So I went on a trip out of town for a job interview the other day. I turned SSH on and took my laptop, in case I needed some file from the home computer or something. Taking a look at the logs after I get home, I find these:
Oct 19 17:52:13 myip sshd[13672]: Did not receive identification string from 211.91.16.88
Oct 19 17:56:22 myip sshd[13703]: Illegal user patrick from 211.91.16.88
Oct 19 17:56:24 myip sshd[13705]: Illegal user patrick from 211.91.16.88
Oct 19 17:56:39 myip sshd[13717]: Illegal user rolo from 211.91.16.88
Oct 19 17:56:41 myip sshd[13719]: Illegal user iceuser from 211.91.16.88
Oct 19 17:56:44 myip sshd[13721]: Illegal user horde from 211.91.16.88
Oct 19 17:56:51 myip sshd[13727]: Illegal user wwwrun from 211.91.16.88
Oct 19 17:56:53 myip sshd[13729]: Illegal user matt from 211.91.16.88
(snipped a bunch of other tries with dumb user names)
Oct 20 23:53:32 myip sshd[21528]: Illegal user patrick from 80.55.81.122
Oct 20 23:53:37 myip sshd[21530]: Illegal user patrick from 80.55.81.122
Oct 20 23:53:56 myip sshd[21542]: Illegal user rolo from 80.55.81.122
Oct 20 23:54:01 myip sshd[21544]: Illegal user iceuser from 80.55.81.122
Oct 20 23:54:06 myip sshd[21546]: Illegal user horde from 80.55.81.122
Oct 20 23:54:25 myip sshd[21552]: Illegal user wwwrun from 80.55.81.122
Oct 20 23:54:28 myip sshd[21554]: Illegal user matt from 80.55.81.122
(snipped a bunch more tries with the same dumb user names)
Taking a closer look, I see:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Insufficient responses for TCP sequencing (2), OS detection may be less accurate
Interesting ports on (211.91.16.88):
(The 1585 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
111/tcp open sunrpc
135/tcp filtered loc-srv
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1434/tcp filtered ms-sql-m
1521/tcp open oracle
1720/tcp filtered H.323/Q.931
6000/tcp open X11
27374/tcp filtered subseven
Remote OS guesses: Linux Kernel 2.4.0 - 2.5.20, Linux 2.4.19-pre4 on Alpha, Linux Kernel 2.4.3 SMP (RedHat)
Nmap run completed -- 1 IP address (1 host up) scanned in 72 seconds
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on sd122.internetdsl.tpnet.pl (80.55.81.122):
(The 1598 ports scanned but not shown below are in state: filtered)
Port State Service
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 1.282 days (since Thu Oct 21 13:27:55 2004)
Nmap run completed -- 1 IP address (1 host up) scanned in 319 seconds
What really seems strange is the repeated use of the same odd user names. They could at least try root - it still wouldn't work on my computer, but it's at least a user, and they'd be root if they succeeded. Is there some kind of program that tries these names or something?
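Added example (not part of the original post): a small Python detector for sshd log lines in the format quoted above. It groups the "Illegal user" entries by source address, flags any source that tries several distinct invalid names within a short window, and groups sources that walked the identical sequence of names, which is exactly the pattern noticed in the post and points to one tool with a built-in wordlist. The sample lines are constructed from the excerpt, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the sshd lines quoted in the post (not the full log).
SAMPLE_LOG = """\
Oct 19 17:52:13 myip sshd[13672]: Did not receive identification string from 211.91.16.88
Oct 19 17:56:22 myip sshd[13703]: Illegal user patrick from 211.91.16.88
Oct 19 17:56:39 myip sshd[13717]: Illegal user rolo from 211.91.16.88
Oct 19 17:56:41 myip sshd[13719]: Illegal user iceuser from 211.91.16.88
Oct 20 23:53:32 myip sshd[21528]: Illegal user patrick from 80.55.81.122
Oct 20 23:53:56 myip sshd[21542]: Illegal user rolo from 80.55.81.122
Oct 20 23:54:01 myip sshd[21544]: Illegal user iceuser from 80.55.81.122
Oct 21 09:00:00 myip sshd[30001]: Illegal user bob from 192.0.2.7
"""

# Old OpenSSH wording is "Illegal user"; newer releases log "Invalid user" instead.
ILLEGAL_USER = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)$"
)

def parse_illegal_users(text, year=2004):
    """Group failed-username events by source: {ip: [(timestamp, user), ...]} in time
    order. Syslog lines carry no year, so one is supplied (assumed here)."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        m = ILLEGAL_USER.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            by_ip[m["ip"]].append((ts, m["user"]))
    return {ip: sorted(tries) for ip, tries in by_ip.items()}

def flag_bruteforce(by_ip, min_users=3, window_secs=300):
    """Return {ip: distinct_user_count} for sources that tried at least min_users
    different invalid names inside any window_secs span (a dictionary sweep)."""
    flagged = {}
    for ip, tries in by_ip.items():
        for i, (start, _) in enumerate(tries):
            users = {u for t, u in tries[i:] if (t - start).total_seconds() <= window_secs}
            if len(users) >= min_users:
                flagged[ip] = len(users)
                break
    return flagged

def shared_wordlists(by_ip):
    """Group sources whose ordered list of tried names is identical: the pattern in
    the post, and a strong hint that one tool with a fixed list is behind them."""
    groups = defaultdict(list)
    for ip, tries in by_ip.items():
        groups[tuple(dict.fromkeys(u for _, u in tries))].append(ip)
    return sorted(sorted(ips) for ips in groups.values() if len(ips) > 1)
```

Run against a real auth log, the same three functions answer both halves of the question: which addresses are sweeping, and which of them share a list.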