[nycbug-talk] new bruteforcing. . .

Charles Sprickman spork at bway.net
Mon Oct 22 15:30:45 EDT 2007

On Mon, 22 Oct 2007, George Rosamond wrote:

> I noticed this happening to some of our boxes last night while tailing
> some logs:
> http://isc.sans.org/diary.html?storyid=3529
> Anyone else notice this going on?

I saw more in my logs on the few boxes open to the world, but pf is nuking 
them nicely after a few tries (and we don't allow non-key logins anyhow).

One mystery though with the old scanner bots that I never figured out was 
what is the deal with "fluffy"??

Oct 12 07:57:18 miko sshd[99893]: Invalid user fluffy from
Oct 16 08:01:32 miko sshd[41118]: Invalid user fluffy from

I understand "root", "admin", "staff", etc.  But fluffy??


> It's not really groundbreaking, but the fact that it's in a distributed
> model is somewhat new for ssh and mysql bruteforce zombies.
> Nmaps for OSs are sketchy of course, but seems like mostly Linux  boxes.
> . . which is somewhat groundbreaking.
> George
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
> We meet the first Wednesday of the month
> Be sure to join our Announce list at http://lists.nycbug.org

More information about the talk mailing list