Re: sequences in the auth.log

From: Mohacsi Janos (mohacsi_at_niif.hu)
Date: 08/13/04

    Date: Fri, 13 Aug 2004 16:14:29 +0200 (CEST)
    To: Sandor Berta <berta@beco.hu>
    
    

    Hi Sandor,
    You don't have to worry, unless you have a user 'test', 'guest',
    'admin', or 'root' with a poor password: typically the same as or very similar to
    the account name. There seems to be a script going around among the hackers to scan
    SSH and gain access to poorly configured servers.... Unfortunately there are plenty
    of badly configured servers. Maybe you should disable root access via SSH
    password (only via keys).

    Regards,

    Janos Mohacsi
    Network Engineer, Research Associate
    NIIF/HUNGARNET, HUNGARY
    Key 00F9AF98: 8645 1312 D249 471B DBAE 21A2 9F52 0D1F 00F9 AF98

    On Fri, 13 Aug 2004, Sandor Berta wrote:

    > Hi all,
    > I found similar sequences in the
    > /var/auth.log files of the FreeBSD boxes I supervise:
    > Aug 13 13:56:08 www sshd[26091]: Illegal user test from 165.21.103.20
    > Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 165.21.103.20
    > Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 165.21.103.20
    > Aug 13 13:56:18 www sshd[26103]: Illegal user admin from 165.21.103.20
    > Aug 13 13:56:21 www sshd[26105]: Illegal user user from 165.21.103.20
    > Aug 13 13:56:25 www sshd[26107]: Failed password for root from 165.21.103.20 port 39678 ssh2
    > Aug 13 13:56:28 www sshd[26109]: Failed password for root from 165.21.103.20 port 39760 ssh2
    > Aug 13 13:56:32 www sshd[26111]: Failed password for root from 165.21.103.20 port 39836 ssh2
    > Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
    > Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
    > Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57
    >
    > What are these?
    >
    > bye
    > Sandor Berta
    >
    > _______________________________________________
    > freebsd-security@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-security
    > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    >


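As an added example (not code from the thread or from FreeBSD), the Python script below parses the two sshd message shapes Sandor pasted ("Illegal user ... from ..." and "Failed password for ... from ...") and reports source addresses that produce a burst of attempts, which is the pattern Janos attributes to a scanning script. The sample lines are the ones quoted above, rejoined onto single lines; the threshold of 3 events within 60 seconds and the assumed year 2004 are my choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# The two sshd message shapes seen in the thread.
ILLEGAL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Illegal user (?P<user>\S+) from (?P<ip>[\d.]+)")
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<ip>[\d.]+)")

# Sample input: the auth.log excerpt quoted in the thread (wrapped lines rejoined).
SAMPLE_LOG = [
    "Aug 13 13:56:08 www sshd[26091]: Illegal user test from 165.21.103.20",
    "Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 165.21.103.20",
    "Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 165.21.103.20",
    "Aug 13 13:56:18 www sshd[26103]: Illegal user admin from 165.21.103.20",
    "Aug 13 13:56:21 www sshd[26105]: Illegal user user from 165.21.103.20",
    "Aug 13 13:56:25 www sshd[26107]: Failed password for root from 165.21.103.20 port 39678 ssh2",
    "Aug 13 13:56:28 www sshd[26109]: Failed password for root from 165.21.103.20 port 39760 ssh2",
    "Aug 13 13:56:32 www sshd[26111]: Failed password for root from 165.21.103.20 port 39836 ssh2",
    "Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20",
    "Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57",
    "Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57",
]

def parse_line(line, year=2004):
    """Return {ts, kind, user, ip} for a matching sshd line, else None.
    syslog timestamps carry no year, so one is assumed (2004 here)."""
    for kind, rx in (("illegal", ILLEGAL_RE), ("failed", FAILED_RE)):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            return {"ts": ts, "kind": kind, "user": m["user"], "ip": m["ip"]}
    return None

def find_scanners(lines, min_events=3, window_seconds=60):
    """Group failed logins by source IP and report IPs with at least
    min_events attempts falling inside any window_seconds span."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    report = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        # Sliding window over the sorted timestamps.
        for i in range(len(events) - min_events + 1):
            span = (events[i + min_events - 1]["ts"] - events[i]["ts"]).total_seconds()
            if span <= window_seconds:
                report[ip] = {"attempts": len(events),
                              "users": sorted({e["user"] for e in events})}
                break
    return report
```

Running `find_scanners(SAMPLE_LOG)` flags only 165.21.103.20 (nine attempts against test, guest, admin, user and root in under a minute); the mitigation Janos suggests corresponds to `PermitRootLogin without-password` in sshd_config (spelled `prohibit-password` on newer OpenSSH releases).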