Annoying Little Knuckleheads

I think I previously mentioned that I get a lot of bad user attempts against my sshd.  Most of them were coming from PCs in China, but I got one from somewhere in Oklahoma last night on Cox’s cable internet service.  I’ve reported it to Cox’s abuse department, although I don’t have high hopes of getting a response or of them taking action.

This is what it looks like:

Sep 2 02:49:35 dominion sshd[22218]: Illegal user sifak from ::ffff:68.12.255.97
Sep 2 02:49:37 dominion sshd[22220]: Illegal user slasher from ::ffff:68.12.255.97
Sep 2 02:49:39 dominion sshd[22306]: Illegal user fluffy from ::ffff:68.12.255.97
Sep 2 02:49:41 dominion sshd[22308]: Illegal user admin from ::ffff:68.12.255.97
Sep 2 02:49:43 dominion sshd[22310]: Illegal user test from ::ffff:68.12.255.97
Sep 2 02:49:45 dominion sshd[22312]: Illegal user guest from ::ffff:68.12.255.97
Sep 2 02:49:47 dominion sshd[22314]: Illegal user webmaster from ::ffff:68.12.255.97
Sep 2 02:49:52 dominion sshd[22318]: Illegal user oracle from ::ffff:68.12.255.97
Sep 2 02:49:54 dominion sshd[22404]: Illegal user library from ::ffff:68.12.255.97
Sep 2 02:49:56 dominion sshd[22406]: Illegal user info from ::ffff:68.12.255.97
Sep 2 02:49:58 dominion sshd[22408]: Illegal user shell from ::ffff:68.12.255.97
Sep 2 02:50:00 dominion sshd[22410]: Illegal user linux from ::ffff:68.12.255.97
Sep 2 02:50:02 dominion sshd[22412]: Illegal user unix from ::ffff:68.12.255.97
Sep 2 02:50:04 dominion sshd[22414]: Illegal user webadmin from ::ffff:68.12.255.97
Sep 2 02:50:08 dominion sshd[22502]: Illegal user test from ::ffff:68.12.255.97
Sep 2 02:50:12 dominion sshd[22506]: Illegal user admin from ::ffff:68.12.255.97
Sep 2 02:50:14 dominion sshd[22508]: Illegal user guest from ::ffff:68.12.255.97
Sep 2 02:50:16 dominion sshd[22510]: Illegal user master from ::ffff:68.12.255.97
Sep 2 02:50:18 dominion sshd[22512]: Illegal user apache from ::ffff:68.12.255.97
Sep 2 02:50:24 dominion sshd[22602]: Illegal user network from ::ffff:68.12.255.97
Sep 2 02:50:26 dominion sshd[22604]: Illegal user word from ::ffff:68.12.255.97
Sep 2 02:50:59 dominion sshd[22806]: Illegal user admin from ::ffff:68.12.255.97
Sep 2 02:51:01 dominion sshd[22808]: Illegal user admin from ::ffff:68.12.255.97

That IP reverse-resolves to “97.255.12.68.in-addr.arpa domain name pointer ip68-12-255-97.ok.ok.cox.net.”, which appears to be somewhere in Oklahoma, although the actual contact for Cox is in Atlanta:

Cox Communications Inc. COX-ATLANTA (NET-68-0-0-0-1)
                      68.0.0.0 - 68.15.255.255
Cox Communications Inc. OKRDC-68-12-0-0 (NET-68-12-0-0-1)
                      68.12.0.0 - 68.12.255.255

Given the frequency and pattern of the attack, it appears to be automated.  Unfortunately, any little pissant PFY can run this sort of thing, since the attack tools are pretty much automated (hence the term “script kiddie”).  Fortunately, none of the accounts in the attack tool’s dictionary are on my system (and even if they were, they’d have non-default passwords).  Still, I’ve often wished for an ICMP HACF packet that could be sent back to an attacker’s system.
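As an added example (not code from this post), here is a small Python detector for the pattern shown above: it parses sshd “Illegal user” lines, strips the ::ffff: IPv4-mapped prefix, and flags any source address that produces a burst of failed logins, reporting the hit count, how many distinct usernames were tried, and how many seconds the run spanned. The sample lines are constructed in the same format as the log above; the year (syslog omits it), the threshold and the window size are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in the format of the sshd log in the post: five hits
# from the attacking host within ten seconds, plus one unrelated failure.
SAMPLE_LOG = """\
Sep 2 02:49:35 dominion sshd[22218]: Illegal user sifak from ::ffff:68.12.255.97
Sep 2 02:49:37 dominion sshd[22220]: Illegal user slasher from ::ffff:68.12.255.97
Sep 2 02:49:39 dominion sshd[22306]: Illegal user fluffy from ::ffff:68.12.255.97
Sep 2 02:49:41 dominion sshd[22308]: Illegal user admin from ::ffff:68.12.255.97
Sep 2 02:49:45 dominion sshd[22312]: Illegal user guest from ::ffff:68.12.255.97
Sep 2 03:15:02 dominion sshd[23001]: Illegal user bob from ::ffff:192.0.2.10
"""
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Illegal user (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_line(line, year=2005):
    """Return (timestamp, user, src_ip) or None; the year is assumed (syslog has none)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    src = m["src"]
    if src.startswith("::ffff:"):  # sshd logged IPv4-mapped IPv6 addresses
        src = src[len("::ffff:"):]
    return ts, m["user"], src

def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Map src -> (hits, distinct_users, seconds) for sources with a burst >= threshold in a window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            events[parsed[2]].append((parsed[0], parsed[1]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()  # syslog is usually ordered; do not rely on it
        for i in range(len(evs)):
            j = i
            while j < len(evs) and (evs[j][0] - evs[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:  # burst found: summarise the whole source
                users = {u for _, u in evs}
                span = (evs[-1][0] - evs[0][0]).total_seconds()
                flagged[src] = (len(evs), len(users), span)
                break
    return flagged
```

Feeding it a real auth log would report the Cox host above with dozens of hits and roughly one attempt every two seconds, which is the signature of an automated dictionary run rather than a person typing.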
