LinuxQuestions.org

guarriman 10-11-2005 09:57 AM

My server crashed after "Failed password for invalid user john from ::ffff:XX.XX"
 
Hi.

Using Fedora Core 2, my server crashed suddenly on Saturday. I noticed that all services
were stopped (I can't access it via SSH), and I had to phone my datacenter to restart it
manually.

This is my '/var/log/secure' at the moment of the failure:
-----------------
Oct 8 00:40:52 www sshd[12447]: error: Could not get shadow information for NOUSER
Oct 8 00:40:52 www sshd[12447]: Failed password for invalid user john from ::ffff:XX.XX.XX.XX port 36201 ssh2
Oct 8 00:40:52 www sshd[12449]: Failed password for root from ::ffff:XX.XX.XX.XX port 36204 ssh2
Oct 8 00:40:52 www sshd[12451]: Failed password for root from ::ffff:XX.XX.XX.XX port 36217 ssh2
Oct 8 00:40:52 www sshd[12453]: Failed password for root from ::ffff:XX.XX.XX.XX port 36224 ssh2
Oct 8 00:40:52 www sshd[12455]: Failed password for root from ::ffff:XX.XX.XX.XX port 36239 ssh2
Oct 8 00:40:53 www sshd[12457]: Failed password for root from ::ffff:XX.XX.XX.XX port 36243 ssh2
Oct 8 00:40:53 www sshd[12459]: Failed password for root from ::ffff:XX.XX.XX.XX port 36262 ssh2
Oct 8 00:40:53 www sshd[12461]: Invalid user test from ::ffff:XX.XX.XX.XX
Oct 8 00:40:53 www sshd[12461]: error: Could not get shadow information for NOUSER
Oct 8 00:40:53 www sshd[12461]: Failed password for invalid user test from ::ffff:XX.XX.XX.XX port 36268 ssh2
Oct 8 00:40:53 www sshd[12463]: Failed password for root from ::ffff:XX.XX.XX.XX port 36281 ssh2
Oct 8 00:40:54 www sshd[12465]: Failed password for root from ::ffff:XX.XX.XX.XX port 36299 ssh2
Oct 8 00:40:54 www sshd[12467]: Invalid user test from ::ffff:XX.XX.XX.XX
Oct 8 00:40:54 www sshd[12467]: error: Could not get shadow information for NOUSER
Oct 8 00:40:54 www sshd[12467]: Failed password for invalid user test from ::ffff:XX.XX.XX.XX port 36319 ssh2
(NO INFORMATION HERE)
Oct 8 09:37:25 www sshd[1897]: Server listening on :: port 22.
Oct 8 09:37:25 www sshd[1897]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Oct 8 09:37:48 www webmin[2314]: Webmin starting
Oct 8 09:41:15 www xinetd[2328]: START: pop3 pid=2707 from=YY.YY.YY.YY
Oct 8 09:41:21 www xinetd[2328]: EXIT: pop3 pid=2707 duration=6(sec)
Oct 8 09:46:16 www xinetd[2328]: START: pop3 pid=2807 from=YY.YY.YY.YY
Oct 8 09:46:21 www xinetd[2328]: EXIT: pop3 pid=2807 duration=5(sec)
Oct 8 09:51:16 www xinetd[2328]: START: pop3 pid=2853 from=YY.YY.YY.YY
Oct 8 09:51:17 www xinetd[2328]: EXIT: pop3 pid=2853 duration=1(sec)
----------------

Between the first and the second part of the logs, there are nearly 9 hours of non-information, and
the first one is within '/var/log/secure' and the second one within '/var/log/secure.1' (logrotate?).

'XX.XX.XX.XX' is an IP address trying to access my server and 'YY.YY.YY.YY' is my home IP address.

From my '/var/log/messages' (no split)
---------
Oct 8 06:50:01 www crond(pam_unix)[11219]: session opened for user mailman by (uid=0)
Oct 8 06:50:01 www crond(pam_unix)[11219]: session closed for user mailman
Oct 8 06:55:01 www crond(pam_unix)[11236]: session opened for user mailman by (uid=0)
Oct 8 06:55:01 www crond(pam_unix)[11236]: session closed for user mailman
Oct 9 09:37:23 www syslogd 1.4.1: restart.
Oct 9 09:37:23 www syslog: syslogd startup succeeded
Oct 9 09:37:23 www kernel: klogd 1.4.1, log source = /proc/kmsg started.
Oct 9 09:37:23 www kernel: Linux version 2.6.9-1.667 (bhcompile@tweety.build.redhat.com) (gcc version 3.4.2 20041017 (Red Hat 3.4.2-6.fc3)) #1 Tue Nov 2 14:41:25 EST 2004
Oct 9 09:37:23 www kernel: BIOS-provided physical RAM map:
Oct 9 09:37:23 www kernel: BIOS-e820: 0000000000000000 - 00000000000a0000 (usable)
Oct 9 09:37:23 www kernel: BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
Oct 9 09:37:23 www kernel: BIOS-e820: 0000000000100000 - 000000001f7f0000 (usable)
Oct 9 09:37:23 www kernel: BIOS-e820: 000000001f7f0000 - 000000001f7f3000 (ACPI NVS)
Oct 9 09:37:23 www kernel: BIOS-e820: 000000001f7f3000 - 000000001f800000 (ACPI data)
Oct 9 09:37:23 www kernel: BIOS-e820: 00000000fec00000 - 0000000100000000 (reserved)
----------------

In my 'last':
------------
root pts/0 YY.YY.YY.YY Mon Oct 8 09:52 - 13:52 (04:00)
reboot system boot 2.6.9-1.667 Sun Oct 8 09:37 (2+03:14)
root pts/0 YY.YY.YY.YY Fri Oct 7 16:13 - 18:03 (01:50)
--------------

I don't have any clue about what happened on Saturday. Any suggestion is appreciated.

okmyx 10-11-2005 10:18 AM

I'm no expert, but missing log entries and multiple attempts at logins potentially point to a successful hack.

Does the IP address point to anywhere interesting?
This mailman login, is it an account you recognise?
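As an added example (not posted by anyone in this thread), here is a small Python script that runs the two checks okmyx is hinting at over a /var/log/secure-style file: bursts of failed SSH passwords from one source IP, and stretches where the box logged nothing at all. The log lines are constructed to match the excerpt above, with TEST-NET addresses standing in for XX.XX.XX.XX and YY.YY.YY.YY, and since syslog stamps carry no year the script assumes 2005.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format of the /var/log/secure excerpt in the thread.
# 192.0.2.10 (TEST-NET-1) stands in for the attacker's XX.XX.XX.XX; 198.51.100.7 for YY.YY.YY.YY.
SAMPLE_LOG = """\
Oct  8 00:40:52 www sshd[12447]: Failed password for invalid user john from ::ffff:192.0.2.10 port 36201 ssh2
Oct  8 00:40:52 www sshd[12449]: Failed password for root from ::ffff:192.0.2.10 port 36204 ssh2
Oct  8 00:40:52 www sshd[12451]: Failed password for root from ::ffff:192.0.2.10 port 36217 ssh2
Oct  8 00:40:53 www sshd[12457]: Failed password for root from ::ffff:192.0.2.10 port 36243 ssh2
Oct  8 00:40:53 www sshd[12461]: Invalid user test from ::ffff:192.0.2.10
Oct  8 00:40:53 www sshd[12461]: Failed password for invalid user test from ::ffff:192.0.2.10 port 36268 ssh2
Oct  8 09:37:25 www sshd[1897]: Server listening on :: port 22.
Oct  8 09:41:15 www xinetd[2328]: START: pop3 pid=2707 from=198.51.100.7
"""

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) ")
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse_ts(line, year=2005):
    """Syslog stamps carry no year; assume the one passed in (2005 for this thread)."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year) if m else None

def failed_logins(log, window=timedelta(seconds=60), threshold=5):
    """Group failed SSH password attempts by source IP and flag bursts: at least
    `threshold` failures from one IP inside `window`, as in the excerpt above."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        user, ip = m.group(1), m.group(2)
        if ip.startswith("::ffff:"):  # IPv4-mapped IPv6 form that sshd logs on this box
            ip = ip[len("::ffff:"):]
        by_ip[ip].append((parse_ts(line), user))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        span = events[-1][0] - events[0][0]
        report[ip] = {"count": len(events), "users": sorted({u for _, u in events}),
                      "burst": len(events) >= threshold and span <= window}
    return report

def logging_gaps(log, min_gap=timedelta(hours=1)):
    """Return (last_seen, next_seen) pairs where consecutive lines are more than
    `min_gap` apart: stretches where the box logged nothing, like the nine hours here."""
    stamps = [t for t in map(parse_ts, log.splitlines()) if t]
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > min_gap]
```

Run it against the real file (after the first line of the rotated secure.1 is appended) and a reported gap that starts right after a burst is the thing to look into first, together with whether the services simply stopped logging or the box actually went down.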
