Re: sequences in the auth.log

From: Allen/Gore/SlackWareWolf (goreBOFH_at_comcast.net)
Date: 08/18/04

    Date: Wed, 18 Aug 2004 00:42:13 -0400
    To: freebsd-security@freebsd.org
    
    

    Same thing happened to a Linux box at my cousin's house. Apparently it's
    a worm or something that scans boxes looking for a way in.

    Justin wrote:

    >I'm seeing the same thing in my log. It makes me think it is a virus because
    >test, guest, and admin are not normal unix users.
    >
    >Jul 17 04:14:13 newman sshd[2630]: Illegal user test from 129.194.21.5
    >Jul 17 04:14:14 newman sshd[2632]: Illegal user guest from 129.194.21.5
    >Jul 24 19:29:26 newman sshd[43831]: Illegal user test from 69.0.134.72
    >Jul 24 19:29:26 newman sshd[43838]: Illegal user guest from 69.0.134.72
    >Jul 24 19:29:27 newman sshd[43840]: Illegal user admin from 69.0.134.72
    >Jul 24 19:29:27 newman sshd[43842]: Illegal user admin from 69.0.134.72
    >Jul 24 19:29:27 newman sshd[43844]: Illegal user user from 69.0.134.72
    >Jul 24 19:29:33 newman sshd[43853]: Illegal user test from 69.0.134.72
    >Jul 24 21:17:05 newman sshd[45031]: Illegal user test from 202.6.75.195
    >Jul 24 21:17:07 newman sshd[45033]: Illegal user guest from 202.6.75.195
    >Jul 25 02:04:17 newman sshd[34873]: Illegal user test from 211.202.3.148
    >Jul 25 02:04:19 newman sshd[34875]: Illegal user guest from 211.202.3.148
    >Jul 28 12:09:17 newman sshd[16613]: Illegal user test from 65.61.98.16
    >Jul 28 12:09:18 newman sshd[16615]: Illegal user guest from 65.61.98.16
    >Jul 31 08:18:09 newman sshd[98113]: Illegal user test from 65.194.200.129
    >Jul 31 08:18:10 newman sshd[98116]: Illegal user guest from 65.194.200.129
    >Aug 1 22:47:50 newman sshd[1520]: Illegal user test from 202.114.73.4
    >Aug 1 22:47:53 newman sshd[1522]: Illegal user guest from 202.114.73.4
    >Aug 4 21:09:11 newman sshd[39267]: Illegal user test from 218.38.216.168
    >Aug 4 21:09:13 newman sshd[39269]: Illegal user guest from 218.38.216.168
    >Aug 7 13:53:00 newman sshd[15889]: Illegal user test from 64.246.20.43
    >Aug 7 13:53:00 newman sshd[15891]: Illegal user guest from 64.246.20.43
    >Aug 7 13:53:01 newman sshd[15893]: Illegal user admin from 64.246.20.43
    >Aug 7 14:00:37 newman sshd[15970]: Illegal user test from 64.246.20.43
    >Aug 7 14:00:38 newman sshd[15972]: Illegal user guest from 64.246.20.43
    >Aug 7 14:00:39 newman sshd[15974]: Illegal user admin from 64.246.20.43
    >Aug 7 14:00:40 newman sshd[15976]: Illegal user admin from 64.246.20.43
    >Aug 7 14:00:41 newman sshd[15978]: Illegal user user from 64.246.20.43
    >Aug 7 14:00:44 newman sshd[15986]: Illegal user test from 64.246.20.43
    >Aug 8 06:48:05 newman sshd[51656]: Illegal user test from 64.151.89.172
    >Aug 8 06:48:06 newman sshd[51658]: Illegal user guest from 64.151.89.172
    >Aug 8 06:48:07 newman sshd[51660]: Illegal user admin from 64.151.89.172
    >Aug 8 06:48:08 newman sshd[51662]: Illegal user admin from 64.151.89.172
    >Aug 8 06:48:08 newman sshd[51664]: Illegal user user from 64.151.89.172
    >Aug 8 06:48:12 newman sshd[51672]: Illegal user test from 64.151.89.172
    >Aug 9 09:33:57 newman sshd[9346]: Illegal user test from 211.241.101.137
    >Aug 9 09:33:59 newman sshd[9348]: Illegal user guest from 211.241.101.137
    >Aug 9 09:34:01 newman sshd[9350]: Illegal user admin from 211.241.101.137
    >Aug 9 09:34:03 newman sshd[9352]: Illegal user admin from 211.241.101.137
    >Aug 9 09:34:04 newman sshd[9354]: Illegal user user from 211.241.101.137
    >Aug 9 09:34:13 newman sshd[9362]: Illegal user test from 211.241.101.137
    >Aug 9 15:54:37 newman sshd[11782]: Illegal user test from 80.64.104.66
    >Aug 9 15:54:39 newman sshd[11784]: Illegal user guest from 80.64.104.66
    >Aug 9 15:54:41 newman sshd[11786]: Illegal user admin from 80.64.104.66
    >Aug 9 15:54:43 newman sshd[11788]: Illegal user admin from 80.64.104.66
    >Aug 9 15:54:44 newman sshd[11790]: Illegal user user from 80.64.104.66
    >Aug 9 15:54:51 newman sshd[11798]: Illegal user test from 80.64.104.66
    >Aug 10 12:24:14 newman sshd[1392]: Illegal user test from 200.155.22.22
    >Aug 10 12:32:33 newman sshd[11361]: Illegal user test from 200.155.22.22
    >Aug 10 12:32:35 newman sshd[11364]: Illegal user guest from 200.155.22.22
    >Aug 10 12:32:37 newman sshd[11370]: Illegal user admin from 200.155.22.22
    >Aug 10 12:32:40 newman sshd[11372]: Illegal user admin from 200.155.22.22
    >Aug 10 12:32:42 newman sshd[11375]: Illegal user user from 200.155.22.22
    >Aug 10 12:32:51 newman sshd[11399]: Illegal user test from 200.155.22.22
    >Aug 10 20:22:59 newman sshd[1808]: Illegal user test from 63.251.144.88
    >Aug 16 04:41:53 newman sshd[31175]: Illegal user test from 210.223.178.180
    >Aug 16 04:41:54 newman sshd[31177]: Illegal user guest from 210.223.178.180
    >Aug 16 04:41:56 newman sshd[31179]: Illegal user admin from 210.223.178.180
    >Aug 16 04:41:58 newman sshd[31181]: Illegal user admin from 210.223.178.180
    >Aug 16 04:42:00 newman sshd[31183]: Illegal user user from 210.223.178.180
    >Aug 16 04:42:08 newman sshd[31191]: Illegal user test from 210.223.178.180
    >Aug 17 01:28:42 newman sshd[1507]: Illegal user test from 64.62.182.146
    >Aug 17 01:28:42 newman sshd[1509]: Illegal user guest from 64.62.182.146
    >Aug 17 01:28:43 newman sshd[1511]: Illegal user admin from 64.62.182.146
    >Aug 17 01:28:44 newman sshd[1513]: Illegal user admin from 64.62.182.146
    >Aug 17 01:28:45 newman sshd[1515]: Illegal user user from 64.62.182.146
    >Aug 17 01:28:48 newman sshd[1523]: Illegal user test from 64.62.182.146
    >
    >On Friday 13 August 2004 09:05 am, Sandor Berta wrote:
    >
    >
    >>Hi all,
    >>I found similar sequences in the
    >>/var/auth.log files of FreeBSD boxes I supervise:
    >>Aug 13 13:56:08 www sshd[26091]: Illegal user test from 165.21.103.20
    >>Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 165.21.103.20
    >>Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 165.21.103.20
    >>Aug 13 13:56:18 www sshd[26103]: Illegal user admin from 165.21.103.20
    >>Aug 13 13:56:21 www sshd[26105]: Illegal user user from 165.21.103.20
    >>Aug 13 13:56:25 www sshd[26107]: Failed password for root from 165.21.103.20 port 39678 ssh2
    >>Aug 13 13:56:28 www sshd[26109]: Failed password for root from 165.21.103.20 port 39760 ssh2
    >>Aug 13 13:56:32 www sshd[26111]: Failed password for root from 165.21.103.20 port 39836 ssh2
    >>Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
    >>Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
    >>Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57
    >>
    >>What are these?
    >>
    >>bye
    >>Sandor Berta
    >>
    >>_______________________________________________
    >>freebsd-security@freebsd.org mailing list
    >>http://lists.freebsd.org/mailman/listinfo/freebsd-security
    >>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    >>
    >>
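Added example, not part of the original messages: a small Python parser that groups sshd failed-login lines of the kind quoted in this thread into per-source bursts and reports the bursts that cycle through several usernames. The sample log, its documentation-range addresses, the 5-minute gap, the two-username threshold and the assumed year are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the sshd format quoted in the thread; addresses are
# RFC 5737 documentation ranges, not values from the page.
SAMPLE = """\
Aug 13 13:56:08 www sshd[26091]: Illegal user test from 192.0.2.10
Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 192.0.2.10
Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 192.0.2.10
Aug 13 13:56:25 www sshd[26107]: Failed password for root from 192.0.2.10 port 39678 ssh2
Aug 13 14:25:36 www sshd[26485]: Illegal user test from 198.51.100.7
Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 198.51.100.7
Aug 13 18:02:10 www sshd[27001]: Failed password for alice from 203.0.113.5 port 50022 ssh2
Aug 13 21:40:00 www sshd[27500]: Illegal user test from 192.0.2.10
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?:(?P<bad>Illegal|Invalid) user|Failed password for"
    r"(?: (?P<bad2>illegal|invalid) user)?) (?P<user>\S+) from (?P<ip>[\d.]+)")

def parse(text, year=2004):
    """Yield (time, ip, user, user_exists); syslog has no year, so one is assumed."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"], not (m["bad"] or m["bad2"])

def bursts(events, gap=timedelta(minutes=5)):
    """Group each source's attempts into bursts separated by more than `gap`."""
    by_ip = defaultdict(list)
    for ts, ip, user, exists in sorted(events):
        runs = by_ip[ip]
        if not runs or ts - runs[-1][-1][0] > gap:
            runs.append([])  # first attempt, or the source went quiet: new burst
        runs[-1].append((ts, user, exists))
    return by_ip

def scans(text, min_users=2):
    """Return (ip, start, usernames) for bursts that tried several usernames."""
    found = []
    for ip, runs in bursts(parse(text)).items():
        for run in runs:
            users = [u for _, u, _ in run]
            if len(set(users)) >= min_users:
                found.append((ip, run[0][0], users))
    return sorted(found, key=lambda f: f[1])
```

Calling `scans()` on the text of an auth.log returns one entry per multi-username burst; a lone failed login for a real account, like the `alice` line in the sample, is not reported.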

