[ubuntu-ar] This appeared in my crontab: /var/tmp/.logout/eggdrop/y2kupdate >/dev/null 2>&1

Maxi maximiliano.duarte at gmail.com
Fri Jan 8 19:45:56 GMT 2010


After finding that, I checked the logs and found this, and it looks to me
like I am being attacked:


Jan  8 16:05:30 twserver sshd[13873]: Failed password for invalid user
eleve from 58.61.149.213 port 37615 ssh2
Jan  8 16:05:34 twserver sshd[13875]: Address 58.61.149.213 maps to
mail.d3zone.com, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!
Jan  8 16:05:34 twserver sshd[13875]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=58.61.149.213  user=proxy
Jan  8 16:05:37 twserver sshd[13875]: Failed password for proxy from
58.61.149.213 port 38119 ssh2
Jan  8 16:05:40 twserver sshd[13877]: Address 58.61.149.213 maps to
mail.d3zone.com, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!
Jan  8 16:05:40 twserver sshd[13877]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=58.61.149.213  user=sys
Jan  8 16:05:42 twserver sshd[13877]: Failed password for sys from
58.61.149.213 port 39034 ssh2
Jan  8 16:05:46 twserver sshd[13880]: Address 58.61.149.213 maps to
mail.d3zone.com, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!
Jan  8 16:05:46 twserver sshd[13880]: Invalid user zzz from 58.61.149.213
Jan  8 16:05:46 twserver sshd[13880]: pam_unix(sshd:auth): check pass;
user unknown
Jan  8 16:05:46 twserver sshd[13880]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=58.61.149.213
Jan  8 16:05:48 twserver sshd[13880]: Failed password for invalid user
zzz from 58.61.149.213 port 58583 ssh2
Jan  8 16:05:52 twserver sshd[13882]: Address 58.61.149.213 maps to
mail.d3zone.com, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!
Jan  8 16:05:52 twserver sshd[13882]: Invalid user frank from 58.61.149.213
Jan  8 16:05:52 twserver sshd[13882]: pam_unix(sshd:auth): check pass;
user unknown
Jan  8 16:05:52 twserver sshd[13882]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=58.61.149.213
Jan  8 16:05:54 twserver sshd[13882]: Failed password for invalid user
frank from 58.61.149.213 port 59089 ssh2
Jan  8 16:05:57 twserver sshd[13884]: Address 58.61.149.213 maps to
mail.d3zone.com, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!
Jan  8 16:05:57 twserver sshd[13884]: Invalid user dan from 58.61.149.213
Jan  8 16:05:57 twserver sshd[13884]: pam_unix(sshd:auth): check pass;
user unknown
Jan  8 16:05:57 twserver sshd[13884]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=58.61.149.213
Jan  8 16:05:59 twserver sshd[13884]: Failed password for invalid user
dan from 58.61.149.213 port 59587 ssh2
Jan  8 16:06:03 twserver sshd[13886]: Address 58.61.149.213 maps to
mail.d3zone.com, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!
Jan  8 16:06:03 twserver sshd[13886]: Invalid user james from 58.61.149.213
Jan  8 16:06:03 twserver sshd[13886]: pam_unix(sshd:auth): check pass;
user unknown
Jan  8 16:06:03 twserver sshd[13886]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=58.61.149.213
Jan  8 16:06:04 twserver sshd[13886]: Failed password for invalid user
james from 58.61.149.213 port 60094 ssh2
Jan  8 16:06:08 twserver sshd[13888]: Address 58.61.149.213 maps to
mail.d3zone.com, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!
Jan  8 16:06:08 twserver sshd[13888]: Invalid user snort from 58.61.149.213
Jan  8 16:06:08 twserver sshd[13888]: pam_unix(sshd:auth): check pass;
user unknown
Jan  8 16:06:08 twserver sshd[13888]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=58.61.149.213
Jan  8 16:06:10 twserver sshd[13888]: Failed password for invalid user
snort from 58.61.149.213 port 60597 ssh2
Jan  8 16:06:13 twserver sshd[13891]: Address 58.61.149.213 maps to
mail.d3zone.com, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!
Jan  8 16:06:13 twserver sshd[13891]: Invalid user radiomail from 58.61.149.213
Jan  8 16:06:13 twserver sshd[13891]: pam_unix(sshd:auth): check pass;
user unknown
Jan  8 16:06:13 twserver sshd[13891]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=58.61.149.213
Jan  8 16:06:15 twserver sshd[13891]: Failed password for invalid user
radiomail from 58.61.149.213 port 32918 ssh2
Jan  8 16:06:18 twserver sshd[13893]: Address 58.61.149.213 maps to
mail.d3zone.com, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!
Jan  8 16:06:18 twserver sshd[13893]: Invalid user harrypotter from
58.61.149.213
Jan  8 16:06:18 twserver sshd[13893]: pam_unix(sshd:auth): check pass;
user unknown
Jan  8 16:06:18 twserver sshd[13893]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=58.61.149.213
Jan  8 16:06:20 twserver sshd[13893]: Failed password for invalid user
harrypotter from 58.61.149.213 port 33591 ssh2
Jan  8 16:06:24 twserver sshd[13895]: Address 58.61.149.213 maps to
mail.d3zone.com, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!
Jan  8 16:06:24 twserver sshd[13895]: Invalid user divine from 58.61.149.213
Jan  8 16:06:24 twserver sshd[13895]: pam_unix(sshd:auth): check pass;
user unknown
Jan  8 16:06:24 twserver sshd[13895]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=58.61.149.213
Jan  8 16:06:26 twserver sshd[13895]: Failed password for invalid user
divine from 58.61.149.213 port 34258 ssh2
Jan  8 16:06:29 twserver sshd[13898]: Address 58.61.149.213 maps to
mail.d3zone.com, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!
Jan  8 16:06:29 twserver sshd[13898]: Invalid user popa3d from 58.61.149.213
Jan  8 16:06:29 twserver sshd[13898]: pam_unix(sshd:auth): check pass;
user unknown
Jan  8 16:06:29 twserver sshd[13898]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=58.61.149.213
Jan  8 16:06:32 twserver sshd[13898]: Failed password for invalid user
popa3d from 58.61.149.213 port 35313 ssh2
Jan  8 16:06:35 twserver sshd[13900]: Address 58.61.149.213 maps to
mail.d3zone.com, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!
Jan  8 16:06:35 twserver sshd[13900]: Invalid user aptproxy from 58.61.149.213
Jan  8 16:06:35 twserver sshd[13900]: pam_unix(sshd:auth): check pass;
user unknown
Jan  8 16:06:35 twserver sshd[13900]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=58.61.149.213
Jan  8 16:06:37 twserver sshd[13900]: Failed password for invalid user
aptproxy from 58.61.149.213 port 36189 ssh2
Jan  8 16:06:40 twserver sshd[13902]: Address 58.61.149.213 maps to
mail.d3zone.com, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!
Jan  8 16:06:40 twserver sshd[13902]: Invalid user desktop from 58.61.149.213
Jan  8 16:06:40 twserver sshd[13902]: pam_unix(sshd:auth): check pass;
user unknown
Jan  8 16:06:40 twserver sshd[13902]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=58.61.149.213
Jan  8 16:06:43 twserver sshd[13902]: Failed password for invalid user
desktop from 58.61.149.213 port 36882 ssh2
Jan  8 16:06:46 twserver sshd[13904]: Address 58.61.149.213 maps to
mail.d3zone.com, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!
Jan  8 16:06:46 twserver sshd[13904]: Invalid user workshop from 58.61.149.213
Jan  8 16:06:46 twserver sshd[13904]: pam_unix(sshd:auth): check pass;
user unknown
Jan  8 16:06:46 twserver sshd[13904]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=58.61.149.213
Jan  8 16:06:49 twserver sshd[13904]: Failed password for invalid user
workshop from 58.61.149.213 port 37656 ssh2
Jan  8 16:06:52 twserver sshd[13907]: Address 58.61.149.213 maps to
mail.d3zone.com, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!
Jan  8 16:06:52 twserver sshd[13907]: Invalid user mailnull from 58.61.149.213
Jan  8 16:06:52 twserver sshd[13907]: pam_unix(sshd:auth): check pass;
user unknown
Jan  8 16:06:52 twserver sshd[13907]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=58.61.149.213
Jan  8 16:06:55 twserver sshd[13907]: Failed password for invalid user
mailnull from 58.61.149.213 port 38404 ssh2
Jan  8 16:06:59 twserver sshd[13909]: Address 58.61.149.213 maps to
mail.d3zone.com, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!
Jan  8 16:06:59 twserver sshd[13909]: Invalid user nfsnobody from 58.61.149.213
Jan  8 16:06:59 twserver sshd[13909]: pam_unix(sshd:auth): check pass;
user unknown
Jan  8 16:06:59 twserver sshd[13909]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=58.61.149.213
Jan  8 16:07:01 twserver sshd[13909]: Failed password for invalid user
nfsnobody from 58.61.149.213 port 39131 ssh2
Jan  8 16:07:05 twserver sshd[13911]: Address 58.61.149.213 maps to
mail.d3zone.com, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!
Jan  8 16:07:05 twserver sshd[13911]: Invalid user rpcuser from 58.61.149.213
Jan  8 16:07:05 twserver sshd[13911]: pam_unix(sshd:auth): check pass;
user unknown
Jan  8 16:07:05 twserver sshd[13911]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=58.61.149.213
Jan  8 16:07:07 twserver sshd[13911]: Failed password for invalid user
rpcuser from 58.61.149.213 port 40095 ssh2
Jan  8 16:07:11 twserver sshd[13913]: Address 58.61.149.213 maps to
mail.d3zone.com, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!
Jan  8 16:07:11 twserver sshd[13913]: Invalid user rpc from 58.61.149.213
Jan  8 16:07:11 twserver sshd[13913]: pam_unix(sshd:auth): check pass;
user unknown
Jan  8 16:07:11 twserver sshd[13913]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=58.61.149.213
Jan  8 16:07:12 twserver sshd[13913]: Failed password for invalid user
rpc from 58.61.149.213 port 40908 ssh2
Jan  8 16:07:16 twserver sshd[13916]: Address 58.61.149.213 maps to
mail.d3zone.com, but this does not map back to the address - POSSIBLE
BREAK-IN ATTEMPT!
Jan  8 16:07:16 twserver sshd[13916]: Invalid user gopher from 58.61.149.213
Jan  8 16:07:16 twserver sshd[13916]: pam_unix(sshd:auth): check pass;
user unknown
Jan  8 16:07:16 twserver sshd[13916]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=58.61.149.213
Jan  8 16:07:18 twserver sshd[13916]: Failed password for invalid user
gopher from 58.61.149.213 port 41769 ssh2
Jan  8 16:19:09 twserver perl[14022]: pam_unix(webmin:auth):
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=root


In the syslog:
Jan  8 16:25:01 twserver cron[4009]: Error: bad username; while
reading /etc/cron.d/mistareas
Jan  8 16:25:01 twserver /usr/sbin/cron[4009]: (root) RELOAD (crontabs/root)
Jan  8 16:28:44 twserver named[3276]: ns_forw:
query(ntps1-1.cs.tu-berlin.de) NS points to CNAME
(wncs.tubit.tu-berlin.de:) learnt (CNAME=130.149.4.20:NS=130.149.4.20)
Jan  8 16:28:44 twserver named[3276]: sysquery:
query(ns.cs.tu-berlin.de) NS points to CNAME
(wncs.tubit.tu-berlin.de:) learnt (CNAME=130.149.4.20:NS=130.149.4.20)
Jan  8 16:28:44 twserver named[3276]: sysquery:
query(mail.cs.tu-berlin.de) NS points to CNAME
(wncs.tubit.tu-berlin.de:) learnt (CNAME=130.149.4.20:NS=130.149.4.20)
Jan  8 16:31:42 twserver named[3276]: ns_forw:
sendto([2001:500:e::1].53): Network is unreachable
Jan  8 16:31:43 twserver named[3276]: sysquery:
sendto([2001:503:a83e::2:30].53): Network is unreachable
Jan  8 16:31:43 twserver named[3276]: ns_forw:
sendto([2001:503:a83e::2:30].53): Network is unreachable
Jan  8 16:31:43 twserver named[3276]: ns_forw:
sendto([2001:503:231d::2:30].53): Network is unreachable
Jan  8 16:31:44 twserver named[3276]: ns_forw:
sendto([2001:500:40::1].53): Network is unreachable
Jan  8 16:31:44 twserver named[3276]: sysquery:
sendto([2001:628:453:4905::53].53): Network is unreachable
Jan  8 16:32:59 twserver named[3276]: unrelated additional info
'dns13.llnwd.net' type A from [69.28.143.14].53
Jan  8 16:32:59 twserver named[3276]: unrelated additional info
'dns14.llnwd.net' type A from [69.28.143.14].53
Jan  8 16:33:03 twserver named[3276]: unrelated additional info
'dns13.msecnd.net' type A from [70.37.135.11].53
Jan  8 16:33:03 twserver named[3276]: unrelated additional info
'dns14.msecnd.net' type A from [70.37.135.11].53
Jan  8 16:33:51 twserver named[3276]: ns_resp:
sendto([2001:550:1:a::d].53): Network is unreachable
Jan  8 16:34:17 twserver imapd: LOGOUT, user=turnos,
ip=[::ffff:192.168.0.189], headers=0, body=0, rcvd=210, sent=868,
time=929
Jan  8 16:35:57 twserver imapd: Connection, ip=[::ffff:127.0.0.1]
Jan  8 16:35:57 twserver imapd: LOGIN, user=croberti,
ip=[::ffff:127.0.0.1], port=[56721], protocol=IMAP
Jan  8 16:35:57 twserver imapd: LOGOUT, user=croberti,
ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=428, sent=2052, time=0
Jan  8 16:37:08 twserver named[3276]: sysquery:
sendto([2001:620::5].53): Network is unreachable
Jan  8 16:39:01 twserver /USR/SBIN/CRON[14974]: (root) CMD (  [ -x
/usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find
/var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 |
xargs -n 200 -r -0 rm)
Jan  8 16:39:01 twserver /USR/SBIN/CRON[14973]: (root) CMD (  [ -d
/var/lib/php4 ] && find /var/lib/php4/ -type f -cmin
+$(/usr/lib/php4/maxlifetime) -print0 | xargs -r -0 rm)


-- 
Maximiliano Duarte
Linux User #495070
Ubuntu User #28504
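
A triage sketch for the two artifacts in the post above, added here as an example and not part of the original message: it rejoins mail-wrapped sshd records, reports sources with repeated failed logins together with any login that later succeeded from the same source, and lists cron commands that run from temp directories. The log sample, its addresses (192.0.2.10, 198.51.100.7) and the cron schedule fields are constructed; only the `/var/tmp/.logout/eggdrop/y2kupdate` command comes from the post, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the sshd lines in the post; the
# addresses are documentation ranges, not the ones from the post.
SAMPLE_AUTH_LOG = """\
Jan  8 16:05:30 host sshd[101]: Failed password for invalid user
eleve from 192.0.2.10 port 37615 ssh2
Jan  8 16:05:37 host sshd[102]: Failed password for proxy from
192.0.2.10 port 38119 ssh2
Jan  8 16:05:48 host sshd[103]: Failed password for invalid user zzz from 192.0.2.10 port 58583 ssh2
Jan  8 16:09:12 host sshd[104]: Accepted password for proxy from 192.0.2.10 port 40001 ssh2
Jan  8 16:10:00 host sshd[105]: Accepted publickey for admin from 198.51.100.7 port 50022 ssh2
"""
# Schedule fields are constructed; the second command is the one from the post.
SAMPLE_CRONTAB = """\
17 3 * * * /usr/local/bin/backup.sh
* * * * * /var/tmp/.logout/eggdrop/y2kupdate >/dev/null 2>&1
"""

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
AUTH_EVENT = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+) port")
TEMP_PATH = re.compile(r"(?:^|\s)(/(?:var/tmp|tmp|dev/shm)/\S+)")

def unwrap(text):
    """Rejoin records that a mail client wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def summarize_ssh(text, threshold=3):
    """Per source with >= threshold failures: users tried and users accepted."""
    stats = defaultdict(lambda: {"failed": [], "accepted": []})
    for rec in unwrap(text):
        m = AUTH_EVENT.search(rec)
        if m:
            result, user, src = m.groups()
            stats[src]["failed" if result == "Failed" else "accepted"].append(user)
    # A source that guessed repeatedly and then logged in is the urgent case.
    return {s: v for s, v in stats.items() if len(v["failed"]) >= threshold}

def suspicious_cron(text):
    """Cron commands that execute from world-writable temp directories."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    return [m.group(1) for l in lines if (m := TEMP_PATH.search(l))]

if __name__ == "__main__":
    print(summarize_ssh(SAMPLE_AUTH_LOG))
    print(suspicious_cron(SAMPLE_CRONTAB))
```

A non-empty `accepted` list for a source that also appears with many failures is the signal to treat the host as compromised rather than merely probed.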