My server crashed after "Failed password for invalid user john from ::ffff:XX.XX"
Hi.
Using Fedora Core 2, my server crashed suddenly on Saturday. I noticed that all services were stopped (I can't access it via SSH), and I had to phone my datacenter to restart it manually. This is my '/var/log/secure' at the moment of the failure:
-----------------
Oct 8 00:40:52 www sshd[12447]: error: Could not get shadow information for NOUSER
Oct 8 00:40:52 www sshd[12447]: Failed password for invalid user john from ::ffff:XX.XX.XX.XX port 36201 ssh2
Oct 8 00:40:52 www sshd[12449]: Failed password for root from ::ffff:XX.XX.XX.XX port 36204 ssh2
Oct 8 00:40:52 www sshd[12451]: Failed password for root from ::ffff:XX.XX.XX.XX port 36217 ssh2
Oct 8 00:40:52 www sshd[12453]: Failed password for root from ::ffff:XX.XX.XX.XX port 36224 ssh2
Oct 8 00:40:52 www sshd[12455]: Failed password for root from ::ffff:XX.XX.XX.XX port 36239 ssh2
Oct 8 00:40:53 www sshd[12457]: Failed password for root from ::ffff:XX.XX.XX.XX port 36243 ssh2
Oct 8 00:40:53 www sshd[12459]: Failed password for root from ::ffff:XX.XX.XX.XX port 36262 ssh2
Oct 8 00:40:53 www sshd[12461]: Invalid user test from ::ffff:XX.XX.XX.XX
Oct 8 00:40:53 www sshd[12461]: error: Could not get shadow information for NOUSER
Oct 8 00:40:53 www sshd[12461]: Failed password for invalid user test from ::ffff:XX.XX.XX.XX port 36268 ssh2
Oct 8 00:40:53 www sshd[12463]: Failed password for root from ::ffff:XX.XX.XX.XX port 36281 ssh2
Oct 8 00:40:54 www sshd[12465]: Failed password for root from ::ffff:XX.XX.XX.XX port 36299 ssh2
Oct 8 00:40:54 www sshd[12467]: Invalid user test from ::ffff:XX.XX.XX.XX
Oct 8 00:40:54 www sshd[12467]: error: Could not get shadow information for NOUSER
Oct 8 00:40:54 www sshd[12467]: Failed password for invalid user test from ::ffff:XX.XX.XX.XX port 36319 ssh2
(NO INFORMATION HERE)
Oct 8 09:37:25 www sshd[1897]: Server listening on :: port 22.
Oct 8 09:37:25 www sshd[1897]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Oct 8 09:37:48 www webmin[2314]: Webmin starting
Oct 8 09:41:15 www xinetd[2328]: START: pop3 pid=2707 from=YY.YY.YY.YY
Oct 8 09:41:21 www xinetd[2328]: EXIT: pop3 pid=2707 duration=6(sec)
Oct 8 09:46:16 www xinetd[2328]: START: pop3 pid=2807 from=YY.YY.YY.YY
Oct 8 09:46:21 www xinetd[2328]: EXIT: pop3 pid=2807 duration=5(sec)
Oct 8 09:51:16 www xinetd[2328]: START: pop3 pid=2853 from=YY.YY.YY.YY
Oct 8 09:51:17 www xinetd[2328]: EXIT: pop3 pid=2853 duration=1(sec)
----------------
Between the first and the second part of the logs, there are nearly 9 hours of non-information, and the first one is within '/var/log/secure' and the second one within '/var/log/secure.1' (logrotate?). 'XX.XX.XX.XX' is an IP address trying to access my server and 'YY.YY.YY.YY' is my home IP address.

From my '/var/log/messages' (no split):
---------
Oct 8 06:50:01 www crond(pam_unix)[11219]: session opened for user mailman by (uid=0)
Oct 8 06:50:01 www crond(pam_unix)[11219]: session closed for user mailman
Oct 8 06:55:01 www crond(pam_unix)[11236]: session opened for user mailman by (uid=0)
Oct 8 06:55:01 www crond(pam_unix)[11236]: session closed for user mailman
Oct 9 09:37:23 www syslogd 1.4.1: restart.
Oct 9 09:37:23 www syslog: syslogd startup succeeded
Oct 9 09:37:23 www kernel: klogd 1.4.1, log source = /proc/kmsg started.
Oct 9 09:37:23 www kernel: Linux version 2.6.9-1.667 (bhcompile@tweety.build.redhat.com) (gcc version 3.4.2 20041017 (Red Hat 3.4.2-6.fc3)) #1 Tue Nov 2 14:41:25 EST 2004
Oct 9 09:37:23 www kernel: BIOS-provided physical RAM map:
Oct 9 09:37:23 www kernel: BIOS-e820: 0000000000000000 - 00000000000a0000 (usable)
Oct 9 09:37:23 www kernel: BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
Oct 9 09:37:23 www kernel: BIOS-e820: 0000000000100000 - 000000001f7f0000 (usable)
Oct 9 09:37:23 www kernel: BIOS-e820: 000000001f7f0000 - 000000001f7f3000 (ACPI NVS)
Oct 9 09:37:23 www kernel: BIOS-e820: 000000001f7f3000 - 000000001f800000 (ACPI data)
Oct 9 09:37:23 www kernel: BIOS-e820: 00000000fec00000 - 0000000100000000 (reserved)
----------------
In my 'last':
------------
root     pts/0        YY.YY.YY.YY      Mon Oct  8 09:52 - 13:52  (04:00)
reboot   system boot  2.6.9-1.667      Sun Oct  8 09:37          (2+03:14)
root     pts/0        YY.YY.YY.YY      Fri Oct  7 16:13 - 18:03  (01:50)
--------------
I don't have any clue about what happened on Saturday. Any suggestion is appreciated.
I'm no expert but missing log entries, multiple attempts at logins potentially points to a successful hack.
Does the IP address point to anywhere interesting? This mailman login, is it an account you recognise?
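The two things the reply points at (a burst of failed logins from one address, and a long stretch with no log entries at all) can both be checked mechanically. Below is an added example, not code from the thread: a small Python script that parses sshd "Failed password" lines in the /var/log/secure format shown above, flags a source IP that fails more than a threshold of logins inside a sliding window, and lists silent periods between consecutive entries. The sample log is constructed after the post's excerpt (documentation IP 198.51.100.7 stands in for XX.XX.XX.XX, and the year is assumed because syslog omits it).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the /var/log/secure excerpt in the post
# (sanitised IP replaced by a documentation address; the ~9-hour gap is kept).
SAMPLE_LOG = """\
Oct 8 00:40:52 www sshd[12447]: Failed password for invalid user john from ::ffff:198.51.100.7 port 36201 ssh2
Oct 8 00:40:52 www sshd[12449]: Failed password for root from ::ffff:198.51.100.7 port 36204 ssh2
Oct 8 00:40:52 www sshd[12451]: Failed password for root from ::ffff:198.51.100.7 port 36217 ssh2
Oct 8 00:40:53 www sshd[12457]: Failed password for root from ::ffff:198.51.100.7 port 36243 ssh2
Oct 8 00:40:53 www sshd[12461]: Invalid user test from ::ffff:198.51.100.7
Oct 8 00:40:53 www sshd[12461]: Failed password for invalid user test from ::ffff:198.51.100.7 port 36268 ssh2
Oct 8 00:40:54 www sshd[12465]: Failed password for root from ::ffff:198.51.100.7 port 36299 ssh2
Oct 8 09:37:25 www sshd[1897]: Server listening on :: port 22.
Oct 8 09:37:48 www webmin[2314]: Webmin starting
"""

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ (\S+?)(?:\[\d+\])?: (.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (?:::ffff:)?(\S+) port \d+")

def parse(text, year=2005):
    """Yield (timestamp, program, message). Syslog omits the year, so it is assumed."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m[1]} {m[2]} {m[3]}", "%Y %b %d %H:%M:%S")
            yield ts, m[4], m[5]

def bruteforce_sources(text, threshold=5, window=timedelta(seconds=60)):
    """Map source IP -> peak number of failed SSH passwords inside any `window`,
    keeping only sources that reach `threshold` (password guessing / brute force)."""
    per_ip = defaultdict(list)
    for ts, prog, msg in parse(text):
        m = FAILED_RE.search(msg) if prog == "sshd" else None
        if m:
            per_ip[m[2]].append(ts)
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = max(hits.get(ip, 0), end - start + 1)
    return hits

def silent_periods(text, min_gap=timedelta(hours=1)):
    """Gaps between consecutive entries longer than min_gap: a dead host, a stopped
    syslogd, or tampered logs all show up here."""
    stamps = [ts for ts, _, _ in parse(text)]
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a >= min_gap]
```

Run it against a real /var/log/secure by reading the file into `text`; a `bruteforce_sources` hit combined with a `silent_periods` entry starting right after the burst is the pattern worth investigating on a host that "just stopped".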