[ubuntu-ar] this showed up in my crontab: /var/tmp/.logout/eggdrop/y2kupdate >/dev/null 2>&1

Hernan Cisneros hernol at gmail.com
Fri Jan 8 20:10:34 GMT 2010


On Fri, Jan 8, 2010 at 5:45 PM, Maxi <maximiliano.duarte en gmail.com> wrote:

> after finding that I checked the logs and found this, and it looks to me
> like I am being attacked
>
>
> Jan  8 16:05:30 twserver sshd[13873]: Failed password for invalid user
> eleve from 58.61.149.213 port 37615 ssh2
> Jan  8 16:05:34 twserver sshd[13875]: Address 58.61.149.213 maps to
> mail.d3zone.com, but this does not map back to the address - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  8 16:05:34 twserver sshd[13875]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=58.61.149.213  user=proxy
> Jan  8 16:05:37 twserver sshd[13875]: Failed password for proxy from
> 58.61.149.213 port 38119 ssh2
> Jan  8 16:05:40 twserver sshd[13877]: Address 58.61.149.213 maps to
> mail.d3zone.com, but this does not map back to the address - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  8 16:05:40 twserver sshd[13877]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=58.61.149.213  user=sys
> Jan  8 16:05:42 twserver sshd[13877]: Failed password for sys from
> 58.61.149.213 port 39034 ssh2
> Jan  8 16:05:46 twserver sshd[13880]: Address 58.61.149.213 maps to
> mail.d3zone.com, but this does not map back to the address - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  8 16:05:46 twserver sshd[13880]: Invalid user zzz from 58.61.149.213
> Jan  8 16:05:46 twserver sshd[13880]: pam_unix(sshd:auth): check pass;
> user unknown
> Jan  8 16:05:46 twserver sshd[13880]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=58.61.149.213
> Jan  8 16:05:48 twserver sshd[13880]: Failed password for invalid user
> zzz from 58.61.149.213 port 58583 ssh2
> Jan  8 16:05:52 twserver sshd[13882]: Address 58.61.149.213 maps to
> mail.d3zone.com, but this does not map back to the address - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  8 16:05:52 twserver sshd[13882]: Invalid user frank from 58.61.149.213
> Jan  8 16:05:52 twserver sshd[13882]: pam_unix(sshd:auth): check pass;
> user unknown
> Jan  8 16:05:52 twserver sshd[13882]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=58.61.149.213
> Jan  8 16:05:54 twserver sshd[13882]: Failed password for invalid user
> frank from 58.61.149.213 port 59089 ssh2
> Jan  8 16:05:57 twserver sshd[13884]: Address 58.61.149.213 maps to
> mail.d3zone.com, but this does not map back to the address - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  8 16:05:57 twserver sshd[13884]: Invalid user dan from 58.61.149.213
> Jan  8 16:05:57 twserver sshd[13884]: pam_unix(sshd:auth): check pass;
> user unknown
> Jan  8 16:05:57 twserver sshd[13884]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=58.61.149.213
> Jan  8 16:05:59 twserver sshd[13884]: Failed password for invalid user
> dan from 58.61.149.213 port 59587 ssh2
> Jan  8 16:06:03 twserver sshd[13886]: Address 58.61.149.213 maps to
> mail.d3zone.com, but this does not map back to the address - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  8 16:06:03 twserver sshd[13886]: Invalid user james from 58.61.149.213
> Jan  8 16:06:03 twserver sshd[13886]: pam_unix(sshd:auth): check pass;
> user unknown
> Jan  8 16:06:03 twserver sshd[13886]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=58.61.149.213
> Jan  8 16:06:04 twserver sshd[13886]: Failed password for invalid user
> james from 58.61.149.213 port 60094 ssh2
> Jan  8 16:06:08 twserver sshd[13888]: Address 58.61.149.213 maps to
> mail.d3zone.com, but this does not map back to the address - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  8 16:06:08 twserver sshd[13888]: Invalid user snort from 58.61.149.213
> Jan  8 16:06:08 twserver sshd[13888]: pam_unix(sshd:auth): check pass;
> user unknown
> Jan  8 16:06:08 twserver sshd[13888]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=58.61.149.213
> Jan  8 16:06:10 twserver sshd[13888]: Failed password for invalid user
> snort from 58.61.149.213 port 60597 ssh2
> Jan  8 16:06:13 twserver sshd[13891]: Address 58.61.149.213 maps to
> mail.d3zone.com, but this does not map back to the address - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  8 16:06:13 twserver sshd[13891]: Invalid user radiomail from
> 58.61.149.213
> Jan  8 16:06:13 twserver sshd[13891]: pam_unix(sshd:auth): check pass;
> user unknown
> Jan  8 16:06:13 twserver sshd[13891]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=58.61.149.213
> Jan  8 16:06:15 twserver sshd[13891]: Failed password for invalid user
> radiomail from 58.61.149.213 port 32918 ssh2
> Jan  8 16:06:18 twserver sshd[13893]: Address 58.61.149.213 maps to
> mail.d3zone.com, but this does not map back to the address - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  8 16:06:18 twserver sshd[13893]: Invalid user harrypotter from
> 58.61.149.213
> Jan  8 16:06:18 twserver sshd[13893]: pam_unix(sshd:auth): check pass;
> user unknown
> Jan  8 16:06:18 twserver sshd[13893]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=58.61.149.213
> Jan  8 16:06:20 twserver sshd[13893]: Failed password for invalid user
> harrypotter from 58.61.149.213 port 33591 ssh2
> Jan  8 16:06:24 twserver sshd[13895]: Address 58.61.149.213 maps to
> mail.d3zone.com, but this does not map back to the address - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  8 16:06:24 twserver sshd[13895]: Invalid user divine from
> 58.61.149.213
> Jan  8 16:06:24 twserver sshd[13895]: pam_unix(sshd:auth): check pass;
> user unknown
> Jan  8 16:06:24 twserver sshd[13895]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=58.61.149.213
> Jan  8 16:06:26 twserver sshd[13895]: Failed password for invalid user
> divine from 58.61.149.213 port 34258 ssh2
> Jan  8 16:06:29 twserver sshd[13898]: Address 58.61.149.213 maps to
> mail.d3zone.com, but this does not map back to the address - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  8 16:06:29 twserver sshd[13898]: Invalid user popa3d from
> 58.61.149.213
> Jan  8 16:06:29 twserver sshd[13898]: pam_unix(sshd:auth): check pass;
> user unknown
> Jan  8 16:06:29 twserver sshd[13898]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=58.61.149.213
> Jan  8 16:06:32 twserver sshd[13898]: Failed password for invalid user
> popa3d from 58.61.149.213 port 35313 ssh2
> Jan  8 16:06:35 twserver sshd[13900]: Address 58.61.149.213 maps to
> mail.d3zone.com, but this does not map back to the address - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  8 16:06:35 twserver sshd[13900]: Invalid user aptproxy from
> 58.61.149.213
> Jan  8 16:06:35 twserver sshd[13900]: pam_unix(sshd:auth): check pass;
> user unknown
> Jan  8 16:06:35 twserver sshd[13900]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=58.61.149.213
> Jan  8 16:06:37 twserver sshd[13900]: Failed password for invalid user
> aptproxy from 58.61.149.213 port 36189 ssh2
> Jan  8 16:06:40 twserver sshd[13902]: Address 58.61.149.213 maps to
> mail.d3zone.com, but this does not map back to the address - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  8 16:06:40 twserver sshd[13902]: Invalid user desktop from
> 58.61.149.213
> Jan  8 16:06:40 twserver sshd[13902]: pam_unix(sshd:auth): check pass;
> user unknown
> Jan  8 16:06:40 twserver sshd[13902]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=58.61.149.213
> Jan  8 16:06:43 twserver sshd[13902]: Failed password for invalid user
> desktop from 58.61.149.213 port 36882 ssh2
> Jan  8 16:06:46 twserver sshd[13904]: Address 58.61.149.213 maps to
> mail.d3zone.com, but this does not map back to the address - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  8 16:06:46 twserver sshd[13904]: Invalid user workshop from
> 58.61.149.213
> Jan  8 16:06:46 twserver sshd[13904]: pam_unix(sshd:auth): check pass;
> user unknown
> Jan  8 16:06:46 twserver sshd[13904]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=58.61.149.213
> Jan  8 16:06:49 twserver sshd[13904]: Failed password for invalid user
> workshop from 58.61.149.213 port 37656 ssh2
> Jan  8 16:06:52 twserver sshd[13907]: Address 58.61.149.213 maps to
> mail.d3zone.com, but this does not map back to the address - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  8 16:06:52 twserver sshd[13907]: Invalid user mailnull from
> 58.61.149.213
> Jan  8 16:06:52 twserver sshd[13907]: pam_unix(sshd:auth): check pass;
> user unknown
> Jan  8 16:06:52 twserver sshd[13907]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=58.61.149.213
> Jan  8 16:06:55 twserver sshd[13907]: Failed password for invalid user
> mailnull from 58.61.149.213 port 38404 ssh2
> Jan  8 16:06:59 twserver sshd[13909]: Address 58.61.149.213 maps to
> mail.d3zone.com, but this does not map back to the address - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  8 16:06:59 twserver sshd[13909]: Invalid user nfsnobody from
> 58.61.149.213
> Jan  8 16:06:59 twserver sshd[13909]: pam_unix(sshd:auth): check pass;
> user unknown
> Jan  8 16:06:59 twserver sshd[13909]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=58.61.149.213
> Jan  8 16:07:01 twserver sshd[13909]: Failed password for invalid user
> nfsnobody from 58.61.149.213 port 39131 ssh2
> Jan  8 16:07:05 twserver sshd[13911]: Address 58.61.149.213 maps to
> mail.d3zone.com, but this does not map back to the address - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  8 16:07:05 twserver sshd[13911]: Invalid user rpcuser from
> 58.61.149.213
> Jan  8 16:07:05 twserver sshd[13911]: pam_unix(sshd:auth): check pass;
> user unknown
> Jan  8 16:07:05 twserver sshd[13911]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=58.61.149.213
> Jan  8 16:07:07 twserver sshd[13911]: Failed password for invalid user
> rpcuser from 58.61.149.213 port 40095 ssh2
> Jan  8 16:07:11 twserver sshd[13913]: Address 58.61.149.213 maps to
> mail.d3zone.com, but this does not map back to the address - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  8 16:07:11 twserver sshd[13913]: Invalid user rpc from 58.61.149.213
> Jan  8 16:07:11 twserver sshd[13913]: pam_unix(sshd:auth): check pass;
> user unknown
> Jan  8 16:07:11 twserver sshd[13913]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=58.61.149.213
> Jan  8 16:07:12 twserver sshd[13913]: Failed password for invalid user
> rpc from 58.61.149.213 port 40908 ssh2
> Jan  8 16:07:16 twserver sshd[13916]: Address 58.61.149.213 maps to
> mail.d3zone.com, but this does not map back to the address - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  8 16:07:16 twserver sshd[13916]: Invalid user gopher from
> 58.61.149.213
> Jan  8 16:07:16 twserver sshd[13916]: pam_unix(sshd:auth): check pass;
> user unknown
> Jan  8 16:07:16 twserver sshd[13916]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=58.61.149.213
> Jan  8 16:07:18 twserver sshd[13916]: Failed password for invalid user
> gopher from 58.61.149.213 port 41769 ssh2
> Jan  8 16:19:09 twserver perl[14022]: pam_unix(webmin:auth):
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> user=root
>
>
> in the syslog
> Jan  8 16:25:01 twserver cron[4009]: Error: bad username; while
> reading /etc/cron.d/mistareas
> Jan  8 16:25:01 twserver /usr/sbin/cron[4009]: (root) RELOAD
> (crontabs/root)
> Jan  8 16:28:44 twserver named[3276]: ns_forw:
> query(ntps1-1.cs.tu-berlin.de) NS points to CNAME
> (wncs.tubit.tu-berlin.de:) learnt (CNAME=130.149.4.20:NS=130.149.4.20)
> Jan  8 16:28:44 twserver named[3276]: sysquery:
> query(ns.cs.tu-berlin.de) NS points to CNAME
> (wncs.tubit.tu-berlin.de:) learnt (CNAME=130.149.4.20:NS=130.149.4.20)
> Jan  8 16:28:44 twserver named[3276]: sysquery:
> query(mail.cs.tu-berlin.de) NS points to CNAME
> (wncs.tubit.tu-berlin.de:) learnt (CNAME=130.149.4.20:NS=130.149.4.20)
> Jan  8 16:31:42 twserver named[3276]: ns_forw:
> sendto([2001:500:e::1].53): Network is unreachable
> Jan  8 16:31:43 twserver named[3276]: sysquery:
> sendto([2001:503:a83e::2:30].53): Network is unreachable
> Jan  8 16:31:43 twserver named[3276]: ns_forw:
> sendto([2001:503:a83e::2:30].53): Network is unreachable
> Jan  8 16:31:43 twserver named[3276]: ns_forw:
> sendto([2001:503:231d::2:30].53): Network is unreachable
> Jan  8 16:31:44 twserver named[3276]: ns_forw:
> sendto([2001:500:40::1].53): Network is unreachable
> Jan  8 16:31:44 twserver named[3276]: sysquery:
> sendto([2001:628:453:4905::53].53): Network is unreachable
> Jan  8 16:32:59 twserver named[3276]: unrelated additional info
> 'dns13.llnwd.net' type A from [69.28.143.14].53
> Jan  8 16:32:59 twserver named[3276]: unrelated additional info
> 'dns14.llnwd.net' type A from [69.28.143.14].53
> Jan  8 16:33:03 twserver named[3276]: unrelated additional info
> 'dns13.msecnd.net' type A from [70.37.135.11].53
> Jan  8 16:33:03 twserver named[3276]: unrelated additional info
> 'dns14.msecnd.net' type A from [70.37.135.11].53
> Jan  8 16:33:51 twserver named[3276]: ns_resp:
> sendto([2001:550:1:a::d].53): Network is unreachable
> Jan  8 16:34:17 twserver imapd: LOGOUT, user=turnos,
> ip=[::ffff:192.168.0.189], headers=0, body=0, rcvd=210, sent=868,
> time=929
> Jan  8 16:35:57 twserver imapd: Connection, ip=[::ffff:127.0.0.1]
> Jan  8 16:35:57 twserver imapd: LOGIN, user=croberti,
> ip=[::ffff:127.0.0.1], port=[56721], protocol=IMAP
> Jan  8 16:35:57 twserver imapd: LOGOUT, user=croberti,
> ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=428, sent=2052, time=0
> Jan  8 16:37:08 twserver named[3276]: sysquery:
> sendto([2001:620::5].53): Network is unreachable
> Jan  8 16:39:01 twserver /USR/SBIN/CRON[14974]: (root) CMD (  [ -x
> /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find
> /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 |
> xargs -n 200 -r -0 rm)
> Jan  8 16:39:01 twserver /USR/SBIN/CRON[14973]: (root) CMD (  [ -d
> /var/lib/php4 ] && find /var/lib/php4/ -type f -cmin
> +$(/usr/lib/php4/maxlifetime) -print0 | xargs -r -0 rm)
>
>
> --
> Maximiliano Duarte
> Linux User #495070
> Ubuntu User #28504
>
Install fail2ban [0] to avoid worse trouble.

[0] www.fail2ban.org

Hernol.-
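
The check that fail2ban automates, shown against log lines in the same sshd format as the ones quoted above. This is an added example, not part of the original thread and not fail2ban's own code: it counts `Failed password` entries per source address inside a sliding window. The names `maxretry` and `findtime` mirror fail2ban's jail options; the threshold values, the `year` parameter and the sample lines (documentation addresses, unwrapped as they would appear in `/var/log/auth.log`) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the sshd syslog format of the quoted log
# (203.0.113.7 and 198.51.100.9 are documentation addresses, not from the thread).
SAMPLE_LOG = """\
Jan  8 16:05:30 host sshd[100]: Failed password for invalid user eleve from 203.0.113.7 port 37615 ssh2
Jan  8 16:05:37 host sshd[101]: Failed password for proxy from 203.0.113.7 port 38119 ssh2
Jan  8 16:05:42 host sshd[102]: Failed password for sys from 203.0.113.7 port 39034 ssh2
Jan  8 16:05:48 host sshd[103]: Failed password for invalid user zzz from 203.0.113.7 port 58583 ssh2
Jan  8 16:05:54 host sshd[104]: Failed password for invalid user frank from 203.0.113.7 port 59089 ssh2
Jan  8 16:06:10 host sshd[105]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Jan  8 16:40:00 host sshd[106]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Jan  8 16:41:00 host sshd[107]: Accepted password for alice from 198.51.100.9 port 40002 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_offenders(log_text, maxretry=5, findtime=600, year=2010):
    """Return {ip: sorted usernames tried} for every source address with at
    least maxretry failures inside any findtime-second window."""
    window = defaultdict(deque)   # ip -> timestamps of failures still in the window
    users = defaultdict(set)      # ip -> every username it attempted
    offenders = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = window[m["ip"]]
        q.append(ts)
        users[m["ip"]].add(m["user"])
        while ts - q[0] > timedelta(seconds=findtime):
            q.popleft()           # drop failures older than the window
        if len(q) >= maxretry:
            offenders[m["ip"]] = sorted(users[m["ip"]])
    return offenders

if __name__ == "__main__":
    for ip, tried in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: over threshold; usernames tried: {', '.join(tried)}")
```

The second address in the sample fails twice more than half an hour apart and then logs in, so it stays under the threshold; a source cycling through many usernames in seconds, as in the quoted log, does not.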