Title: Log Roll
Date: July 11, 2016
Tags: security
========================================

Fun thing found in my ssh log today.

Anyone who runs a public-facing server knows there is a constant barrage of
login attempts against SSH.  You'll see some of the well-known accounts like
vagrant, ubnt, root, or admin.  Same old boring hammering.

Today was something interesting:


sshd: input_userauth_request: invalid user XHTML [preauth]
sshd: input_userauth_request: invalid user <html [preauth]
sshd: input_userauth_request: invalid user body{margin [preauth]
sshd: input_userauth_request: invalid user <meta [preauth]
sshd: input_userauth_request: invalid user content="text/html; [preauth]
sshd: input_userauth_request: invalid user Forbidden [preauth]
sshd: input_userauth_request: invalid user fieldset{padding [preauth]
sshd: input_userauth_request: invalid user <!DOCTYPE [preauth]
sshd: input_userauth_request: invalid user Strict//EN" [preauth]
sshd: input_userauth_request: invalid user Helvetica, [preauth]
sshd: input_userauth_request: invalid user PUBLIC [preauth]
sshd: input_userauth_request: invalid user 10px [preauth]
sshd: input_userauth_request: invalid user 0;color [preauth]
sshd: input_userauth_request: invalid user 0 [preauth]
sshd: input_userauth_request: invalid user <title>403 [preauth]
sshd: input_userauth_request: invalid user \^M [preauth]
sshd: input_userauth_request: invalid user Verdana, [preauth]
sshd: input_userauth_request: invalid user 2%;font-family [preauth]
sshd: input_userauth_request: invalid user Error</h1></div>\^M [preauth]
sshd: input_userauth_request: invalid user 2% [preauth]
sshd: input_userauth_request: invalid user #header{width [preauth]
sshd: input_userauth_request: invalid user #content{margin [preauth]
sshd: input_userauth_request: invalid user <div [preauth]
sshd: input_userauth_request: invalid user denied.</h2>\^M [preauth]


Looks like someone tried to pull a list of usernames from a website, got a 403
error page instead, didn't check for it, and then split the HTML up into tokens
to use as usernames.  The connection attempts came from several different IPs,
so they pushed this "list" out to a network of zombies.
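The analysis above was done by eye. As an added example (not code from the original post), here is a small Python script that automates the same observation: it pulls the guessed names out of sshd "invalid user" lines in the exact shape shown above, checks each against a conservative pattern for what a Linux login name can look like (the pattern is my assumption, modelled on useradd's default rule), and flags a log window in which most guesses could not possibly be account names. The sample log lines are constructed for the example and mirror the ones in the post.

```python
import re

# Constructed sample lines in the shape of the sshd entries shown above:
# two ordinary brute-force guesses followed by tokens of a scraped 403 page.
SAMPLE_LOG = """\
sshd: input_userauth_request: invalid user vagrant [preauth]
sshd: input_userauth_request: invalid user root [preauth]
sshd: input_userauth_request: invalid user <html [preauth]
sshd: input_userauth_request: invalid user body{margin [preauth]
sshd: input_userauth_request: invalid user content="text/html; [preauth]
sshd: input_userauth_request: invalid user <title>403 [preauth]
sshd: input_userauth_request: invalid user \\^M [preauth]
sshd: input_userauth_request: invalid user denied.</h2>\\^M [preauth]
"""

# Matches the "invalid user NAME [preauth]" shape used in the post; the lazy
# group keeps everything between "invalid user " and " [preauth]", so tokens
# containing quotes, braces or a literal \^M survive intact.
INVALID_USER_RE = re.compile(r"invalid user (?P<user>.+?) \[preauth\]", re.IGNORECASE)

# Assumed shape of a Linux login name as useradd accepts it by default:
# a letter or underscore, then up to 31 letters, digits, '_' or '-'.
PLAUSIBLE_USER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]{0,31}$")


def extract_usernames(log_text):
    """Return the username from every 'invalid user' line, in log order."""
    users = []
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            users.append(m.group("user"))
    return users


def is_plausible_username(user):
    """True if the token could be a real login name; HTML/CSS fragments fail."""
    return PLAUSIBLE_USER_RE.match(user) is not None


def summarize(log_text):
    """Count plausible vs. implausible guesses and keep a few offenders."""
    users = extract_usernames(log_text)
    junk = [u for u in users if not is_plausible_username(u)]
    return {
        "total": len(users),
        "implausible": len(junk),
        "samples": junk[:5],
    }


def looks_like_scraped_page(log_text, threshold=0.5):
    """Flag a log window in which most guessed names cannot be login names."""
    s = summarize(log_text)
    return s["total"] > 0 and s["implausible"] / s["total"] > threshold


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['implausible']}/{report['total']} guesses could not be login names")
    for u in report["samples"]:
        print("  ", repr(u))
    print("scraped-page wordlist suspected:", looks_like_scraped_page(SAMPLE_LOG))
```

Run against a real auth log the regex needs adjusting to whatever prefix your syslog adds; the username pattern is deliberately strict, so tokens such as 10px or 0 are rejected even though they contain no markup, while words like XHTML or Forbidden pass and only show up in the overall ratio.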

Check for errors, folks.