A reader (Thanks Jim!) mentioned earlier today that his SSHlogs were showing access attempts utilising elements of the reverse DNS name of the IPaddress being accessed. For example using isc.sans.org results in the userids isc, sans and org. This may be cause a number of hosting providers use the domain name itself as the userid for shell access for customers. In light of the breach at dreamhost earlier this week http://blog.dreamhost.com/2012/01/21/security-update/ this may be what is going on.
If you are noticing the same in your logs and you can share some log lines please send some in as I'd be interested in taking a peek.
Mark H
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
If you are noticing the same in your logs and you can share some log lines please send some in as I'd be interested in taking a peek.
Mark H
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.