Title: Log Roll
Date: July 11, 2016
Tags: security
========================================
Fun thing found in my ssh log today.
Anyone who runs a public-facing server knows there is a constant barrage of
login attempts against SSH. You'll see some of the well-known accounts like vagrant,
ubnt, root, or admin. Same old boring hammering.
Today was something interesting:
sshd: input_userauth_request: invalid user XHTML [preauth]
sshd: input_userauth_request: invalid user <html [preauth]
sshd: input_userauth_request: invalid user body{margin [preauth]
sshd: input_userauth_request: invalid user <meta [preauth]
sshd: input_userauth_request: invalid user content="text/html; [preauth]
sshd: input_userauth_request: invalid user Forbidden [preauth]
sshd: input_userauth_request: invalid user fieldset{padding [preauth]
sshd: input_userauth_request: invalid user <!DOCTYPE [preauth]
sshd: input_userauth_request: invalid user Strict//EN" [preauth]
sshd: input_userauth_request: invalid user Helvetica, [preauth]
sshd: input_userauth_request: invalid user PUBLIC [preauth]
sshd: input_userauth_request: invalid user 10px [preauth]
sshd: input_userauth_request: invalid user 0;color [preauth]
sshd: input_userauth_request: invalid user 0 [preauth]
sshd: input_userauth_request: invalid user <title>403 [preauth]
sshd: input_userauth_request: invalid user \^M [preauth]
sshd: input_userauth_request: invalid user Verdana, [preauth]
sshd: input_userauth_request: invalid user 2%;font-family [preauth]
sshd: input_userauth_request: invalid user Error</h1></div>\^M [preauth]
sshd: input_userauth_request: invalid user 2% [preauth]
sshd: input_userauth_request: invalid user #header{width [preauth]
sshd: input_userauth_request: invalid user #content{margin [preauth]
sshd: input_userauth_request: invalid user <div [preauth]
sshd: input_userauth_request: invalid user denied.</h2>\^M [preauth]
Looks like someone tried to pull a list of usernames from a website, got a 403
error, didn't check for it, then split up the HTML to use as usernames. The
connection attempts came from several different IPs, so they sent this "list" to
a network of zombies.
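A small detector for this pattern, added here as an example and not part of the original post: it parses sshd "invalid user" lines in the format quoted above and flags a batch whose rejected usernames are mostly HTML/CSS tokens, which is the signature of an attacker feeding a fetched error page straight into a brute-force wordlist. The sample log and the function names are my own constructions; a few of the sample lines are taken from the excerpt above, the rest (vagrant, admin) are ordinary attempts added for contrast.

```python
import re

# Matches the pre-auth line format quoted in the post above.
INVALID_USER_RE = re.compile(r"invalid user (?P<user>.*?) \[preauth\]$")

# Characters and bare words common in HTML/CSS but never in real account names.
MARKUP_CHARS = set('<>{};"%')
MARKUP_WORDS = {"xhtml", "doctype", "public", "forbidden", "html", "body", "meta", "title"}

# Constructed sample: two ordinary attempts plus lines from the excerpt above.
SAMPLE_LOG = [
    "sshd: input_userauth_request: invalid user vagrant [preauth]",
    "sshd: input_userauth_request: invalid user admin [preauth]",
    "sshd: input_userauth_request: invalid user XHTML [preauth]",
    "sshd: input_userauth_request: invalid user <html [preauth]",
    "sshd: input_userauth_request: invalid user body{margin [preauth]",
    "sshd: input_userauth_request: invalid user content=\"text/html; [preauth]",
    "sshd: input_userauth_request: invalid user 10px [preauth]",
    "sshd: input_userauth_request: invalid user \\^M [preauth]",
    "sshd: input_userauth_request: invalid user Helvetica, [preauth]",
    "sshd: input_userauth_request: invalid user denied.</h2>\\^M [preauth]",
]

def parse_invalid_users(log_lines):
    """Return every rejected username, in log order."""
    return [m.group("user") for m in map(INVALID_USER_RE.search, log_lines) if m]

def looks_like_markup(user):
    """True when a rejected 'username' is really a fragment of HTML or CSS."""
    # sshd logs non-printable bytes escaped, so "\^M" is a carriage return left
    # over from a CRLF line ending in the scraped page.
    if any(c in MARKUP_CHARS for c in user) or "\\^" in user:
        return True
    if user.startswith("#") or user.endswith(","):
        return True
    return user.lower().lstrip("<!/").rstrip(">") in MARKUP_WORDS

def markup_fraction(log_lines):
    """Fraction of rejected usernames that look like scraped page content."""
    users = parse_invalid_users(log_lines)
    return sum(looks_like_markup(u) for u in users) / len(users) if users else 0.0

def wordlist_is_scraped_page(log_lines, threshold=0.5):
    """Flag a batch whose 'usernames' are mostly HTML/CSS tokens, i.e. the
    attacker fed a fetched error page straight into a brute-force list."""
    return markup_fraction(log_lines) >= threshold

if __name__ == "__main__":
    flagged = [u for u in parse_invalid_users(SAMPLE_LOG) if looks_like_markup(u)]
    print(f"{len(flagged)} markup-looking usernames: {flagged}")
    print("scraped-page wordlist:", wordlist_is_scraped_page(SAMPLE_LOG))
```

Plain tokens such as "10px" or "0" slip through the heuristic on their own, which is why the decision is made on the fraction of a batch rather than per line.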