LinuxQuestions.org > Forums > Linux Forums > Linux - General
10-11-2005, 09:57 AM   #1
guarriman
My server crashed after "Failed password for invalid user john from ::ffff:XX.XX"


Hi.

Using Fedora Core 2, my server crashed suddenly on Saturday. I noticed that all services
were stopped (I can't access it via SSH), and I had to phone my datacenter to restart it
manually.

This is my '/var/log/secure' at the moment of the failure:
-----------------
Oct 8 00:40:52 www sshd[12447]: error: Could not get shadow information for NOUSER
Oct 8 00:40:52 www sshd[12447]: Failed password for invalid user john from ::ffff:XX.XX.XX.XX port 36201 ssh2
Oct 8 00:40:52 www sshd[12449]: Failed password for root from ::ffff:XX.XX.XX.XX port 36204 ssh2
Oct 8 00:40:52 www sshd[12451]: Failed password for root from ::ffff:XX.XX.XX.XX port 36217 ssh2
Oct 8 00:40:52 www sshd[12453]: Failed password for root from ::ffff:XX.XX.XX.XX port 36224 ssh2
Oct 8 00:40:52 www sshd[12455]: Failed password for root from ::ffff:XX.XX.XX.XX port 36239 ssh2
Oct 8 00:40:53 www sshd[12457]: Failed password for root from ::ffff:XX.XX.XX.XX port 36243 ssh2
Oct 8 00:40:53 www sshd[12459]: Failed password for root from ::ffff:XX.XX.XX.XX port 36262 ssh2
Oct 8 00:40:53 www sshd[12461]: Invalid user test from ::ffff:XX.XX.XX.XX
Oct 8 00:40:53 www sshd[12461]: error: Could not get shadow information for NOUSER
Oct 8 00:40:53 www sshd[12461]: Failed password for invalid user test from ::ffff:XX.XX.XX.XX port 36268 ssh2
Oct 8 00:40:53 www sshd[12463]: Failed password for root from ::ffff:XX.XX.XX.XX port 36281 ssh2
Oct 8 00:40:54 www sshd[12465]: Failed password for root from ::ffff:XX.XX.XX.XX port 36299 ssh2
Oct 8 00:40:54 www sshd[12467]: Invalid user test from ::ffff:XX.XX.XX.XX
Oct 8 00:40:54 www sshd[12467]: error: Could not get shadow information for NOUSER
Oct 8 00:40:54 www sshd[12467]: Failed password for invalid user test from ::ffff:XX.XX.XX.XX port 36319 ssh2
(NO INFORMATION HERE)
Oct 8 09:37:25 www sshd[1897]: Server listening on :: port 22.
Oct 8 09:37:25 www sshd[1897]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Oct 8 09:37:48 www webmin[2314]: Webmin starting
Oct 8 09:41:15 www xinetd[2328]: START: pop3 pid=2707 from=YY.YY.YY.YY
Oct 8 09:41:21 www xinetd[2328]: EXIT: pop3 pid=2707 duration=6(sec)
Oct 8 09:46:16 www xinetd[2328]: START: pop3 pid=2807 from=YY.YY.YY.YY
Oct 8 09:46:21 www xinetd[2328]: EXIT: pop3 pid=2807 duration=5(sec)
Oct 8 09:51:16 www xinetd[2328]: START: pop3 pid=2853 from=YY.YY.YY.YY
Oct 8 09:51:17 www xinetd[2328]: EXIT: pop3 pid=2853 duration=1(sec)
----------------

Between the first and the second part of the logs, there are nearly 9 hours of non-information, and
the first one is within '/var/log/secure' and the second one within '/var/log/secure.1' (logrotate?).

'XX.XX.XX.XX' is an IP address trying to access my server and 'YY.YY.YY.YY' is my home IP address.

From my '/var/log/messages' (no split)
---------
Oct 8 06:50:01 www crond(pam_unix)[11219]: session opened for user mailman by (uid=0)
Oct 8 06:50:01 www crond(pam_unix)[11219]: session closed for user mailman
Oct 8 06:55:01 www crond(pam_unix)[11236]: session opened for user mailman by (uid=0)
Oct 8 06:55:01 www crond(pam_unix)[11236]: session closed for user mailman
Oct 9 09:37:23 www syslogd 1.4.1: restart.
Oct 9 09:37:23 www syslog: syslogd startup succeeded
Oct 9 09:37:23 www kernel: klogd 1.4.1, log source = /proc/kmsg started.
Oct 9 09:37:23 www kernel: Linux version 2.6.9-1.667 (bhcompile@tweety.build.redhat.com) (gcc version 3.4.2 20041017 (Red Hat 3.4.2-6.fc3)) #1 Tue Nov 2 14:41:25 EST 2004
Oct 9 09:37:23 www kernel: BIOS-provided physical RAM map:
Oct 9 09:37:23 www kernel: BIOS-e820: 0000000000000000 - 00000000000a0000 (usable)
Oct 9 09:37:23 www kernel: BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
Oct 9 09:37:23 www kernel: BIOS-e820: 0000000000100000 - 000000001f7f0000 (usable)
Oct 9 09:37:23 www kernel: BIOS-e820: 000000001f7f0000 - 000000001f7f3000 (ACPI NVS)
Oct 9 09:37:23 www kernel: BIOS-e820: 000000001f7f3000 - 000000001f800000 (ACPI data)
Oct 9 09:37:23 www kernel: BIOS-e820: 00000000fec00000 - 0000000100000000 (reserved)
----------------

In my 'last':
------------
root pts/0 YY.YY.YY.YY Mon Oct 8 09:52 - 13:52 (04:00)
reboot system boot 2.6.9-1.667 Sun Oct 8 09:37 (2+03:14)
root pts/0 YY.YY.YY.YY Fri Oct 7 16:13 - 18:03 (01:50)
--------------

I don't have any clue about what happened on Saturday. Any suggestion is appreciated.
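The log excerpt above, worked as an added example that is not part of the thread or of the poster's system: a small Python triage script that parses syslog-style lines from /var/log/secure, strips the ::ffff: prefix (sshd bound to :: reports IPv4 peers as IPv4-mapped IPv6 addresses, which is why the attacker shows up as ::ffff:XX.XX.XX.XX), counts failed passwords per source, flags a burst of attempts as a scripted brute-force rather than a mistyped password, and reports silent stretches between consecutive entries such as the "nearly 9 hours" gap. The sample lines are constructed to mirror the shape of the post's log, with the documentation addresses 192.0.2.10 and 198.51.100.7 standing in for XX.XX.XX.XX and YY.YY.YY.YY; the year is an assumption, since syslog timestamps carry none, and the burst and gap thresholds are assumptions too.

```python
"""Added example: triage sshd lines from /var/log/secure for brute-force
bursts and logging gaps. SAMPLE_SECURE is constructed, not the poster's log."""
import re
from datetime import datetime

ASSUMED_YEAR = 2005  # syslog stamps carry no year; assumed so they parse

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"(?P<prog>[\w.-]+)\[\d+\]:\s(?P<msg>.*)$"
)
FAIL_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

SAMPLE_SECURE = """\
Oct  8 00:40:52 www sshd[12447]: error: Could not get shadow information for NOUSER
Oct  8 00:40:52 www sshd[12447]: Failed password for invalid user john from ::ffff:192.0.2.10 port 36201 ssh2
Oct  8 00:40:52 www sshd[12449]: Failed password for root from ::ffff:192.0.2.10 port 36204 ssh2
Oct  8 00:40:52 www sshd[12451]: Failed password for root from ::ffff:192.0.2.10 port 36217 ssh2
Oct  8 00:40:52 www sshd[12453]: Failed password for root from ::ffff:192.0.2.10 port 36224 ssh2
Oct  8 00:40:52 www sshd[12455]: Failed password for root from ::ffff:192.0.2.10 port 36239 ssh2
Oct  8 00:40:53 www sshd[12457]: Failed password for root from ::ffff:192.0.2.10 port 36243 ssh2
Oct  8 00:40:53 www sshd[12459]: Failed password for root from ::ffff:192.0.2.10 port 36262 ssh2
Oct  8 00:40:53 www sshd[12461]: Failed password for invalid user test from ::ffff:192.0.2.10 port 36268 ssh2
Oct  8 00:40:53 www sshd[12463]: Failed password for root from ::ffff:192.0.2.10 port 36281 ssh2
Oct  8 00:40:54 www sshd[12465]: Failed password for root from ::ffff:192.0.2.10 port 36299 ssh2
Oct  8 00:40:54 www sshd[12467]: Failed password for invalid user test from ::ffff:192.0.2.10 port 36319 ssh2
Oct  8 09:37:25 www sshd[1897]: Server listening on :: port 22.
Oct  8 09:41:15 www xinetd[2328]: START: pop3 pid=2707 from=198.51.100.7
"""

def parse_ts(stamp):
    """'Oct  8 00:40:52' -> datetime; the padded day is collapsed for strptime."""
    text = f"{ASSUMED_YEAR} {' '.join(stamp.split())}"
    return datetime.strptime(text, "%Y %b %d %H:%M:%S")

def strip_mapped(ip):
    """sshd bound to :: logs IPv4 peers as ::ffff:a.b.c.d; return the plain IPv4."""
    return ip[7:] if ip.lower().startswith("::ffff:") else ip

def parse_secure(text):
    """One dict per syslog line; 'fail' holds user/ip for failed-password lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-syslog line, e.g. the poster's '(NO INFORMATION HERE)'
        ev = {"ts": parse_ts(m["ts"]), "prog": m["prog"], "msg": m["msg"], "fail": None}
        f = FAIL_RE.search(m["msg"])
        if f:
            ev["fail"] = {"user": f["user"], "invalid": bool(f["invalid"]),
                          "ip": strip_mapped(f["ip"])}
        events.append(ev)
    return events

def summarize_failures(events):
    """Per source IP: attempts, attempts against root, guessed non-existent users, time span."""
    per_ip = {}
    for ev in events:
        f = ev["fail"]
        if f is None:
            continue
        s = per_ip.setdefault(f["ip"], {"attempts": 0, "root": 0, "invalid_users": set(),
                                        "first": ev["ts"], "last": ev["ts"]})
        s["attempts"] += 1
        if f["user"] == "root":
            s["root"] += 1
        if f["invalid"]:
            s["invalid_users"].add(f["user"])
        s["first"], s["last"] = min(s["first"], ev["ts"]), max(s["last"], ev["ts"])
    return per_ip

def brute_force_sources(per_ip, min_attempts=10, window_seconds=60):
    """IPs packing min_attempts or more failures into window_seconds: a script, not a typo."""
    return sorted(ip for ip, s in per_ip.items()
                  if s["attempts"] >= min_attempts
                  and (s["last"] - s["first"]).total_seconds() <= window_seconds)

def find_gaps(events, min_gap_seconds=3600):
    """(before, after, seconds) for every silent stretch between consecutive entries."""
    gaps = []
    for a, b in zip(events, events[1:]):
        delta = int((b["ts"] - a["ts"]).total_seconds())
        if delta >= min_gap_seconds:
            gaps.append((a["ts"], b["ts"], delta))
    return gaps

if __name__ == "__main__":
    evs = parse_secure(SAMPLE_SECURE)
    summary = summarize_failures(evs)
    for ip in brute_force_sources(summary):
        s = summary[ip]
        print(f"{ip}: {s['attempts']} failures in {(s['last'] - s['first']).seconds}s, "
              f"{s['root']} against root, guessed users {sorted(s['invalid_users'])}")
    for before, after, secs in find_gaps(evs):
        print(f"no entries between {before} and {after} ({secs // 3600}h{secs % 3600 // 60}m)")
```

To run it on a real box, feed parse_secure the rotated file followed by the current one (the post shows the two halves of the night split across secure.1 and secure), since the gap detector only sees what is in the text it is given. A gap found this way proves only that nothing reached the log; it cannot by itself tell a kernel crash from a logger that was killed, so the /var/log/messages timeline and the reboot record from `last` are the evidence to line up against it.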
 
10-11-2005, 10:18 AM   #2
okmyx
I'm no expert, but missing log entries and multiple login attempts potentially point to a successful hack.

Does the IP address point to anywhere interesting?
This mailman login, is it an account you recognise?
 
  

