Title: Log Roll
Date: July 11, 2016
Tags: security
========================================

Fun thing found in my ssh log today. Anyone who runs a public-facing server knows there is a constant barrage of login attempts to SSH. You'll see some of the well-known accounts like vagrant, ubnt, root, or admin. Same old boring hammering. Today was something interesting:

    sshd: input_userauth_request: invalid user XHTML [preauth]
    sshd: input_userauth_request: invalid user 403 [preauth]
    sshd: input_userauth_request: invalid user \^M [preauth]
    sshd: input_userauth_request: invalid user Verdana, [preauth]
    sshd: input_userauth_request: invalid user 2%;font-family [preauth]
    sshd: input_userauth_request: invalid user Error\^M [preauth]
    sshd: input_userauth_request: invalid user 2% [preauth]
    sshd: input_userauth_request: invalid user #header{width [preauth]
    sshd: input_userauth_request: invalid user #content{margin [preauth]
    sshd: input_userauth_request: invalid user \^M [preauth]

Looks like someone tried to pull a list of usernames from a website, got a 403 error, didn't check for it, then split up the HTML to use as usernames. The connection attempts came from several different IPs, so they sent this "list" to a network of zombies.

Check for errors, folks.
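
To spot this kind of noise in your own logs, here is a small classifier for the `invalid user` lines quoted above. It is an added example, not part of the original post. The username policy regex, the function names and the first two sample lines (`vagrant`, `ubnt`) are assumptions constructed for illustration; the remaining sample lines are copied from the log excerpt.

```python
import re
from collections import Counter

# Message format as quoted in the post: the username is everything between
# "invalid user " and the trailing " [preauth]" (it may contain spaces).
LINE_RE = re.compile(r"input_userauth_request: invalid user (?P<user>.*) \[preauth\]\s*$")

# Assumption: a typical account-name policy (lowercase letter or underscore
# first, then letters, digits, '-' or '_', optional trailing '$').
PLAUSIBLE_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}\$?")

# Punctuation that shows up when HTML/CSS is split on whitespace, plus the
# escaped carriage return (\^M) that sshd logged for CRLF line endings.
MARKUP_RE = re.compile(r"[#{}%;,<>]|\\\^M")

def classify(user):
    """Return 'plausible', 'markup' or 'other' for one attempted username."""
    if PLAUSIBLE_RE.fullmatch(user):
        return "plausible"
    if MARKUP_RE.search(user):
        return "markup"
    return "other"

def summarize(lines):
    """Count attempted usernames per class across sshd log lines."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            counts[classify(m.group("user"))] += 1
    return counts

# First two lines are constructed; the rest come from the excerpt above.
SAMPLE = r"""
sshd: input_userauth_request: invalid user vagrant [preauth]
sshd: input_userauth_request: invalid user ubnt [preauth]
sshd: input_userauth_request: invalid user XHTML [preauth]
sshd: input_userauth_request: invalid user 403 [preauth]
sshd: input_userauth_request: invalid user \^M [preauth]
sshd: input_userauth_request: invalid user Verdana, [preauth]
sshd: input_userauth_request: invalid user 2%;font-family [preauth]
sshd: input_userauth_request: invalid user #header{width [preauth]
""".strip().splitlines()

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```

A burst of `markup` hits arriving from many source addresses at once is a sign that one operator pushed the same broken wordlist to all of them.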