LinuxQuestions.org


sovietpower 05-28-2005 11:56 AM

ssh login attempts from localhost?!
 
I was reading through my /var/log/messages once again and here is what I found:

May 27 13:53:16 localhost sshd[1255]: Failed none for illegal user help from 127.0.0.1 port 38044 ssh2
May 27 13:53:19 localhost sshd[1322]: Did not receive identification string from 127.0.0.1
May 27 13:53:26 localhost sshd[1467]: Illegal user wank from 127.0.0.1
May 27 13:53:26 localhost sshd[1467]: Failed none for illegal user wank from 127.0.0.1 port 38211 ssh2
May 27 13:53:26 localhost sshd[1467]: Failed password for illegal user wank from 127.0.0.1 port 38211 ssh2
May 27 13:53:33 localhost sshd[1648]: Illegal user hax0r from 127.0.0.1
May 27 13:53:33 localhost sshd[1648]: Failed none for illegal user hax0r from 127.0.0.1 port 38345 ssh2
May 27 13:53:38 localhost sshd[1744]: Illegal user super from 127.0.0.1
May 27 13:53:38 localhost sshd[1744]: Failed none for illegal user super from 127.0.0.1 port 38415 ssh2
May 27 13:53:38 localhost sshd[1744]: Failed password for illegal user super from 127.0.0.1 port 38415 ssh2
May 27 13:53:40 localhost sshd[1793]: Failed password for root from 127.0.0.1 port 38460 ssh2
May 27 13:53:52 localhost sshd[2068]: Illegal user date from 127.0.0.1
May 27 13:53:52 localhost sshd[2068]: Failed none for illegal user date from 127.0.0.1 port 38794 ssh2
May 27 13:53:53 localhost sshd[2085]: Illegal user debug from 127.0.0.1
May 27 13:53:53 localhost sshd[2085]: Failed none for illegal user debug from 127.0.0.1 port 38806 ssh2
May 27 13:53:53 localhost sshd[2085]: Failed password for illegal user debug from 127.0.0.1 port 38806 ssh2
May 27 13:53:57 localhost sshd[2164]: Illegal user jill from 127.0.0.1
May 27 13:53:57 localhost sshd[2164]: Failed none for illegal user jill from 127.0.0.1 port 38871 ssh2
May 27 13:54:00 localhost sshd[2232]: Illegal user gamez from 127.0.0.1
May 27 13:54:00 localhost sshd[2232]: Failed none for illegal user gamez from 127.0.0.1 port 38898 ssh2
May 27 13:54:00 localhost sshd[2232]: Failed password for illegal user gamez from 127.0.0.1 port 38898 ssh2

Now I don't know how they are doing this from localhost. I ran chkrootkit before I got these messages, and I also ran it afterwards; nothing came up. I'm kinda stumped on this one, uh, help?

Capt_Caveman 05-28-2005 04:55 PM

I've seen machines spoof 127.0.0.1 before, but I don't believe that would work for a remote ssh login session, so I'd take a look for something local. However, the ssh logins look like they're generated by the brutessh tool, and to be honest I don't know why you'd run it locally. You'd need access in the first place in order to run the script, and there are much better tools for local bruteforcing.

Take a look at the process list and see if you see anything abnormal. Also take a look at netstat -pantu and see if you can see anything trying to establish local ssh connections. Obviously take an extensive look at all of the system logs. You might want to have iptables log and drop any packets coming in over an external interface that have 127.0.0.1 as the source (turning on the rp_filter will work too). It might be a good idea to look at the arp table and verify that nothing weird is going on.
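As an added example (not part of the thread), a small Python script that does the log-side half of the triage suggested above over the lines sovietpower posted: it tallies sshd failures per source and user, separates guesses against accounts that exist (like root) from "illegal user" probes, and flags any source claiming to be 127.0.0.1 so the netstat and iptables checks can be aimed at it. The sample lines are copied from the post; the regexes assume classic OpenSSH log wording ("illegal user", later releases say "invalid user").

```python
import re
from collections import Counter

# Constructed sample: a subset of the sshd lines posted in the thread above.
SAMPLE_LOG = """\
May 27 13:53:16 localhost sshd[1255]: Failed none for illegal user help from 127.0.0.1 port 38044 ssh2
May 27 13:53:19 localhost sshd[1322]: Did not receive identification string from 127.0.0.1
May 27 13:53:26 localhost sshd[1467]: Illegal user wank from 127.0.0.1
May 27 13:53:26 localhost sshd[1467]: Failed password for illegal user wank from 127.0.0.1 port 38211 ssh2
May 27 13:53:40 localhost sshd[1793]: Failed password for root from 127.0.0.1 port 38460 ssh2
May 27 13:54:00 localhost sshd[2232]: Failed none for illegal user gamez from 127.0.0.1 port 38898 ssh2
"""

# Old OpenSSH wording is "illegal user"; newer releases say "invalid user", so accept both.
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for "
    r"(?:(?P<illegal>illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
# Connections that never sent an SSH banner: a scanner or probe rather than a real client.
NOBANNER_RE = re.compile(r"sshd\[\d+\]: Did not receive identification string from (?P<ip>\S+)")

def summarize(log_text):
    """Tally sshd failures per (source, user), note banner-less probes, flag loopback sources."""
    failures = Counter()          # (ip, user) -> failed auth attempts, any method ("none", "password", ...)
    nobanner = Counter()          # ip -> connections that sent no identification string
    real_user_hits = Counter()    # (ip, user) -> failures against accounts that actually exist
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            key = (m["ip"], m["user"])
            failures[key] += 1
            if m["illegal"] is None:      # no "illegal/invalid user" tag: the account exists
                real_user_hits[key] += 1
            continue
        m = NOBANNER_RE.search(line)
        if m:
            nobanner[m["ip"]] += 1
    # A source of 127.0.0.1 should only ever arrive over lo; anything else is either a local
    # process or a spoofed packet on an external interface, which is what the iptables/rp_filter
    # advice in the thread is meant to catch.
    loopback_sources = {ip for ip, _ in failures if ip.startswith("127.")}
    loopback_sources |= {ip for ip in nobanner if ip.startswith("127.")}
    return {"failures": failures, "nobanner": nobanner,
            "real_user_hits": real_user_hits, "loopback_sources": loopback_sources}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (ip, user), n in s["failures"].most_common():
        print(f"{ip:15} {user:10} {n} failed  {'(existing account)' if (ip, user) in s['real_user_hits'] else ''}")
    print("loopback-source activity:", sorted(s["loopback_sources"]))
```

Run it against the full /var/log/messages instead of the sample to see whether the same source also shows up with a non-loopback address, which would point at spoofing rather than a local process.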

sovietpower 05-29-2005 02:19 AM

The only odd thing I can see from top is a sendmail process running under smmsp; I don't think I've ever seen that before. As far as netstat goes, everything looks good.
