscated2] sshd(pam_unix)[14705]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=usern214.dsl.pipex.com user=nobody
Oct 16 22:26:08 [obfuscated2] sshd(pam_unix)[14712]: check pass; user unknown
Oct 16 22:26:08 [obfuscated2] sshd(pam_unix)[14712]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=usern214.dsl.pipex.com
Oct 16 22:26:18 [obfuscated2] sshd(pam_unix)[14713]: check pass; user unknown
Oct 16 22:26:18 [obfuscated2] sshd(pam_unix)[14713]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=usern214.dsl.pipex.com
Oct 16 22:26:27 [obfuscated2] sshd(pam_unix)[14714]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=usern214.dsl.pipex.com user=root
Oct 16 22:26:36 [obfuscated2] sshd(pam_unix)[14715]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=usern214.dsl.pipex.com user=root
Oct 16 22:26:47 [obfuscated2] sshd(pam_unix)[14716]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=usern214.dsl.pipex.com user=root

Oct 24 05:01:57 [obfuscated4] sshd(pam_unix)[2541]: check pass; user unknown
Oct 24 05:01:57 [obfuscated4] sshd(pam_unix)[2541]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67
Oct 24 05:02:01 [obfuscated4] sshd(pam_unix)[2548]: check pass; user unknown
Oct 24 05:02:01 [obfuscated4] sshd(pam_unix)[2548]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67
Oct 24 05:02:09 [obfuscated4] sshd(pam_unix)[2549]: check pass; user unknown
Oct 24 05:02:09 [obfuscated4] sshd(pam_unix)[2549]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67
Oct 24 05:02:14 [obfuscated4] sshd(pam_unix)[2550]: check pass; user unknown
Oct 24 05:02:14 [obfuscated4] sshd(pam_unix)[2550]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67
Oct 24 05:02:18 [obfuscated4] sshd(pam_unix)[2551]: check pass; user unknown
Oct 24 05:02:18 [obfuscated4] sshd(pam_unix)[2551]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67
Oct 24 05:02:22 [obfuscated4] sshd(pam_unix)[2552]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67 user=root
Oct 24 05:02:26 [obfuscated4] sshd(pam_unix)[2553]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67 user=root
Oct 24 05:02:34 [obfuscated4] sshd(pam_unix)[2554]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67 user=root
Oct 24 05:02:39 [obfuscated4] sshd(pam_unix)[2555]: check pass; user unknown
Oct 24 05:02:39 [obfuscated4] sshd(pam_unix)[2555]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=220.70.167.67

Oct 27 15:30:39 [obfuscated3] sshd(pam_unix)[5783]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.234.105.236 user=nobody
Oct 27 15:30:43 [obfuscated3] sshd(pam_unix)[5784]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.234.105.236
Oct 27 15:30:48 [obfuscated3] sshd(pam_unix)[5785]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.234.105.236
[about 400 more of these]
Oct 27 15:30:42 [obfuscated3] sshd[5783]: Failed password for nobody from 211.234.105.236 port 44817 ssh2
Oct 27 15:30:43 [obfuscated3] sshd[5784]: input_userauth_request: illegal user patrick
Oct 27 15:30:46 [obfuscated3] sshd[5784]: Failed password for illegal user patrick from 211.234.105.236 port 44944 ssh2
Oct 27 15:30:48 [obfuscated3] sshd[5785]: input_userauth_request: illegal user patrick
Oct 27 15:30:50 [obfuscated3] sshd[5785]: Failed password for illegal user patrick from 211.234.105.236 port 45018 ssh2
Oct 27 15:30:54 [obfuscated3] sshd[5786]: Failed password for root from 211.234.105.236 port 45089 ssh2
Oct 27 15:31:04 [obfuscated3] sshd[5788]: Failed password for root from 211.234.105.236 port 45156 ssh2
Oct 27 15:31:08 [obfuscated3] sshd[5796]: Failed password for root from 211.234.105.236 port 45310 ssh2
Oct 27 15:31:13 [obfuscated3] sshd[5799]: Failed password for root from 211.234.105.236 port 45382 ssh2
Oct 27 15:31:17 [obfuscated3] sshd[5800]: Failed password for root from 211.234.105.236 port 45453 ssh2
Oct 27 15:31:21 [obfuscated3] sshd[5801]: input_userauth_request: illegal user rolo
Oct 27 15:31:23 [obfuscated3] sshd[5801]: Failed password for illegal user rolo from 211.234.105.236 port 45521 ssh2
Oct 27 15:31:25 [obfuscated3] sshd[5802]: input_userauth_request: illegal user iceuser
Oct 27 15:31:27 [obfuscated3] sshd[5802]: Failed password for illegal user iceuser from 211.234.105.236 port 45613 ssh2
Oct 27 15:31:29 [obfuscated3] sshd[5803]: input_userauth_request: illegal user horde
Oct 27 15:31:32 [obfuscated3] sshd[5803]: Failed password for illegal user horde from 211.234.105.236 port 45682 ssh2
Oct 27 15:31:34 [obfuscated3] sshd[5804]: input_userauth_request: illegal user cyrus
Oct 27 15:31:36 [obfuscated3] sshd[5804]: Failed password for illegal user cyrus from 211.234.105.236 port 45745 ssh2
Oct 27 15:31:39 [obfuscated3] sshd[5805]: input_userauth_request: illegal user www
Oct 27 15:31:42 [obfuscated3] sshd[5805]: Failed password for illegal user www from 211.234.105.236 port 45807 ssh2
Oct 27 15:31:47 [obfuscated3] sshd[5806]: input_userauth_request: illegal user wwwrun
Oct 27 15:31:49 [obfuscated3] sshd[5806]: Failed password for illegal user wwwrun from 211.234.105.236 port 45881 ssh2
Oct 27 15:31:51 [obfuscated3] sshd[5807]: input_userauth_request: illegal user matt
Oct 27 15:31:53 [obfuscated3] sshd[5807]: Failed password for illegal user matt from 211.234.105.236 port 45979 ssh2
Oct 27 15:31:56 [obfuscated3] sshd[5808]: input_userauth_request: illegal user test
Oct 27 15:31:58 [obfuscated3] sshd[5808]: Failed password for illegal user test from 211.234.105.236 port 46032 ssh2
Oct 27 15:32:04 [obfuscated3] sshd[5809]: input_userauth_request: illegal user test
Oct 27 15:32:06 [obfuscated3] sshd[5809]: Failed password for illegal user test from 211.234.105.236 port 46091 ssh2
Oct 27 15:32:08 [obfuscated3] sshd[5816]: input_userauth_request: illegal user test
Oct 27 15:32:10 [obfuscated3] sshd[5816]: Failed password for illegal user test from 211.234.105.236 port 46179 ssh2
Oct 27 15:32:12 [obfuscated3] sshd[5817]: input_userauth_request: illegal user test
Oct 27 15:32:15 [obfuscated3] sshd[5817]: Failed password for illegal user test from 211.234.105.236 port 46224 ssh2
Oct 27 15:32:17 [obfuscated3] sshd[5818]: input_userauth_request: illegal user www-data
Oct 27 15:32:19 [obfuscated3] sshd[5818]: Failed password for illegal user www-data from 211.234.105.236 port 46267 ssh2
Oct 27 15:32:21 [obfuscated3] sshd[5821]: input_userauth_request: illegal user mysql
Oct 27 15:32:28 [obfuscated3] sshd[5821]: Failed password for illegal user mysql from 211.234.105.236 port 46310 ssh2
Oct 27 15:32:34 [obfuscated3] sshd[5826]: Failed password for operator from 211.234.105.236 port 46401 ssh2
Oct 27 15:32:41 [obfuscated3] sshd[5829]: Failed password for adm from 211.234.105.236 port 46448 ssh2
Oct 27 15:32:49 [obfuscated3] sshd[5830]: Failed password for apache from 211.234.105.236 port 46506 ssh2
Oct 27 15:32:51 [obfuscated3] sshd[5831]: input_userauth_request: illegal user irc
Oct 27 15:32:53 [obfuscated3] sshd[5831]: Failed password for illegal user irc from 211.234.105.236 port 46560 ssh2
Oct 27 15:32:55 [obfuscated3] sshd[5834]: input_userauth_request: illegal user irc
Oct 27 15:32:57 [obfuscated3] sshd[5834]: Failed password for illegal user irc from 211.234.105.236 port 46589 ssh2
Oct 27 15:33:03 [obfuscated3] sshd[5835]: Failed password for adm from 211.234.105.236 port 46620 ssh2
Oct 27 15:33:07 [obfuscated3] sshd[5844]: Failed password for root from 211.234.105.236 port 46655 ssh2
Oct 27 15:33:11 [obfuscated3] sshd[5845]: Failed password for root from 211.234.105.236 port 46686 ssh2
Oct 27 15:33:16 [obfuscated3] sshd[5846]: Failed password for root from 211.234.105.236 port 46713 ssh2
Oct 27 15:33:18 [obfuscated3] sshd[5847]: input_userauth_request: illegal user jane
Oct 27 15:33:20 [obfuscated3] sshd[5847]: Failed password for illegal user jane from 211.234.105.236 port 46737 ssh2
Oct 27 15:33:26 [obfuscated3] sshd[5850]: input_userauth_request: illegal user pamela
Oct 27 15:33:29 [obfuscated3] sshd[5850]: Failed password for illegal user pamela from 211.234.105.236 port 46766 ssh2
Oct 27 15:33:34 [obfuscated3] sshd[5851]: Failed password for root from 211.234.105.236 port 46819 ssh2
Oct 27 15:33:39 [obfuscated3] sshd[5853]: Failed password for root from 211.234.105.236 port 46849 ssh2
Oct 27 15:33:49 [obfuscated3] sshd[5855]: Failed password for root from 211.234.105.236 port 46874 ssh2
Oct 27 15:33:55 [obfuscated3] sshd[5856]: Failed password for root from 211.234.105.236 port 46929 ssh2
Oct 27 15:34:04 [obfuscated3] sshd[5861]: Failed password for root from 211.234.105.236 port 46959 ssh2
Oct 27 15:34:06 [obfuscated3] sshd[5870]: input_userauth_request: illegal user cosmin
Oct 27 15:34:14 [obfuscated3] sshd[5870]: Failed password for illegal user cosmin from 211.234.105.236 port 47009 ssh2
Oct 27 15:34:18 [obfuscated3] sshd[5874]: Failed password for root from 211.234.105.236 port 47049 ssh2
Oct 27 15:34:24 [obfuscated3] sshd[5875]: Failed password for root from 211.234.105.236 port 47064 ssh2
Oct 27 15:34:28 [obfuscated3] sshd[5879]: Failed password for root from 211.234.105.236 port 47083 ssh2
Oct 27 15:34:32 [obfuscated3] sshd[5880]: Failed password for root from 211.234.105.236 port 47100 ssh2
Oct 27 15:34:37 [obfuscated3] sshd[5882]: Failed password for root from 211.234.105.236 port 47114 ssh2
Oct 27 15:34:41 [obfuscated3] sshd[5883]: Failed password for root from 211.234.105.236 port 47128 ssh2
Oct 27 15:34:51 [obfuscated3] sshd[5887]: Failed password for root from 211.234.105.236 port 47141 ssh2
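The post reads the scripted nature of these attempts off two tells: the attempts arrive every few seconds for minutes, and from the Oct 27 source the client port climbs with every connection. The following detector, an added example rather than anything the poster ran, parses the OpenSSH "Failed password" lines in the format shown above (the pam_unix lines are not handled) and reports both tells per source IP; the thresholds of five failures and a mean gap of 15 seconds are assumptions chosen to fit the post's own samples.

```python
import re
from collections import defaultdict
from datetime import datetime
# OpenSSH "Failed password" lines as they appear in the post (syslog timestamp, no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<invalid>illegal user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2$")

def parse_failed(line):
    """Return (ts, user, invalid_user, ip, port) for a failed-password line, else None."""
    m = FAILED_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less; ordering only
    return ts, m["user"], bool(m["invalid"]), m["ip"], int(m["port"])

def summarize(lines, min_failures=5, max_interval=15.0):
    """Per source IP: failure count, user spread, tight timing and climbing client ports."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_failed, lines)):
        by_ip[rec[3]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[0])
        ports = [r[4] for r in recs]
        # Mean seconds between attempts: a human does not retry every ~10 s for minutes.
        mean_gap = (recs[-1][0] - recs[0][0]).total_seconds() / max(len(recs) - 1, 1)
        report[ip] = {
            "failures": len(recs),
            "distinct_users": len({r[1] for r in recs}),
            "invalid_users": sorted({r[1] for r in recs if r[2]}),
            # One process opening connections back to back walks the ephemeral port range.
            "ascending_ports": all(a < b for a, b in zip(ports, ports[1:])),
            "brute_force": len(recs) >= min_failures and mean_gap <= max_interval,
        }
    return report
# Sample input: lines lifted from the post's own logs (hosts already obfuscated there).
SAMPLE = """\
Oct 16 22:26:01 [obfuscated] sshd[14705]: Failed password for nobody from 62.188.61.214 port 3201 ssh2
Oct 16 22:26:11 [obfuscated] sshd[14712]: Failed password for illegal user patrick from 62.188.61.214 port 1622 ssh2
Oct 16 22:26:30 [obfuscated] sshd[14714]: Failed password for root from 62.188.61.214 port 2606 ssh2
Oct 16 22:26:38 [obfuscated] sshd[14715]: Failed password for root from 62.188.61.214 port 4781 ssh2
Oct 16 22:26:50 [obfuscated] sshd[14716]: Failed password for root from 62.188.61.214 port 2941 ssh2
Oct 27 15:30:42 [obfuscated3] sshd[5783]: Failed password for nobody from 211.234.105.236 port 44817 ssh2
Oct 27 15:30:46 [obfuscated3] sshd[5784]: Failed password for illegal user patrick from 211.234.105.236 port 44944 ssh2
Oct 27 15:30:54 [obfuscated3] sshd[5786]: Failed password for root from 211.234.105.236 port 45089 ssh2
Oct 27 15:31:23 [obfuscated3] sshd[5801]: Failed password for illegal user rolo from 211.234.105.236 port 45521 ssh2
Oct 27 15:31:27 [obfuscated3] sshd[5802]: Failed password for illegal user iceuser from 211.234.105.236 port 45613 ssh2
""".splitlines()
```

Running `summarize(SAMPLE)` flags both sources as brute force on timing alone, while `ascending_ports` is true only for the Oct 27 source, which is the port pattern the post describes; the Oct 16 source's ports jump around, so that tell should be treated as corroboration, not a requirement.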