ssh scans from 64.5.53.57/li-57.members.linode.com
Today my server got scanned using an sshd brute-forcer by 64.5.53.57/li-57.members.linode.com - here are some of the logs:
Jan 31 19:20:09 hostname sshd[4600]: Failed password for invalid user alias from 64.5.53.57 port 1481 ssh2
Jan 31 19:20:09 hostname sshd[4600]: Received disconnect from 64.5.53.57: 11: Bye Bye
Jan 31 19:20:13 hostname sshd[15730]: Invalid user office from 64.5.53.57
Jan 31 19:20:13 hostname sshd[18045]: input_userauth_request: invalid user office
Jan 31 19:20:13 hostname sshd[18045]: Failed password for invalid user office from 64.5.53.57 port 1516 ssh2
Jan 31 19:20:13 hostname sshd[18045]: Received disconnect from 64.5.53.57: 11: Bye Bye
Jan 31 19:20:14 hostname sshd[10411]: Invalid user samba from 64.5.53.57
Jan 31 19:20:14 hostname sshd[10291]: input_userauth_request: invalid user samba
Jan 31 19:20:14 hostname sshd[10291]: Failed password for invalid user samba from 64.5.53.57 port 1602 ssh2
Jan 31 19:20:14 hostname sshd[10291]: Received disconnect from 64.5.53.57: 11: Bye Bye
Jan 31 19:20:15 hostname sshd[19375]: Invalid user tomcat from 64.5.53.57
Jan 31 19:20:15 hostname sshd[19370]: input_userauth_request: invalid user tomcat
Jan 31 19:20:15 hostname sshd[19370]: Failed password for invalid user tomcat from 64.5.53.57 port 1635 ssh2
Jan 31 19:20:15 hostname sshd[19370]: Received disconnect from 64.5.53.57: 11: Bye Bye
Jan 31 19:20:19 hostname sshd[15543]: Invalid user webadmin from 64.5.53.57
Jan 31 19:20:19 hostname sshd[23343]: input_userauth_request: invalid user webadmin
Jan 31 19:20:19 hostname sshd[23343]: Failed password for invalid user webadmin from 64.5.53.57 port 1676 ssh2
Jan 31 19:20:19 hostname sshd[23343]: Received disconnect from 64.5.53.57: 11: Bye Bye
Jan 31 19:20:19 hostname sshd[1033]: Invalid user spam from 64.5.53.57
Jan 31 19:20:19 hostname sshd[1024]: input_userauth_request: invalid user spam
Jan 31 19:20:19 hostname sshd[1024]: Failed password for invalid user spam from 64.5.53.57 port 1846 ssh2
Jan 31 19:20:19 hostname sshd[1024]: Received disconnect from 64.5.53.57: 11: Bye Bye
Jan 31 19:20:20 hostname sshd[23557]: Invalid user virus from 64.5.53.57
Jan 31 19:20:20 hostname sshd[23731]: input_userauth_request: invalid user virus
Jan 31 19:20:20 hostname sshd[23731]: Failed password for invalid user virus from 64.5.53.57 port 1867 ssh2
Jan 31 19:20:20 hostname sshd[23731]: Received disconnect from 64.5.53.57: 11: Bye Bye
Jan 31 19:20:21 hostname sshd[14019]: Invalid user cyrus from 64.5.53.57
Jan 31 19:20:21 hostname sshd[1486]: input_userauth_request: invalid user cyrus
Jan 31 19:20:21 hostname sshd[1486]: Failed password for invalid user cyrus from 64.5.53.57 port 1913 ssh2
Jan 31 19:20:21 hostname sshd[1486]: Received disconnect from 64.5.53.57: 11: Bye Bye
My OpenBSD firewall detected this (by noticing it was using too many connections in too short a time span) and used PF (PacketFilter, an OBSD firewalling tool) to automatically drop all subsequent packets from this host. I also use skey authentication only, so it wasn't going to affect me. This leads me to suspect the attack was random - anyone that knew my system's security wouldn't bother with such a pointless scan.
The scan was also done by an ssh scanning tool, as detailed here:
So, it looks likely that this host is scanning portions of the internet for vulnerable ssh servers. This means that the server has either been hacked or has a bad user on it who is attempting to build himself a list of valid logins to other hosts on the internet by simply brute forcing the sshds he finds in scans.
Normally I don't bother to report such scans to the ISP of the server that does them, because many ISPs won't bother to do anything about hacked or abused servers. I used to have a linode myself though, so I'm aware of the excellent customer service here and don't want to see linodes used for evil things.
So, if Caker or another member of staff could check that the server hasn't been compromised (and take action if it has), then it would be appreciated.
I'm sure we could all do with fewer places on the internet randomly scanning servers with sshd brute forcing tools.