[TriLUG] Getting, um, probed?

Matt Pusateri mpusateri at wickedtrails.com
Wed Aug 4 21:48:17 EDT 2004


> Yeah, I saw two attempts on my server, but since I run a very restrictive
> /etc/hosts.allow
> and /hosts.deny combination they didn't get very far.
>
> I wonder if someone's trying out their openssl vulnerability exploiter a
> la "US-CERT
> Technical Cyber Security Alert TA04-078A -- Multiple Vulnerabilities in
> OpenSSL".
>
> Here are my log entries:
>
> Aug  1 11:31:54 hoover sshd[24482]: refused connect from
> ANantes-106-2-2-226.w80-13.abo.wanadoo.fr
> Aug  3 07:47:34 hoover sshd[26591]: refused connect from 209.67.60.46
>
>
> Jeff G.
>
> Brian Henning wrote:
>
>> Hi Y'all,
>>   I've been seeing a lot of the following in my logwatch lately:
>>
>> input_userauth_request: illegal user test
>> input_userauth_request: illegal user test
>> Failed password for illegal user test from 210.205.6.157 port 51389 ssh2
>> Failed password for illegal user test from 210.205.6.157 port 51470 ssh2
>> Received disconnect from 210.205.6.157: 11: Bye Bye
>> Received disconnect from 210.205.6.157: 11: Bye Bye

If memory serves me correctly, there was a thread on Gentoo-Security about
this within the last week and it's a known rootkit trying from rooted
boxes.  It tries three different accounts (admin, test and one guest I
think).  You should be able to search http://marc.theaimsgroup.com to find
it, look for automated ssh attempts.  I believe as long as you are running
the most current ssh you are ok.  One of the guys got into one of the
rooted boxes and was looking at the logs.


Matt
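As an added example (not code from the thread or its posters), the script below parses the two sshd log formats quoted above, the tcp_wrappers "refused connect from" entries and the logwatch-style "Failed password for illegal user" entries, and flags sources that guessed several non-existent accounts, the admin/test/guest pattern described above. The sample log is constructed from the thread's entries plus one extra private-address source for contrast.

```python
import re
from collections import defaultdict

# Constructed sample log modelled on the lines quoted in the thread. The
# logwatch-style failure lines carry no syslog prefix, so both regexes are
# applied with search() rather than match(). 10.0.0.5 is a made-up source.
SAMPLE_LOG = """\
Aug  1 11:31:54 hoover sshd[24482]: refused connect from ANantes-106-2-2-226.w80-13.abo.wanadoo.fr
Aug  3 07:47:34 hoover sshd[26591]: refused connect from 209.67.60.46
Failed password for illegal user test from 210.205.6.157 port 51389 ssh2
Failed password for illegal user test from 210.205.6.157 port 51470 ssh2
Failed password for illegal user admin from 210.205.6.157 port 51502 ssh2
Failed password for illegal user guest from 210.205.6.157 port 51533 ssh2
Failed password for illegal user test from 10.0.0.5 port 40000 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for illegal user (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
)
REFUSED_RE = re.compile(r"sshd\[\d+\]: refused connect from (?P<src>\S+)")


def summarize(log_text):
    """Aggregate sshd events per source: failure count, tcp_wrappers refusals,
    and the set of non-existent usernames that were tried."""
    per_src = defaultdict(lambda: {"failed": 0, "refused": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            entry = per_src[m.group("src")]
            entry["failed"] += 1
            entry["users"].add(m.group("user"))
            continue
        m = REFUSED_RE.search(line)
        if m:
            per_src[m.group("src")]["refused"] += 1
    return dict(per_src)


def flag_scanners(summary, min_failed=3, min_users=2):
    """Sources that look like automated account guessing: several failures
    spread across more than one non-existent username (admin, test, guest)."""
    return sorted(
        src for src, e in summary.items()
        if e["failed"] >= min_failed and len(e["users"]) >= min_users
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, e in sorted(summary.items()):
        print(f"{src}: failed={e['failed']} refused={e['refused']} users={sorted(e['users'])}")
    print("likely automated guessing:", flag_scanners(summary))
```

Feed it real auth.log or logwatch output instead of SAMPLE_LOG to get a per-source tally; sources that tcp_wrappers already refused show up with refused>0 and failed=0.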
