Is a large SSH botnet currently active?

GwenDragon

Registered User
Looks like there is a large SSH botnet alive at the moment.
Interesting that it is repeatedly the usernames PlcmSpIp and vyatta that are being tried.
The servers are scattered worldwide.
Several hundred login attempts per hour on some targets.
Excerpt from a log:
Code:
Dec 24 01:01:15 server1276 sshd[5377]: Invalid user PlcmSpIp from 62.255.174.119
Dec 24 01:01:16 server1276 sshd[5377]: Failed password for invalid user PlcmSpIp from 62.255.174.119 port 43028 ssh2
Dec 24 01:01:16 server1276 sshd[5377]: Received disconnect from 62.255.174.119: 11: Bye Bye [preauth]
Dec 24 01:01:17 server1276 sshd[5379]: Invalid user vyatta from 62.255.174.119
...
Dec 24 05:39:38 server1276 sshd[11783]: Invalid user PlcmSpIp from 37.205.60.194
Dec 24 05:39:38 server1276 sshd[11783]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=37.205.60.194 
Dec 24 05:39:40 server1276 sshd[11783]: Failed password for invalid user PlcmSpIp from 37.205.60.194 port 43611 ssh2
Dec 24 05:39:40 server1276 sshd[11783]: Received disconnect from 37.205.60.194: 11: Bye Bye [preauth]
Dec 24 05:39:41 server1276 sshd[11785]: Invalid user vyatta from 37.205.60.194
Dec 24 05:39:41 server1276 sshd[11785]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=37.205.60.194

Have you also seen an increase in SSH attacks like this?
 
Yes:

Code:
Dec 21 06:44:21 oob sshd[9709]: Invalid user vyatta from 50.31.0.49
Dec 21 06:44:21 oob sshd[9709]: input_userauth_request: invalid user vyatta [preauth]
Dec 21 06:44:36 oob sshd[9742]: Invalid user PlcmSpIp from 50.31.0.49
Dec 21 06:44:36 oob sshd[9742]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 21 12:53:00 oob sshd[21213]: Invalid user vyatta from 212.227.132.94
Dec 21 12:53:00 oob sshd[21213]: input_userauth_request: invalid user vyatta [preauth]
Dec 21 12:53:11 oob sshd[21239]: Invalid user PlcmSpIp from 212.227.132.94
Dec 21 12:53:11 oob sshd[21239]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 21 14:48:31 oob sshd[24547]: Invalid user vyatta from 217.170.194.67
Dec 21 14:48:31 oob sshd[24547]: input_userauth_request: invalid user vyatta [preauth]
Dec 22 17:57:00 oob sshd[10517]: Invalid user vyatta from 62.14.231.74
Dec 22 17:57:00 oob sshd[10517]: input_userauth_request: invalid user vyatta [preauth]
Dec 22 17:57:06 oob sshd[10543]: Invalid user PlcmSpIp from 62.14.231.74
Dec 22 17:57:06 oob sshd[10543]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 22 22:59:32 oob sshd[19185]: Invalid user vyatta from 95.130.170.231
Dec 22 22:59:32 oob sshd[19185]: input_userauth_request: invalid user vyatta [preauth]
Dec 22 22:59:43 oob sshd[19251]: Invalid user PlcmSpIp from 95.130.170.231
Dec 22 22:59:43 oob sshd[19251]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 22 23:50:21 oob sshd[20753]: Invalid user vyatta from 67.90.177.222
Dec 22 23:50:21 oob sshd[20753]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 00:00:20 oob sshd[21089]: Invalid user vyatta from 74.62.217.226
Dec 23 00:00:20 oob sshd[21089]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 00:20:02 oob sshd[21652]: Invalid user vyatta from 69.17.158.101
Dec 23 00:20:02 oob sshd[21652]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 00:21:43 oob sshd[21928]: Invalid user vyatta from 83.234.207.60
Dec 23 00:21:43 oob sshd[21928]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 00:21:53 oob sshd[21956]: Invalid user PlcmSpIp from 83.234.207.60
Dec 23 00:21:53 oob sshd[21956]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 00:24:03 oob sshd[21997]: Invalid user vyatta from 61.108.29.17
Dec 23 00:24:03 oob sshd[21997]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 00:32:04 oob sshd[22316]: Invalid user vyatta from 61.183.22.139
Dec 23 00:32:04 oob sshd[22316]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 00:36:41 oob sshd[22370]: Invalid user vyatta from 76.74.254.246
Dec 23 00:36:41 oob sshd[22370]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 00:36:45 oob sshd[22384]: Invalid user vyatta from 93.89.237.90
Dec 23 00:36:45 oob sshd[22384]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 00:36:55 oob sshd[22422]: Invalid user PlcmSpIp from 93.89.237.90
Dec 23 00:36:55 oob sshd[22422]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 00:37:00 oob sshd[22439]: Invalid user PlcmSpIp from 76.74.254.246
Dec 23 00:37:00 oob sshd[22439]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 00:46:12 oob sshd[22742]: Invalid user vyatta from 61.128.122.76
Dec 23 00:46:12 oob sshd[22742]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 01:30:07 oob sshd[23976]: Invalid user vyatta from 92.61.37.32
Dec 23 01:30:07 oob sshd[23976]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 01:30:13 oob sshd[24002]: Invalid user PlcmSpIp from 92.61.37.32
Dec 23 01:30:13 oob sshd[24002]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 01:53:09 oob sshd[24876]: Invalid user vyatta from 62.193.228.160
Dec 23 01:53:09 oob sshd[24876]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 01:53:14 oob sshd[24902]: Invalid user PlcmSpIp from 62.193.228.160
Dec 23 01:53:14 oob sshd[24902]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 02:25:30 oob sshd[25850]: Invalid user PlcmSpIp from 42.62.29.54
Dec 23 02:25:30 oob sshd[25850]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 02:25:31 oob sshd[25852]: Invalid user vyatta from 42.62.29.54
Dec 23 02:25:31 oob sshd[25852]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 02:48:09 oob sshd[26499]: Invalid user PlcmSpIp from 92.61.46.145
Dec 23 02:48:09 oob sshd[26499]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 02:48:10 oob sshd[26501]: Invalid user vyatta from 92.61.46.145
Dec 23 02:48:10 oob sshd[26501]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 03:19:17 oob sshd[27431]: Invalid user PlcmSpIp from 58.12.73.91
Dec 23 03:19:17 oob sshd[27431]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 03:19:20 oob sshd[27433]: Invalid user vyatta from 58.12.73.91
Dec 23 03:19:20 oob sshd[27433]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 03:39:19 oob sshd[28050]: Invalid user PlcmSpIp from 85.95.246.191
Dec 23 03:39:19 oob sshd[28050]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 03:39:22 oob sshd[28055]: Invalid user vyatta from 85.95.246.191
Dec 23 03:39:22 oob sshd[28055]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 03:46:39 oob sshd[28359]: Invalid user PlcmSpIp from 212.55.218.134
Dec 23 03:46:39 oob sshd[28359]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 03:46:40 oob sshd[28361]: Invalid user vyatta from 212.55.218.134
Dec 23 03:46:40 oob sshd[28361]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 04:20:21 oob sshd[29315]: Invalid user PlcmSpIp from 124.205.215.184
Dec 23 04:20:21 oob sshd[29315]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 04:20:24 oob sshd[29317]: Invalid user vyatta from 124.205.215.184
Dec 23 04:20:24 oob sshd[29317]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 04:58:39 oob sshd[30478]: Invalid user PlcmSpIp from 203.124.41.85
Dec 23 04:58:39 oob sshd[30478]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 04:58:42 oob sshd[30482]: Invalid user PlcmSpIp from 212.227.22.98
Dec 23 04:58:42 oob sshd[30482]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 04:58:42 oob sshd[30480]: Invalid user vyatta from 203.124.41.85
Dec 23 04:58:42 oob sshd[30480]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 04:58:42 oob sshd[30484]: Invalid user vyatta from 212.227.22.98
Dec 23 04:58:42 oob sshd[30484]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 05:02:24 oob sshd[30614]: Invalid user PlcmSpIp from 220.191.204.238
Dec 23 05:02:24 oob sshd[30614]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 05:02:28 oob sshd[30616]: Invalid user vyatta from 220.191.204.238
Dec 23 05:02:28 oob sshd[30616]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 06:27:16 oob sshd[791]: Invalid user PlcmSpIp from 220.90.18.106
Dec 23 06:27:16 oob sshd[791]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 06:27:19 oob sshd[793]: Invalid user vyatta from 220.90.18.106
Dec 23 06:27:19 oob sshd[793]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 06:31:12 oob sshd[852]: Invalid user PlcmSpIp from 59.120.151.118
Dec 23 06:31:12 oob sshd[852]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 06:36:13 oob sshd[964]: Invalid user PlcmSpIp from 220.194.46.36
Dec 23 06:36:13 oob sshd[964]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 06:36:20 oob sshd[966]: Invalid user vyatta from 220.194.46.36
Dec 23 06:36:20 oob sshd[966]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 07:13:23 oob sshd[3367]: Invalid user PlcmSpIp from 85.25.109.205
Dec 23 07:13:23 oob sshd[3367]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 07:13:23 oob sshd[3369]: Invalid user vyatta from 85.25.109.205
Dec 23 07:13:23 oob sshd[3369]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 07:45:52 oob sshd[4319]: Invalid user PlcmSpIp from 41.226.27.95
Dec 23 07:45:52 oob sshd[4319]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 07:45:53 oob sshd[4321]: Invalid user vyatta from 41.226.27.95
Dec 23 07:45:53 oob sshd[4321]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 07:54:58 oob sshd[4645]: Invalid user PlcmSpIp from 60.206.40.81
Dec 23 07:54:58 oob sshd[4645]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 07:55:01 oob sshd[4647]: Invalid user vyatta from 60.206.40.81
Dec 23 07:55:01 oob sshd[4647]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 08:49:23 oob sshd[6388]: Invalid user PlcmSpIp from 185.19.94.207
Dec 23 08:49:23 oob sshd[6388]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 08:49:24 oob sshd[6390]: Invalid user vyatta from 185.19.94.207
Dec 23 08:49:24 oob sshd[6390]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 08:55:58 oob sshd[6483]: Invalid user PlcmSpIp from 206.34.121.11
Dec 23 08:55:58 oob sshd[6483]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 08:55:59 oob sshd[6485]: Invalid user vyatta from 206.34.121.11
Dec 23 08:55:59 oob sshd[6485]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 09:01:22 oob sshd[6808]: Invalid user PlcmSpIp from 216.185.98.10
Dec 23 09:01:22 oob sshd[6808]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 09:01:25 oob sshd[6810]: Invalid user vyatta from 216.185.98.10
Dec 23 09:01:25 oob sshd[6810]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 09:49:44 oob sshd[8278]: Invalid user PlcmSpIp from 69.67.31.230
Dec 23 09:49:44 oob sshd[8278]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 09:49:48 oob sshd[8280]: Invalid user vyatta from 69.67.31.230
Dec 23 09:49:48 oob sshd[8280]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 11:24:51 oob sshd[11137]: Invalid user PlcmSpIp from 87.106.69.85
Dec 23 11:24:51 oob sshd[11137]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 11:24:52 oob sshd[11139]: Invalid user vyatta from 87.106.69.85
Dec 23 11:24:52 oob sshd[11139]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 11:56:42 oob sshd[12076]: Invalid user PlcmSpIp from 178.77.100.14
Dec 23 11:56:42 oob sshd[12076]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 12:41:59 oob sshd[13367]: Invalid user PlcmSpIp from 211.144.118.22
Dec 23 12:41:59 oob sshd[13367]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 12:42:03 oob sshd[13369]: Invalid user vyatta from 211.144.118.22
Dec 23 12:42:03 oob sshd[13369]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 12:45:38 oob sshd[13543]: Invalid user PlcmSpIp from 87.106.3.208
Dec 23 12:45:38 oob sshd[13543]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 12:45:38 oob sshd[13545]: Invalid user vyatta from 87.106.3.208
Dec 23 12:45:38 oob sshd[13545]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 13:22:33 oob sshd[14617]: Invalid user PlcmSpIp from 64.88.203.194
Dec 23 13:22:33 oob sshd[14617]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 13:22:35 oob sshd[14619]: Invalid user vyatta from 64.88.203.194
Dec 23 13:22:35 oob sshd[14619]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 13:34:12 oob sshd[15128]: Invalid user PlcmSpIp from 209.90.101.137
Dec 23 13:34:12 oob sshd[15128]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 13:34:13 oob sshd[15130]: Invalid user vyatta from 209.90.101.137
Dec 23 13:34:13 oob sshd[15130]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 13:39:28 oob sshd[15196]: Invalid user PlcmSpIp from 62.245.157.163
Dec 23 13:39:28 oob sshd[15196]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 13:39:28 oob sshd[15198]: Invalid user vyatta from 62.245.157.163
Dec 23 13:39:28 oob sshd[15198]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 13:40:14 oob sshd[15256]: Invalid user PlcmSpIp from 82.98.168.5
Dec 23 13:40:14 oob sshd[15256]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 13:40:15 oob sshd[15258]: Invalid user vyatta from 82.98.168.5
Dec 23 13:40:15 oob sshd[15258]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 14:28:10 oob sshd[16807]: Invalid user PlcmSpIp from 203.186.202.169
Dec 23 14:28:10 oob sshd[16807]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 14:28:13 oob sshd[16809]: Invalid user vyatta from 203.186.202.169
Dec 23 14:28:13 oob sshd[16809]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 14:44:24 oob sshd[17403]: Invalid user PlcmSpIp from 50.57.224.118
Dec 23 14:44:24 oob sshd[17403]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 14:44:25 oob sshd[17405]: Invalid user vyatta from 50.57.224.118
Dec 23 14:44:25 oob sshd[17405]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 14:52:17 oob sshd[17489]: Invalid user PlcmSpIp from 62.75.144.210
Dec 23 14:52:17 oob sshd[17489]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 14:52:17 oob sshd[17491]: Invalid user vyatta from 62.75.144.210
Dec 23 14:52:17 oob sshd[17491]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 15:06:06 oob sshd[18110]: Invalid user PlcmSpIp from 72.55.156.210
Dec 23 15:06:06 oob sshd[18110]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 15:06:07 oob sshd[18112]: Invalid user vyatta from 72.55.156.210
Dec 23 15:06:07 oob sshd[18112]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 15:35:44 oob sshd[19037]: Invalid user PlcmSpIp from 61.132.72.110
Dec 23 15:35:44 oob sshd[19037]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 15:35:45 oob sshd[19039]: Invalid user PlcmSpIp from 61.132.72.110
Dec 23 15:35:45 oob sshd[19039]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 15:35:46 oob sshd[19041]: Invalid user vyatta from 61.132.72.110
Dec 23 15:35:46 oob sshd[19041]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 15:35:49 oob sshd[19043]: Invalid user vyatta from 61.132.72.110
Dec 23 15:35:49 oob sshd[19043]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 15:35:59 oob sshd[19059]: Invalid user PlcmSpIp from 61.132.72.110
Dec 23 15:35:59 oob sshd[19059]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 15:36:04 oob sshd[19066]: Invalid user vyatta from 61.132.72.110
Dec 23 15:36:04 oob sshd[19066]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 15:38:00 oob sshd[19095]: Invalid user PlcmSpIp from 60.213.190.98
Dec 23 15:38:00 oob sshd[19095]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 15:38:07 oob sshd[19097]: Invalid user vyatta from 60.213.190.98
Dec 23 15:38:07 oob sshd[19097]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 15:47:10 oob sshd[19394]: Invalid user PlcmSpIp from 203.94.229.152
Dec 23 15:47:10 oob sshd[19394]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 15:47:11 oob sshd[19396]: Invalid user vyatta from 203.94.229.152
Dec 23 15:47:11 oob sshd[19396]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 17:08:46 oob sshd[21770]: Invalid user PlcmSpIp from 91.135.237.51
Dec 23 17:08:46 oob sshd[21770]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 17:08:46 oob sshd[21772]: Invalid user vyatta from 91.135.237.51
Dec 23 17:08:46 oob sshd[21772]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 17:23:41 oob sshd[22151]: Invalid user PlcmSpIp from 77.236.99.183
Dec 23 17:23:41 oob sshd[22151]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 17:23:43 oob sshd[22153]: Invalid user vyatta from 77.236.99.183
Dec 23 17:23:43 oob sshd[22153]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 17:28:59 oob sshd[22473]: Invalid user PlcmSpIp from 66.240.231.161
Dec 23 17:28:59 oob sshd[22473]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 17:29:02 oob sshd[22475]: Invalid user vyatta from 66.240.231.161
Dec 23 17:29:02 oob sshd[22475]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 18:37:58 oob sshd[24536]: Invalid user PlcmSpIp from 88.131.111.212
Dec 23 18:37:58 oob sshd[24536]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 18:37:59 oob sshd[24538]: Invalid user vyatta from 88.131.111.212
Dec 23 18:37:59 oob sshd[24538]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 19:32:09 oob sshd[26041]: Invalid user PlcmSpIp from 58.215.176.234
Dec 23 19:32:09 oob sshd[26041]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 19:32:15 oob sshd[26043]: Invalid user vyatta from 58.215.176.234
Dec 23 19:32:15 oob sshd[26043]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 19:42:55 oob sshd[26365]: Invalid user PlcmSpIp from 92.51.145.246
Dec 23 19:42:55 oob sshd[26365]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 19:42:55 oob sshd[26367]: Invalid user vyatta from 92.51.145.246
Dec 23 19:42:55 oob sshd[26367]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 19:52:11 oob sshd[26664]: Invalid user PlcmSpIp from 59.152.205.215
Dec 23 19:52:11 oob sshd[26664]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 19:52:14 oob sshd[26666]: Invalid user vyatta from 59.152.205.215
Dec 23 19:52:14 oob sshd[26666]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 21:04:35 oob sshd[28804]: Invalid user PlcmSpIp from 87.230.18.89
Dec 23 21:04:35 oob sshd[28804]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 21:04:35 oob sshd[28806]: Invalid user vyatta from 87.230.18.89
Dec 23 21:04:35 oob sshd[28806]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 23:10:55 oob sshd[32621]: Invalid user PlcmSpIp from 222.73.226.7
Dec 23 23:10:55 oob sshd[32621]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 23:11:00 oob sshd[32629]: Invalid user vyatta from 222.73.226.7
Dec 23 23:11:00 oob sshd[32629]: input_userauth_request: invalid user vyatta [preauth]
Dec 23 23:46:49 oob sshd[1164]: Invalid user PlcmSpIp from 41.65.162.46
Dec 23 23:46:49 oob sshd[1164]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 23 23:46:50 oob sshd[1166]: Invalid user vyatta from 41.65.162.46
Dec 23 23:46:50 oob sshd[1166]: input_userauth_request: invalid user vyatta [preauth]
Dec 24 00:23:10 oob sshd[2295]: Invalid user PlcmSpIp from 66.85.155.34
Dec 24 00:23:10 oob sshd[2295]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 24 00:23:12 oob sshd[2297]: Invalid user vyatta from 66.85.155.34
Dec 24 00:23:12 oob sshd[2297]: input_userauth_request: invalid user vyatta [preauth]
Dec 24 01:13:39 oob sshd[3809]: Invalid user PlcmSpIp from 58.215.187.19
Dec 24 01:13:39 oob sshd[3809]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 24 01:13:43 oob sshd[3811]: Invalid user vyatta from 58.215.187.19
Dec 24 01:13:43 oob sshd[3811]: input_userauth_request: invalid user vyatta [preauth]
Dec 24 01:45:46 oob sshd[4723]: Invalid user PlcmSpIp from 173.12.246.241
Dec 24 01:45:46 oob sshd[4723]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 24 01:45:48 oob sshd[4731]: Invalid user vyatta from 173.12.246.241
Dec 24 01:45:48 oob sshd[4731]: input_userauth_request: invalid user vyatta [preauth]
Dec 24 01:53:01 oob sshd[4999]: Invalid user PlcmSpIp from 49.236.204.180
Dec 24 01:53:01 oob sshd[4999]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 24 01:53:03 oob sshd[5001]: Invalid user vyatta from 49.236.204.180
Dec 24 01:53:03 oob sshd[5001]: input_userauth_request: invalid user vyatta [preauth]
Dec 24 02:48:52 oob sshd[6663]: Invalid user PlcmSpIp from 61.213.96.39
Dec 24 02:48:52 oob sshd[6663]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 24 04:35:29 oob sshd[9746]: Invalid user PlcmSpIp from 212.227.138.118
Dec 24 04:35:29 oob sshd[9746]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 24 04:35:29 oob sshd[9748]: Invalid user vyatta from 212.227.138.118
Dec 24 04:35:29 oob sshd[9748]: input_userauth_request: invalid user vyatta [preauth]
Dec 24 04:58:28 oob sshd[10404]: Invalid user PlcmSpIp from 222.173.145.34
Dec 24 04:58:28 oob sshd[10404]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 24 04:58:33 oob sshd[10406]: Invalid user vyatta from 222.173.145.34
Dec 24 04:58:33 oob sshd[10406]: input_userauth_request: invalid user vyatta [preauth]
Dec 24 05:30:01 oob sshd[11479]: Invalid user PlcmSpIp from 222.223.51.36
Dec 24 05:30:01 oob sshd[11479]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 24 05:30:03 oob sshd[11487]: Invalid user vyatta from 222.223.51.36
Dec 24 05:30:03 oob sshd[11487]: input_userauth_request: invalid user vyatta [preauth]
Dec 24 07:44:45 oob sshd[17039]: Invalid user PlcmSpIp from 212.141.54.155
Dec 24 07:44:45 oob sshd[17039]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 24 07:44:47 oob sshd[17041]: Invalid user vyatta from 212.141.54.155
Dec 24 07:44:47 oob sshd[17041]: input_userauth_request: invalid user vyatta [preauth]
Dec 24 08:30:57 oob sshd[18459]: Invalid user PlcmSpIp from 46.235.41.10
Dec 24 08:30:57 oob sshd[18459]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 24 08:30:58 oob sshd[18461]: Invalid user vyatta from 46.235.41.10
Dec 24 08:30:58 oob sshd[18461]: input_userauth_request: invalid user vyatta [preauth]
Dec 24 08:42:16 oob sshd[18963]: Invalid user PlcmSpIp from 62.255.174.98
Dec 24 08:42:16 oob sshd[18963]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 24 08:42:16 oob sshd[18965]: Invalid user vyatta from 62.255.174.98
Dec 24 08:42:16 oob sshd[18965]: input_userauth_request: invalid user vyatta [preauth]
Dec 24 08:49:23 oob sshd[19063]: Invalid user PlcmSpIp from 61.152.157.50
Dec 24 08:49:23 oob sshd[19063]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 24 08:49:29 oob sshd[19065]: Invalid user vyatta from 61.152.157.50
Dec 24 08:49:29 oob sshd[19065]: input_userauth_request: invalid user vyatta [preauth]
Dec 24 09:05:08 oob sshd[19637]: Invalid user PlcmSpIp from 46.244.10.26
Dec 24 09:05:08 oob sshd[19637]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 24 09:05:08 oob sshd[19639]: Invalid user vyatta from 46.244.10.26
Dec 24 09:05:08 oob sshd[19639]: input_userauth_request: invalid user vyatta [preauth]
Dec 24 09:49:37 oob sshd[20887]: Invalid user PlcmSpIp from 68.116.62.75
Dec 24 09:49:37 oob sshd[20887]: input_userauth_request: invalid user PlcmSpIp [preauth]
Dec 24 09:49:38 oob sshd[20889]: Invalid user vyatta from 68.116.62.75
Dec 24 09:49:38 oob sshd[20889]: input_userauth_request: invalid user vyatta [preauth]
 
I can confirm that; Fail2ban is already very active on my end as well:

Code:
2014-12-21 07:15:07,527 fail2ban.actions[1900]: WARNING [ssh] Unban 31.184.194.114
2014-12-21 10:02:26,615 fail2ban.actions[1900]: WARNING [ssh] Ban 218.26.11.118
2014-12-21 17:08:24,348 fail2ban.actions[1900]: WARNING [ssh] Unban 119.61.7.43
2014-12-21 18:20:16,463 fail2ban.actions[1900]: WARNING [ssh] Ban 203.94.229.152
2014-12-21 19:01:33,868 fail2ban.actions[1900]: WARNING [ssh] Unban 195.94.234.86
2014-12-21 20:48:30,901 fail2ban.actions[1900]: WARNING [ssh] Ban 212.227.132.94
2014-12-21 22:31:37,658 fail2ban.actions[1900]: WARNING [ssh] Ban 61.132.161.130
2014-12-22 08:41:11,386 fail2ban.actions[1900]: WARNING [ssh] Ban 60.191.16.245
2014-12-22 10:02:26,883 fail2ban.actions[1900]: WARNING [ssh] Unban 218.26.11.118
2014-12-22 18:20:16,486 fail2ban.actions[1900]: WARNING [ssh] Unban 203.94.229.152
2014-12-22 18:33:12,227 fail2ban.actions[1900]: WARNING [ssh] Ban 221.208.245.210
2014-12-22 20:48:31,712 fail2ban.actions[1900]: WARNING [ssh] Unban 212.227.132.94
2014-12-22 21:43:10,730 fail2ban.actions[1900]: WARNING [ssh] Ban 212.227.132.94
2014-12-22 22:28:46,221 fail2ban.actions[1900]: WARNING [ssh] Ban 60.250.122.145
2014-12-22 22:31:38,396 fail2ban.actions[1900]: WARNING [ssh] Unban 61.132.161.130
2014-12-22 22:39:37,853 fail2ban.actions[1900]: WARNING [ssh] Ban 87.118.120.17
2014-12-22 22:53:42,620 fail2ban.actions[1900]: WARNING [ssh] Ban 82.98.168.5
2014-12-22 23:16:31,871 fail2ban.actions[1900]: WARNING [ssh] Ban 66.79.164.34
2014-12-23 00:50:05,107 fail2ban.actions[1900]: WARNING [ssh] Ban 71.179.168.28
2014-12-23 00:51:47,208 fail2ban.actions[1900]: WARNING [ssh] Ban 82.165.134.218
2014-12-23 00:59:26,622 fail2ban.actions[1900]: WARNING [ssh] Ban 31.210.42.34
2014-12-23 01:38:27,798 fail2ban.actions[1900]: WARNING [ssh] Ban 85.214.128.102
2014-12-23 02:05:55,319 fail2ban.actions[1900]: WARNING [ssh] Ban 69.94.24.211
2014-12-23 02:29:19,624 fail2ban.actions[1900]: WARNING [ssh] Ban 27.34.140.99
2014-12-23 02:33:27,850 fail2ban.actions[1900]: WARNING [ssh] Ban 94.127.185.186
2014-12-23 02:58:27,243 fail2ban.actions[1900]: WARNING [ssh] Ban 59.125.40.36
2014-12-23 02:59:58,333 fail2ban.actions[1900]: WARNING [ssh] Ban 69.60.114.242
2014-12-23 03:07:42,749 fail2ban.actions[1900]: WARNING [ssh] Ban 125.253.124.40
2014-12-23 03:25:01,705 fail2ban.actions[1900]: WARNING [ssh] Ban 54.225.94.156
2014-12-23 03:25:11,725 fail2ban.actions[1900]: WARNING [ssh] Ban 203.129.32.144
2014-12-23 03:33:18,174 fail2ban.actions[1900]: WARNING [ssh] Ban 162.223.210.250
2014-12-23 03:42:33,684 fail2ban.actions[1900]: WARNING [ssh] Ban 23.25.1.29
2014-12-23 03:50:37,139 fail2ban.actions[1900]: WARNING [ssh] Ban 219.239.33.5
2014-12-23 04:14:14,436 fail2ban.actions[1900]: WARNING [ssh] Ban 82.165.139.87
2014-12-23 04:14:57,489 fail2ban.actions[1900]: WARNING [ssh] Ban 69.67.53.74
2014-12-23 04:22:48,935 fail2ban.actions[1900]: WARNING [ssh] Ban 58.215.184.190
2014-12-23 04:22:52,947 fail2ban.actions[1900]: WARNING [ssh] Ban 125.141.199.225
2014-12-23 04:32:42,503 fail2ban.actions[1900]: WARNING [ssh] Ban 62.233.108.169
2014-12-23 04:39:48,903 fail2ban.actions[1900]: WARNING [ssh] Ban 211.154.139.196
2014-12-23 04:46:29,290 fail2ban.actions[1900]: WARNING [ssh] Ban 66.240.231.161
2014-12-23 04:59:14,021 fail2ban.actions[1900]: WARNING [ssh] Ban 222.87.19.131
2014-12-23 05:26:42,541 fail2ban.actions[1900]: WARNING [ssh] Ban 61.132.72.110
2014-12-23 05:29:23,696 fail2ban.actions[1900]: WARNING [ssh] Ban 195.22.18.187
2014-12-23 06:02:43,584 fail2ban.actions[1900]: WARNING [ssh] Ban 87.106.190.244
2014-12-23 06:22:51,729 fail2ban.actions[1900]: WARNING [ssh] Ban 202.152.32.190
2014-12-23 06:23:04,751 fail2ban.actions[1900]: WARNING [ssh] Ban 103.10.151.156
2014-12-23 06:37:19,560 fail2ban.actions[1900]: WARNING [ssh] Ban 95.130.170.122
2014-12-23 07:05:07,138 fail2ban.actions[1900]: WARNING [ssh] Ban 91.227.68.144
2014-12-23 08:41:11,524 fail2ban.actions[1900]: WARNING [ssh] Unban 60.191.16.245
2014-12-23 09:47:56,436 fail2ban.actions[1900]: WARNING [ssh] Ban 213.165.83.15
2014-12-23 09:48:24,471 fail2ban.actions[1900]: WARNING [ssh] Ban 210.107.178.76
2014-12-23 09:55:28,896 fail2ban.actions[1900]: WARNING [ssh] Ban 69.32.224.129
2014-12-23 10:42:40,666 fail2ban.actions[1900]: WARNING [ssh] Ban 66.135.38.20
2014-12-23 10:43:06,700 fail2ban.actions[1900]: WARNING [ssh] Ban 61.143.236.193
2014-12-23 11:08:11,138 fail2ban.actions[1900]: WARNING [ssh] Ban 89.233.175.169
2014-12-23 11:28:19,300 fail2ban.actions[1900]: WARNING [ssh] Ban 61.58.35.74
2014-12-23 11:28:35,325 fail2ban.actions[1900]: WARNING [ssh] Ban 65.99.213.88
 
I know the Heise report. ;)

On my end the attack scenario has only been noticeable since 21.12., which is why I suspected another new botnet.
 
That does indeed seem to be either a new botnet or a second wave of attacks...
Vyatta is used on some routers (e.g. from Ubiquiti), and "PlcmSpIp" is apparently a user account found on Polycom SIP phones that works with default passwords.
There have even been reports of successful logins of this kind since 2009 :eek:
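
One way to pick the pattern described in this thread out of an auth log (the same invalid usernames arriving from many scattered sources, each trying only a few times), as an added example that is not part of the original posts. The log lines are constructed and use documentation IP ranges; the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from itertools import combinations

# Matches only sshd's "Invalid user <name> from <ip>" line, not the
# "Failed password for invalid user ..." or "input_userauth_request" lines,
# so each login attempt is counted once.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample (documentation IP ranges, not real attackers).
SAMPLE_LOG = """\
Dec 24 01:01:15 host sshd[5377]: Invalid user PlcmSpIp from 192.0.2.10
Dec 24 01:01:16 host sshd[5377]: Failed password for invalid user PlcmSpIp from 192.0.2.10 port 43028 ssh2
Dec 24 01:01:17 host sshd[5379]: Invalid user vyatta from 192.0.2.10
Dec 24 02:10:40 host sshd[6001]: Invalid user vyatta from 198.51.100.7
Dec 24 02:10:40 host sshd[6001]: input_userauth_request: invalid user vyatta [preauth]
Dec 24 02:10:51 host sshd[6003]: Invalid user PlcmSpIp from 198.51.100.7
Dec 24 03:30:02 host sshd[7100]: Invalid user PlcmSpIp from 203.0.113.21
Dec 24 03:30:05 host sshd[7102]: Invalid user vyatta from 203.0.113.21
Dec 24 04:05:12 host sshd[7500]: Invalid user vyatta from 198.51.100.99
Dec 24 04:20:00 host sshd[7600]: Invalid user admin from 203.0.113.50
Dec 24 04:20:02 host sshd[7602]: Invalid user admin from 203.0.113.50
Dec 24 04:20:04 host sshd[7604]: Invalid user admin from 203.0.113.50
Dec 24 04:20:06 host sshd[7606]: Invalid user admin from 203.0.113.50
"""


def parse_invalid_users(log_text):
    """Yield (ip, user) for every 'Invalid user' line in the log text."""
    for line in log_text.splitlines():
        match = INVALID_USER.search(line)
        if match:
            yield match.group("ip"), match.group("user")


def distributed_usernames(log_text, min_sources=3, max_avg_per_ip=2.0):
    """Usernames tried from many sources with few attempts per source.

    This is the shape a per-IP retry threshold tends to miss: every
    single address stays quiet, only the aggregate stands out.
    Returns {username: number_of_distinct_source_ips}.
    """
    sources = defaultdict(set)
    attempts = defaultdict(int)
    for ip, user in parse_invalid_users(log_text):
        sources[user].add(ip)
        attempts[user] += 1
    return {
        user: len(ips)
        for user, ips in sources.items()
        if len(ips) >= min_sources
        and attempts[user] / len(ips) <= max_avg_per_ip
    }


def paired_usernames(log_text, min_sources=3):
    """Username pairs that the same source tried, seen from many sources.

    A fixed pair repeating across unrelated addresses points to one
    shared credential list, i.e. one coordinated campaign.
    Returns {(user_a, user_b): number_of_source_ips_trying_both}.
    """
    users_by_ip = defaultdict(set)
    for ip, user in parse_invalid_users(log_text):
        users_by_ip[ip].add(user)
    pair_sources = defaultdict(int)
    for users in users_by_ip.values():
        for pair in combinations(sorted(users), 2):
            pair_sources[pair] += 1
    return {p: n for p, n in pair_sources.items() if n >= min_sources}


if __name__ == "__main__":
    print("distributed usernames:", distributed_usernames(SAMPLE_LOG))
    print("recurring pairs:", paired_usernames(SAMPLE_LOG))
```

The single noisy source hammering `admin` is what a per-IP ban handles well; the two functions surface the other case, where the signal is the username list rather than any one address.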
 