[KLUG Members] Database userid crack attempts?

[Bruce Smith]

I've been getting a bunch of ssh login attempts on various computers on
my network from someone trying the user names "mysql" and "postgres".

Do either of those two packages come (or used to come) with a default
user/password combination?  Or is this just a real stupid cracker?

Also, has anyone ever had any luck reporting crack attempts to ISP's?
(the few times I've tried, I've never heard anything back)

Below are some entries for our KLUG server (although they have been
trying to login to all my Linux boxes that run sshd).  I looked up the
IP at ARIN, and was disappointed (but not surprised) to see it comes
from the Asia-Pacific Rim.

However, after looking up the IP at APNIC, I was mildly surprised and
excited to see it's actually in a country were the ISP employees might
understand an English email:  New Zealand!  If they will actually do
anything about it, is something else yet to be determined ...


Aug 28 13:15:51 klug sshd[25484]: Did not receive identification string from 210.55.105.189
Aug 28 13:16:12 klug sshd[25489]: input_userauth_request: illegal user mysql
Aug 28 13:16:12 klug sshd[25489]: Failed none for illegal user mysql from 210.55.105.189 port 2095 ssh2
Aug 28 13:16:12 klug sshd[25489]: Failed keyboard-interactive for illegal user mysql from 210.55.105.189 port 2095 ssh2
Aug 28 13:16:13 klug sshd[25489]: Failed password for illegal user mysql from 210.55.105.189 port 2095 ssh2
Aug 28 13:16:13 klug sshd[25489]: Connection closed by 210.55.105.189
Aug 28 13:16:15 klug sshd[25490]: Failed password for postgres from 210.55.105.189 port 2156 ssh2
Aug 28 13:16:15 klug sshd[25490]: Connection closed by 210.55.105.189


--------------------------------------------
Bruce Smith                bruce@armintl.com
System Administrator / Network Administrator
Armstrong International, Inc.
Three Rivers, Michigan  49093  USA
http://www.armstrong-intl.com/
--------------------------------------------