Domain-name based ssh login attempts

The last few weeks I have noticed some illicit ssh login attempts that use parts of the reverse DNS domain name as the user name when they try to log in. The last attempt looked like this in my LogWatch summary:

Illegal users from these:
    195.38.107.55 (aquila.euroexpert.tvnet.hu): 9 times
       root/password: 4 times
       cenara/password: 2 times
       ip-83-209-13-88/password: 2 times
       ip-83-209-13-88.cenara.com/password: 1 time

As you can see, the secondary and tertiary domain names, along with the full domain name, were tried as user names when attempting to log in. I guess that the attack script tries with a blank password and also with the same password as the user name.
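
One way to spot this pattern in raw sshd logs, as an added example that is not part of the original post: the Python below flags invalid-user attempts whose user name is the host's own domain name or one of its labels. The log lines are constructed, and the function names and the choice to skip the top-level label are assumptions.

```python
import re
from collections import defaultdict

# sshd logs "Invalid user NAME from ADDR" ("Illegal user" in older OpenSSH releases).
INVALID_USER = re.compile(r"sshd\[\d+\]: (?:Invalid|Illegal) user (\S+) from (\S+)")


def names_from_fqdn(fqdn):
    """User names a script could derive from the host name: the full name and its labels."""
    fqdn = fqdn.rstrip(".").lower()
    labels = fqdn.split(".")
    # Assumption: skip the last label (the TLD) so generic names such as "com" are not flagged.
    return {fqdn, *labels[:-1]}


def dns_derived_attempts(log_lines, fqdn):
    """Return {source address: {user name: count}} for invalid users derived from fqdn."""
    candidates = names_from_fqdn(fqdn)
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = INVALID_USER.search(line)
        if m and m.group(1).lower() in candidates:
            hits[m.group(2)][m.group(1).lower()] += 1
    return {src: dict(users) for src, users in hits.items()}


# Constructed sample lines, modelled on the LogWatch summary above.
SAMPLE_LOG = [
    "Jan 10 03:12:01 ip-83-209-13-88 sshd[4101]: Failed password for root from 195.38.107.55 port 4100 ssh2",
    "Jan 10 03:12:04 ip-83-209-13-88 sshd[4102]: Invalid user cenara from 195.38.107.55",
    "Jan 10 03:12:05 ip-83-209-13-88 sshd[4102]: Failed password for invalid user cenara from 195.38.107.55 port 4101 ssh2",
    "Jan 10 03:12:07 ip-83-209-13-88 sshd[4103]: Invalid user cenara from 195.38.107.55",
    "Jan 10 03:12:09 ip-83-209-13-88 sshd[4104]: Invalid user ip-83-209-13-88 from 195.38.107.55",
    "Jan 10 03:12:11 ip-83-209-13-88 sshd[4105]: Invalid user ip-83-209-13-88 from 195.38.107.55",
    "Jan 10 03:12:13 ip-83-209-13-88 sshd[4106]: Invalid user ip-83-209-13-88.cenara.com from 195.38.107.55",
    "Jan 10 04:40:30 ip-83-209-13-88 sshd[4200]: Invalid user test from 203.0.113.7",
]

if __name__ == "__main__":
    report = dns_derived_attempts(SAMPLE_LOG, "ip-83-209-13-88.cenara.com")
    for src, users in report.items():
        for user, count in sorted(users.items()):
            print(f"{src}: {user!r} tried {count} time(s)")
```

Ordinary dictionary guesses such as "test" are ignored, so a hit means the client looked up the server's name before choosing user names.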

 
