Possible break-in attempt?

Alexandru Cucu cracknel.org at gmail.com
Fri Jan 8 12:05:21 GMT 2010


The ones with "invalid user" are part of a brute-force attack on SSH.
My advice: change the SSH server's port.

2010/1/8 florin <florin at xcellcomputers.ro>:
> In the log.auth file in /var/log I read the following:
>
> Dec 30 19:09:01 telacad CRON[26205]: pam_unix(cron:session): session
> opened for user root by (uid=0)
> Dec 30 19:09:01 telacad dbus-daemon: Rejected send message, 1 matched
> rules; type="method_call", sender=":1.31" (uid=1000 pid=3643
> comm="/usr/lib/indicator-$
> Dec 30 19:09:01 telacad CRON[26205]: pam_unix(cron:session): session
> closed for user root
>
> pam_unix(cron:session): session opened for user root by (uid=0)
> Dec 30 19:30:03 telacad dbus-daemon: Rejected send message, 1 matched
> rules; type="method_call", sender=":1.31" (uid=1000 pid=3643
> comm="/usr/lib/indicator-$
> Dec 30 19:30:05 telacad CRON[27043]: pam_unix(cron:session): session
> closed for user root
> Dec 30 19:33:40 telacad sshd[27344]: Did not receive identification
> string from 188.121.134.50
>
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=94.52.203.47  user=root
> Jan  1 21:43:35 telacad sshd[21374]: Failed password for root from
> 94.52.203.47 port 32785 ssh2
> Jan  1 21:43:40 telacad sshd[21376]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=94.52.203.47  user=root
> Jan  1 21:43:42 telacad sshd[21376]: Failed password for root from
> 94.52.203.47 port 33170 ssh2
>
> Jan  3 18:25:50 telacad sshd[23891]: Invalid user luxmundi from
> 74.223.159.121
> Jan  3 18:25:50 telacad sshd[23891]: pam_unix(sshd:auth): check pass;
> user unknown
> Jan  3 18:25:50 telacad sshd[23891]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=74.223.159.121.nw.nuvox.net
> Jan  3 18:25:50 telacad sshd[23886]: Failed password for invalid user
> utilidades from 74.223.159.121 port 38618 ssh2
> Jan  3 18:25:51 telacad sshd[23885]: Failed password for invalid user
> sol from 74.223.159.121 port 38612 ssh2
> Jan  3 18:25:51 telacad sshd[23889]: Failed password for invalid user
> Aarni from 74.223.159.121 port 38713 ssh2
> Jan  3 18:25:51 telacad sshd[23891]: Failed password for invalid user
> luxmundi from 74.223.159.121 port 38794 ssh2
> Jan  3 18:25:53 telacad sshd[23894]: Invalid user perla from 74.223.159.121
> Jan  3 18:25:53 telacad sshd[23893]: Invalid user Aarno from 74.223.159.121
>
>
> Jan  8 11:56:56 telacad sshd[4156]: reverse mapping checking getaddrinfo
> for 20.117.127.124.broad.bj.bj.static.163data.com.cn [124.127.117.20]
> failed - POSSIBLE BREAK-IN ATTEMPT!
> Jan  8 11:56:56 telacad sshd[4156]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.127.117.20
> user=root
> Jan  8 11:56:57 telacad sshd[4156]: Failed password for root from
> 124.127.117.20 port 57299 ssh2
> Jan  8 11:57:00 telacad sshd[4159]: reverse mapping checking getaddrinfo
> for 20.117.127.124.broad.bj.bj.static.163data.com.cn [124.127.117.20]
> failed - POSSIBLE BREAK-IN ATTEMPT!
> Jan  8 11:57:00 telacad sshd[4159]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.127.117.20
> user=root
>
>
> I would like to know whether I have been attacked, or what these messages
> mean, especially the one with POSSIBLE BREAK-IN ATTEMPT!?
> I should mention that the name of my computer, "telacad", has nothing in
> common with the "telacad" school.
> I have messages like the first ones above for, I think, dozens of users and IPs.
> Can anyone help me with some information?
> Thank you anyway, you are a super cool team!
> Good luck going forward.
>
>
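
Added example, not part of the original thread: a small Python triage of the sshd message kinds quoted in the post above, grouped by source IP, which also checks for OpenSSH's "Accepted" line to see whether any guess actually succeeded. The sample lines, IPs, usernames, PIDs and the three-username threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# sshd message kinds quoted in the thread, plus "Accepted ..." (OpenSSH's
# success line) so a guess that worked is not missed. IPv4 only, for brevity.
S, IP = r"sshd\[\d+\]: ", r"(?P<ip>\d+\.\d+\.\d+\.\d+)"
PATTERNS = {k: re.compile(S + v) for k, v in {
    "invalid_user": r"Invalid user (?P<user>\S+) from " + IP,
    "failed_password": r"Failed password for (?:invalid user )?(?P<user>\S+) from " + IP,
    "reverse_mapping": r"reverse mapping checking getaddrinfo for \S+ \[" + IP + r"\] failed",
    "no_ident": r"Did not receive identification string from " + IP,
    "accepted": r"Accepted \S+ for (?P<user>\S+) from " + IP,
}.items()}

# Constructed sample lines (documentation IP ranges, made-up users and PIDs).
SAMPLE_LOG = """\
Jan  3 18:25:50 host sshd[101]: Invalid user alice from 203.0.113.7
Jan  3 18:25:50 host sshd[101]: Failed password for invalid user alice from 203.0.113.7 port 38618 ssh2
Jan  3 18:25:51 host sshd[102]: Invalid user bob from 203.0.113.7
Jan  3 18:25:53 host sshd[103]: Invalid user carol from 203.0.113.7
Jan  8 11:56:56 host sshd[201]: reverse mapping checking getaddrinfo for host.example.net [198.51.100.20] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan  8 11:56:57 host sshd[201]: Failed password for root from 198.51.100.20 port 57299 ssh2
Jan  8 11:57:10 host sshd[202]: Accepted password for root from 198.51.100.20 port 57301 ssh2
Jan  8 12:00:00 host sshd[203]: Did not receive identification string from 192.0.2.50
Jan  8 12:00:01 host CRON[300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

def summarize(log_text):
    """Per source IP: event counts by kind and the set of usernames tried."""
    stats = defaultdict(lambda: {"counts": defaultdict(int), "users": set()})
    for line in log_text.splitlines():
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                stats[m["ip"]]["counts"][kind] += 1
                if "user" in m.groupdict():
                    stats[m["ip"]]["users"].add(m["user"])
                break
    return stats

def classify(entry, min_users=3):
    """Heuristic verdict for one IP; the min_users threshold is an assumption."""
    c = entry["counts"]
    if c["accepted"] and (c["failed_password"] or c["invalid_user"]):
        return "login succeeded after failures"
    if len(entry["users"]) >= min_users:
        return "username-guessing brute force"
    if c["failed_password"]:
        return "password guessing"
    return "probe"
```

Call `summarize()` on the contents of the auth log and `classify()` on each per-IP entry; any "login succeeded after failures" verdict is the one that needs immediate follow-up.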


