LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-28-2005, 11:56 AM   #1
sovietpower
Member
 
Registered: Jun 2003
Distribution: Slackware64 14.1 and -current
Posts: 208

Rep: Reputation: 30
ssh login attempts from localhost?!


I was reading through my /var/log/messages once again and here is what I found

May 27 13:53:16 localhost sshd[1255]: Failed none for illegal user help from 127.0.0.1 port 38044 ssh2
May 27 13:53:19 localhost sshd[1322]: Did not receive identification string from 127.0.0.1
May 27 13:53:26 localhost sshd[1467]: Illegal user wank from 127.0.0.1
May 27 13:53:26 localhost sshd[1467]: Failed none for illegal user wank from 127.0.0.1 port 38211 ssh2
May 27 13:53:26 localhost sshd[1467]: Failed password for illegal user wank from 127.0.0.1 port 38211 ssh2
May 27 13:53:33 localhost sshd[1648]: Illegal user hax0r from 127.0.0.1
May 27 13:53:33 localhost sshd[1648]: Failed none for illegal user hax0r from 127.0.0.1 port 38345 ssh2
May 27 13:53:38 localhost sshd[1744]: Illegal user super from 127.0.0.1
May 27 13:53:38 localhost sshd[1744]: Failed none for illegal user super from 127.0.0.1 port 38415 ssh2
May 27 13:53:38 localhost sshd[1744]: Failed password for illegal user super from 127.0.0.1 port 38415 ssh2
May 27 13:53:40 localhost sshd[1793]: Failed password for root from 127.0.0.1 port 38460 ssh2
May 27 13:53:52 localhost sshd[2068]: Illegal user date from 127.0.0.1
May 27 13:53:52 localhost sshd[2068]: Failed none for illegal user date from 127.0.0.1 port 38794 ssh2
May 27 13:53:53 localhost sshd[2085]: Illegal user debug from 127.0.0.1
May 27 13:53:53 localhost sshd[2085]: Failed none for illegal user debug from 127.0.0.1 port 38806 ssh2
May 27 13:53:53 localhost sshd[2085]: Failed password for illegal user debug from 127.0.0.1 port 38806 ssh2
May 27 13:53:57 localhost sshd[2164]: Illegal user jill from 127.0.0.1
May 27 13:53:57 localhost sshd[2164]: Failed none for illegal user jill from 127.0.0.1 port 38871 ssh2
May 27 13:54:00 localhost sshd[2232]: Illegal user gamez from 127.0.0.1
May 27 13:54:00 localhost sshd[2232]: Failed none for illegal user gamez from 127.0.0.1 port 38898 ssh2
May 27 13:54:00 localhost sshd[2232]: Failed password for illegal user gamez from 127.0.0.1 port 38898 ssh2

now I don't know how they are doing this from localhost, I ran chkrootkit before I got these messages I also ran it afterwards nothing came up. I'm kinda stumped on this one, uh help?
 
Old 05-28-2005, 04:55 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I've seen machines spoof 127.0.0.1 before, but I don't believe that would work for a remote ssh login session, so I'd take a look for something local. However, the ssh logins look like they're generated by the brutessh tool and to be honest I don't know why you run it locally. You'd need access in the first place in order to run the script and there are much better tools for local bruteforcing.

Take a look at the process list and see if you see anything abnormal. Also take a look at netstat -pantu and see if you can see anything trying to establish local ssh connections. Obviously take an extensive look at all of the system logs. You might want to have iptables log and drop any packets coming in over an external interface that have 127.0.0.1 as the source (turning on the rp_filter will work too). It might be a good idea to look at the arp table and verify that nothing weird is going on.
 
Old 05-29-2005, 02:19 AM   #3
sovietpower
Member
 
Registered: Jun 2003
Distribution: Slackware64 14.1 and -current
Posts: 208

Original Poster
Rep: Reputation: 30
The only odd thing I can see from top is a sendmail process running under smmsp, I don't think I've ever seen that before. As far as netstat everything looks good
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
ssh...log files that store the login attempts Bgrad Linux - Networking 4 03-29-2010 10:40 AM
SSH login attempts Capt_Caveman Linux - Security 225 11-07-2009 10:55 AM
Failed SSH login attempts Capt_Caveman Linux - Security 38 01-03-2006 04:22 PM
SSH login attempts - how to get rid of the automated malware? alexberk Linux - Security 1 05-24-2005 05:57 AM
How do I block IP's to prevent unauthorized SSH login attempts? leofoxx Linux - Security 6 05-23-2005 10:36 PM


All times are GMT -5. The time now is 11:37 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration