Title: Log Roll
Date: July 11, 2016
Tags: security
========================================

Fun thing found in my ssh log today.

Anyone who runs a public facing server knows there is a constant barrage of
login attempts to SSH.  You'll see some of the well known accounts like vagrant,
ubnt, root, or admin.  Same old boring hammering.

Today was something interesting:


sshd: input_userauth_request: invalid user XHTML [preauth]
sshd: input_userauth_request: invalid user <html [preauth]
sshd: input_userauth_request: invalid user body{margin [preauth]
sshd: input_userauth_request: invalid user <meta [preauth]
sshd: input_userauth_request: invalid user content="text/html; [preauth]
sshd: input_userauth_request: invalid user Forbidden [preauth]
sshd: input_userauth_request: invalid user fieldset{padding [preauth]
sshd: input_userauth_request: invalid user <!DOCTYPE [preauth]
sshd: input_userauth_request: invalid user Strict//EN" [preauth]
sshd: input_userauth_request: invalid user Helvetica, [preauth]
sshd: input_userauth_request: invalid user PUBLIC [preauth]
sshd: input_userauth_request: invalid user 10px [preauth]
sshd: input_userauth_request: invalid user 0;color [preauth]
sshd: input_userauth_request: invalid user 0 [preauth]
sshd: input_userauth_request: invalid user <title>403 [preauth]
sshd: input_userauth_request: invalid user \^M [preauth]
sshd: input_userauth_request: invalid user Verdana, [preauth]
sshd: input_userauth_request: invalid user 2%;font-family [preauth]
sshd: input_userauth_request: invalid user Error</h1></div>\^M [preauth]
sshd: input_userauth_request: invalid user 2% [preauth]
sshd: input_userauth_request: invalid user #header{width [preauth]
sshd: input_userauth_request: invalid user #content{margin [preauth]
sshd: input_userauth_request: invalid user <div [preauth]
sshd: input_userauth_request: invalid user denied.</h2>\^M [preauth]


Looks like someone tried to pull a list of usernames from a website, got a 403
error, didn't check for it, then split up the HTML to use as usernames.  The
connection attempts came from several different IPs so they sent this "list" to
a network of zombies.

Check for errors, folks.

You are viewing proxied material from kagu-tsuchi.com. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.