Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Oct 18 15:55:15 pastpower sshd[983]: Did not receive identification string from 211.40.89.159
Oct 18 16:19:28 pastpower sshd[986]: Illegal user patrick from 211.40.89.159
Oct 18 16:19:31 pastpower sshd[988]: Illegal user patrick from 211.40.89.159
Oct 18 16:19:46 pastpower sshd[1000]: Illegal user rolo from 211.40.89.159
Oct 18 16:19:49 pastpower sshd[1002]: Illegal user iceuser from 211.40.89.159
Oct 18 16:19:51 pastpower sshd[1004]: Illegal user horde from 211.40.89.159
Oct 18 16:19:54 pastpower sshd[1006]: Illegal user cyrus from 211.40.89.159
Oct 18 16:19:57 pastpower sshd[1008]: Illegal user www from 211.40.89.159
Oct 18 16:19:59 pastpower sshd[1010]: Illegal user wwwrun from 211.40.89.159
Oct 18 16:20:02 pastpower sshd[1012]: Illegal user matt from 211.40.89.159
Oct 18 16:20:04 pastpower sshd[1014]: Illegal user test from 211.40.89.159
Oct 18 16:20:07 pastpower sshd[1016]: Illegal user test from 211.40.89.159
Oct 18 16:20:10 pastpower sshd[1018]: Illegal user test from 211.40.89.159
Oct 18 16:20:12 pastpower sshd[1020]: Illegal user test from 211.40.89.159
Oct 18 16:20:15 pastpower sshd[1022]: Illegal user www-data from 211.40.89.159
Oct 18 16:20:20 pastpower sshd[1026]: Illegal user operator from 211.40.89.159
Oct 18 16:20:23 pastpower sshd[1028]: Illegal user adm from 211.40.89.159
Oct 18 16:20:25 pastpower sshd[1030]: Illegal user apache from 211.40.89.159
Oct 18 16:20:28 pastpower sshd[1032]: Illegal user irc from 211.40.89.159
Oct 18 16:20:30 pastpower sshd[1034]: Illegal user irc from 211.40.89.159
Oct 18 16:20:33 pastpower sshd[1036]: Illegal user adm from 211.40.89.159
Oct 18 16:20:43 pastpower sshd[1044]: Illegal user jane from 211.40.89.159
Oct 18 16:20:46 pastpower sshd[1046]: Illegal user pamela from 211.40.89.159
Oct 18 16:21:01 pastpower sshd[1058]: Illegal user cosmin from 211.40.89.159
Oct 18 16:22:49 pastpower sshd[1132]: Illegal user cip52 from 211.40.89.159
Oct 18 16:22:53 pastpower sshd[1134]: Illegal user cip51 from 211.40.89.159
Oct 18 16:23:01 pastpower sshd[1138]: Illegal user noc from 211.40.89.159
Oct 18 16:23:20 pastpower sshd[1148]: Illegal user webmaster from 211.40.89.159
Oct 18 16:23:23 pastpower sshd[1150]: Illegal user data from 211.40.89.159
Oct 18 16:23:25 pastpower sshd[1152]: Illegal user user from 211.40.89.159
Oct 18 16:23:31 pastpower sshd[1154]: Illegal user user from 211.40.89.159
Oct 18 16:23:34 pastpower sshd[1156]: Illegal user user from 211.40.89.159
Oct 18 16:23:37 pastpower sshd[1158]: Illegal user web from 211.40.89.159
Oct 18 16:23:40 pastpower sshd[1160]: Illegal user web from 211.40.89.159
Oct 18 16:23:43 pastpower sshd[1162]: Illegal user oracle from 211.40.89.159
Oct 18 16:23:45 pastpower sshd[1164]: Illegal user sybase from 211.40.89.159
Oct 18 16:23:51 pastpower sshd[1166]: Illegal user master from 211.40.89.159
Oct 18 16:23:58 pastpower sshd[1168]: Illegal user account from 211.40.89.159
Oct 18 16:24:00 pastpower sshd[1170]: Illegal user backup from 211.40.89.159
Oct 18 16:24:04 pastpower sshd[1172]: Illegal user server from 211.40.89.159
Oct 18 16:24:07 pastpower sshd[1174]: Illegal user adam from 211.40.89.159
Oct 18 16:24:10 pastpower sshd[1176]: Illegal user alan from 211.40.89.159
Oct 18 16:24:13 pastpower sshd[1178]: Illegal user frank from 211.40.89.159
Oct 18 16:24:15 pastpower sshd[1180]: Illegal user george from 211.40.89.159
Oct 18 16:24:19 pastpower sshd[1182]: Illegal user henry from 211.40.89.159
Oct 18 16:24:22 pastpower sshd[1184]: Illegal user john from 211.40.89.159
Oct 18 16:24:42 pastpower sshd[1196]: Illegal user test from 211.40.89.159
Oct 18 17:46:49 pastpower sshd[1220]: Illegal user test from 62.81.199.204
Oct 18 17:46:50 pastpower sshd[1222]: Illegal user guest from 62.81.199.204
Oct 18 17:46:52 pastpower sshd[1224]: Illegal user admin from 62.81.199.204
Oct 18 17:46:54 pastpower sshd[1226]: Illegal user admin from 62.81.199.204
Oct 18 17:46:55 pastpower sshd[1228]: Illegal user user from 62.81.199.204
Oct 18 17:47:02 pastpower sshd[1236]: Illegal user test from 62.81.199.204
Oct 19 09:04:30 pastpower sshd[1632]: Accepted publickey for heri0n from 216.58.40.32 port 1250 ssh2
Oct 19 09:05:48 pastpower su[1649]: + pts/0 heri0n-root
Oct 19 09:11:34 pastpower su[1670]: + pts/0 heri0n-root
Oct 19 09:29:20 pastpower sshd[1681]: Illegal user test from 218.38.136.47
Oct 19 09:29:22 pastpower sshd[1683]: Illegal user guest from 218.38.136.47
Oct 19 09:29:25 pastpower sshd[1685]: Illegal user admin from 218.38.136.47
Oct 19 09:29:27 pastpower sshd[1687]: Illegal user admin from 218.38.136.47
Oct 19 09:29:29 pastpower sshd[1689]: Illegal user user from 218.38.136.47
Oct 19 09:29:38 pastpower sshd[1697]: Illegal user test from 218.38.136.47
Oct 19 21:04:56 pastpower sshd[2156]: Accepted publickey for heri0n from 192.168.1.1 port 3288 ssh2
Oct 19 21:04:56 pastpower sshd[2158]: subsystem request for sftp
Oct 20 10:42:35 pastpower sshd[2491]: Did not receive identification string from 62.77.246.220
Oct 20 11:20:59 pastpower sshd[2514]: Illegal user test from 212.78.150.64
Oct 20 11:21:01 pastpower sshd[2516]: Illegal user guest from 212.78.150.64
Oct 20 11:21:02 pastpower sshd[2518]: Illegal user admin from 212.78.150.64
Oct 20 11:21:04 pastpower sshd[2520]: Illegal user admin from 212.78.150.64
Oct 20 11:21:05 pastpower sshd[2522]: Illegal user user from 212.78.150.64
Oct 20 11:21:11 pastpower sshd[2530]: Illegal user test from 212.78.150.64
Oct 21 09:05:54 pastpower sshd[3058]: Accepted publickey for heri0n from 216.58.40.32 port 1153 ssh2
Oct 21 14:32:35 pastpower su[3385]: + pts/0 heri0n-root
Oct 21 17:01:01 pastpower sshd[11543]: Accepted publickey for heri0n from 216.58.40.32 port 1047 ssh2
Oct 21 17:46:16 pastpower sshd[11575]: Accepted publickey for heri0n from 192.168.1.1 port 1090 ssh2
Oct 21 17:46:16 pastpower sshd[11577]: subsystem request for sftp
Oct 21 17:46:45 pastpower sshd[11579]: Accepted publickey for heri0n from 192.168.1.1 port 1094 ssh2
Oct 21 17:46:45 pastpower sshd[11581]: subsystem request for sftp
Oct 22 10:55:01 pastpower sshd[12021]: Accepted publickey for heri0n from 216.58.40.32 port 1278 ssh2
Oct 22 15:28:14 pastpower sshd[12225]: Illegal user oracle9 from 211.251.71.2
Oct 22 15:28:21 pastpower sshd[12227]: Illegal user informix from 211.251.71.2
Oct 22 15:28:38 pastpower sshd[12229]: Illegal user oracle from 211.251.71.2
Oct 22 15:28:39 pastpower sshd[12231]: Illegal user oracle from 211.251.71.2
Oct 22 15:28:40 pastpower sshd[12233]: Illegal user oracle from 211.251.71.2
Oct 22 15:28:41 pastpower sshd[12235]: Illegal user guest from 211.251.71.2
Oct 22 15:28:41 pastpower sshd[12236]: Illegal user oracle from 211.251.71.2
Oct 22 15:28:42 pastpower sshd[12239]: Illegal user gateway from 211.251.71.2
Oct 22 15:37:04 pastpower sshd[12255]: Illegal user webadmin from 211.251.71.2
Oct 22 15:45:20 pastpower sshd[12261]: Illegal user webadmin from 211.251.71.2
Oct 22 15:51:37 pastpower sshd[12291]: Illegal user postgres from 211.251.71.2
Oct 22 15:51:43 pastpower sshd[12295]: Illegal user webadmin from 211.251.71.2
Oct 22 15:58:36 pastpower sshd[12300]: Illegal user oracle from 211.251.71.2
Oct 22 15:58:39 pastpower sshd[12302]: Illegal user postgres from 211.251.71.2
Oct 22 15:58:44 pastpower sshd[12306]: Illegal user webadmin from 211.251.71.2
Oct 23 23:04:17 pastpower sshd[13724]: Did not receive identification string from 161.53.202.3
Oct 23 23:33:05 pastpower sshd[13737]: Illegal user patrick from 161.53.202.3
Oct 24 01:54:53 pastpower sshd[13874]: Accepted publickey for heri0n from 192.168.1.1 port 2332 ssh2
Oct 24 01:54:53 pastpower sshd[13876]: subsystem request for sftp
What I am wondering is why sshd is accepting connections on weird ports?
The IPs are valid, one is from work, and the other is my router. Is it normal to have your router's IP when you connect from home? Have I been compromised? SSH's connection port was not changed from the default of 22.... And I don't see how my private key could have been stolen.
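An added example (not part of the original post) that reads a log of the kind pasted above and pulls out what matters. It rests on two facts about OpenSSH logging: the "port 1250" in an "Accepted publickey ... from 216.58.40.32 port 1250" line is the client's ephemeral source port, chosen by the connecting machine, and says nothing about which port sshd listens on (still 22 here); and a source of 192.168.1.1 is what the server sees when a connection has been rewritten by the router's NAT (for instance reaching the box by its public address from inside the LAN), which the log alone cannot prove either way. So the check worth running is not "are there failures" but "did any address that guessed usernames also get a successful login". The function names, the threshold and the trimmed sample file are this example's own; the sample lines are copied from the excerpt above.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise an sshd log of the
# kind pasted above. Function names and the threshold are this example's own.

# Constructed sample: a handful of lines taken from the excerpt above, written
# to a temporary file so the functions can be run offline.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Oct 18 15:55:15 pastpower sshd[983]: Did not receive identification string from 211.40.89.159
Oct 18 16:19:28 pastpower sshd[986]: Illegal user patrick from 211.40.89.159
Oct 18 16:19:46 pastpower sshd[1000]: Illegal user rolo from 211.40.89.159
Oct 18 16:19:49 pastpower sshd[1002]: Illegal user iceuser from 211.40.89.159
Oct 18 17:46:49 pastpower sshd[1220]: Illegal user test from 62.81.199.204
Oct 18 17:46:50 pastpower sshd[1222]: Illegal user guest from 62.81.199.204
Oct 19 09:04:30 pastpower sshd[1632]: Accepted publickey for heri0n from 216.58.40.32 port 1250 ssh2
Oct 19 09:05:48 pastpower su[1649]: + pts/0 heri0n-root
Oct 19 21:04:56 pastpower sshd[2156]: Accepted publickey for heri0n from 192.168.1.1 port 3288 ssh2
Oct 19 21:04:56 pastpower sshd[2158]: subsystem request for sftp
Oct 22 15:28:38 pastpower sshd[12229]: Illegal user oracle from 211.251.71.2
EOF

# Failed user guesses per source address, busiest first ("<count> <ip>").
# Matches the old "Illegal user" wording and the newer "Invalid user" wording;
# the address is the word after "from", so the trailing "port N" that newer
# releases append does not get counted by mistake.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: (Illegal|Invalid) user / {
            for (i = 1; i < NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Addresses with at least $2 failed guesses: the list a block rule would
# have to cover (the full excerpt above has six distinct sources).
offenders() {
    failed_by_ip "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Successful logins as "<user> <source-ip> <client-port>". The port is the
# client's ephemeral source port, not a port sshd listens on.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
            user = ip = port = "?"
            for (i = 1; i < NF; i++) {
                if ($i == "for")  user = $(i+1)
                if ($i == "from") ip   = $(i+1)
                if ($i == "port") port = $(i+1)
            }
            print user, ip, port
         }' "$1"
}

# Successful logins from an address that also guessed usernames: the
# combination that would actually point at a compromise.
suspicious_logins() {
    accepted_logins "$1" | while read -r user ip port; do
        if failed_by_ip "$1" | awk '{ print $2 }' | grep -qxF "$ip"; then
            echo "$user $ip $port"
        fi
    done
}

# On a real host: failed_by_ip /var/log/secure; offenders /var/log/secure 5
failed_by_ip "$SAMPLE_LOG"
accepted_logins "$SAMPLE_LOG"
```

On the sample, suspicious_logins prints nothing: both accepted logins come from addresses that never appear in a failure line, which is the same picture the full excerpt gives.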
I'm pretty new to Linux, and the security thing in general, but after reading your post I checked out my /var/log/secure.* files, and guess what? I have exactly the same prob. Everything mirrors your /var/log/secure.1 file except for the source IP address. It appears that they haven't gotten in, I think???
I ran the following command as root
whois -h whois.apnic.net ip_address
where ip_address was the IP address of the hacker. Turns out it's a Network centre in Japan. Looks like some script kiddie is trying his/her luck. I sent an email to the hostmaster of the Network centre. I await a reply. If anyone can shed light on what else, if anything, can be done, I'd be greatly appreciative.
regards
GT
Thanks for the link. I just downloaded and ran the rootkit hunter. It tells me I have 4 vulnerable programs, and a warning about SSH v1.
This is the relevant output.
Application version scan
- GnuPG 1.2.1 [ Vulnerable ]
- Apache 2.0.40 [ Vulnerable ]
- Bind DNS [unknown] [ OK ]
- OpenSSL 0.9.7a [ Vulnerable ]
- PHP [unknown] [ OK ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 3.5p1 [ Vulnerable ]
* Check: SSH
Searching for sshd_config... Found /etc/ssh/sshd_config
Checking for allowed root login... [ Watch out! Root login possible. Possible risk! ]
info: Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]
As it appears to be SSH they're targeting, how do I turn off SSH v1? All and any info greatly appreciated.
Thanks for the info. Since my last post I've been doing a bit of and changed the very attributes you mentioned. Only thing was I read I should change the ssh_config file, not the sshd_config file. So I changed the ssh_config file and ran the rootkit hunter again. As it still told me I had probs, I changed the sshd_config file too. Ran the rootkit hunter again and everything is hunky dory (?!?!?!)
Just before we close this thread, first let me thank you, but what is the difference in operation of the ssh_config & sshd_config files, just for future reference? If you don't know, no worries. I'll work it out sooner or later with my relationship with the smiley penguin.
ssh_config is for the ssh client application (the software you use to connect to other systems). sshd_config is for the ssh server (the ssh daemon), which allows other systems to connect to you. It is rather confusing having them both in the same directory with similar names.
That explains why I had to uncomment the
PermitRootLogin no
line from my ssh_config file when I tried to ssh out. Also, as I only really use httpd, mysqld & sshd on my own ethernet, I configured them not to be started up at boot. Basically I'm only using these products to learn Apache, MySQL, PHP etc. as they're not taught at Uni, not until post grad anyway; same with Linux, post grad only!!! Anyway, turning these off while online should secure the system a little more. Thanks for your knowledge.
Sorted
Lee
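An added example (not from the original thread) covering the two sshd_config findings rkhunter reported above and the ssh_config / sshd_config distinction just explained: it reads a server config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, "Key value" and "Key=value" both count) and reports SSH v1 allowed, root login permitted and password logins enabled, showing a weak file beside the corrected one. The two config files are constructed; on a real host the server file is /etc/ssh/sshd_config, and PermitRootLogin belongs only there, since the ssh client rejects it as a bad configuration option in ssh_config. Two caveats a current reader wants: OpenSSH before 5.4 defaulted Protocol to 2,1 when unset, so on the 3.5p1 release above the line must be present; and OpenSSH 7.0 and later have no SSH v1 server code at all, so Protocol is an obsolete keyword there and the root-login and password settings are the ones that still matter.

```shell
#!/bin/sh
# Added example, not from the original thread: audit an sshd_config for the
# findings rkhunter raised above (SSH v1 allowed, root login possible) and show
# the corrected file beside the weak one. Both files are constructed; on a real
# host the server file is /etc/ssh/sshd_config.

WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

# Constructed: roughly what rkhunter complained about. PermitRootLogin is only
# a comment, so the old default (yes) applies.
cat >"$WEAK_CFG" <<'EOF'
Port 22
Protocol 2,1
#PermitRootLogin no
PasswordAuthentication yes
EOF

# Constructed: the hardened version.
cat >"$HARD_CFG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

# Effective value of one directive: sshd takes the first occurrence, keywords
# are case-insensitive, and "Key value" and "Key=value" are both accepted.
sshd_opt() {   # sshd_opt FILE KEYWORD  -> value, empty if the keyword is absent
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        { line = $0; sub(/=/, " ", line); $0 = line
          if (tolower($1) == tolower(key)) { print $2; exit } }' "$1"
}

# One line per finding, nothing when the file is clean.
audit_sshd_config() {
    proto=$(sshd_opt "$1" Protocol)
    root=$(sshd_opt "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    pw=$(sshd_opt "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    case "$proto" in
        "")  echo "Protocol unset: releases before OpenSSH 5.4 default to 2,1; set 'Protocol 2'" ;;
        *1*) echo "Protocol '$proto' allows SSH v1; set 'Protocol 2'" ;;
    esac
    case "$root" in
        no) ;;
        "") echo "PermitRootLogin unset (default was yes before OpenSSH 7.0); set 'PermitRootLogin no'" ;;
        *)  echo "PermitRootLogin '$root'; set 'PermitRootLogin no'" ;;
    esac
    case "$pw" in
        no) ;;
        *)  echo "PasswordAuthentication not 'no': the username guesses in the log above are password attempts" ;;
    esac
}

echo "== weak =="; audit_sshd_config "$WEAK_CFG"
echo "== hardened =="; audit_sshd_config "$HARD_CFG"
```

The weak file produces three findings and the hardened file none. With PasswordAuthentication off, the "Illegal user" guesses in the log above cannot succeed whatever password the scanner tries; the accepted logins in that log already use publickey, so the box loses nothing by turning passwords off.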
If you're getting a lot of hacking attempts from a network in Japan, it probably wouldn't hurt to throw in an iptables rule to drop packets from that network.
By the way, the reason you have to change the protocol to 2 in both sshd_config and ssh_config is to prevent MitM attacks (Man-in-the-Middle). There are a couple of exploit tools that can spoof SSHv1 handshakes between the client and the server to force both of them to fall back to SSHv1 if they have it enabled. That can lead the attacker to recover the user's password or hijack their connection to the SSH server. If both client and server only support version 2, this attack is impossible (it will basically turn into a denial of service instead of a full hijacking).
Thanks for the info. I'm fairly new to this stuff, but very interesting. Man in the Middle eh, sneaky bas@#rds. Do these attacks happen a lot? Mind you, I have nothing worth all that trouble for on my computer. Thanks again.
regards
GT
Originally posted by globeTrotter
Mind you, I have nothing worth all that trouble for on my computer. Thanks again.
Ah, but the use of the computer itself might be worth the trouble. In general, I agree with you. If someone breaks into my system they are likely to be sorely disappointed at the contents. However, I keep a close eye on it because someone could use it to cover their tracks as they try to do unsavory things to other computers. It isn't always the data they are after!