Server hacking....
Posted: Tue Jan 03, 2006 12:27 pm
I often look in my server logs and see lots of random failed login attempts. I never see what the point in people trying it is, because nobody even knows what's on my server (and that's not a lot, in fact)... certainly nothing worth stealing or breaking.
It doesn't worry me because I use very strong passwords, don't allow plaintext passwords over SSH, don't allow root logins over SSH and chroot FTP users into ~/. Nobody ever actually breaks in but I'm amazed just how often I see attempts.
Today I leave a `tail -f' of /var/log/messages running and come back to find this... (not surprisingly). The list is much longer but still.
Code:
Jan 3 13:48:23 d11wtq sshd[14098]: Failed password for invalid user 1956 from 80.235.105.114 port 37819 ssh2
Jan 3 13:48:24 d11wtq sshd[14100]: Invalid user 1957 from 80.235.105.114
Jan 3 13:48:24 d11wtq sshd(pam_unix)[14100]: check pass; user unknown
Jan 3 13:48:24 d11wtq sshd(pam_unix)[14100]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.polytex.ee
Jan 3 13:48:26 d11wtq sshd[14100]: Failed password for invalid user 1957 from 80.235.105.114 port 38242 ssh2
Jan 3 13:48:27 d11wtq sshd[14102]: Invalid user 1958 from 80.235.105.114
Jan 3 13:48:27 d11wtq sshd(pam_unix)[14102]: check pass; user unknown
Jan 3 13:48:27 d11wtq sshd(pam_unix)[14102]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.polytex.ee
Jan 3 13:48:29 d11wtq sshd[14102]: Failed password for invalid user 1958 from 80.235.105.114 port 38679 ssh2
Jan 3 13:48:30 d11wtq sshd[14104]: Invalid user 1959 from 80.235.105.114
Jan 3 13:48:30 d11wtq sshd(pam_unix)[14104]: check pass; user unknown
Jan 3 13:48:30 d11wtq sshd(pam_unix)[14104]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.polytex.ee
Jan 3 13:48:33 d11wtq sshd[14104]: Failed password for invalid user 1959 from 80.235.105.114 port 39099 ssh2
Jan 3 13:48:33 d11wtq sshd[14106]: Invalid user 1960 from 80.235.105.114
Jan 3 13:48:33 d11wtq sshd(pam_unix)[14106]: check pass; user unknown
Jan 3 13:48:33 d11wtq sshd(pam_unix)[14106]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.polytex.ee
Jan 3 13:48:36 d11wtq sshd[14106]: Failed password for invalid user 1960 from 80.235.105.114 port 39527 ssh2
Jan 3 13:48:36 d11wtq sshd[14108]: Invalid user 1961 from 80.235.105.114
Jan 3 13:48:36 d11wtq sshd(pam_unix)[14108]: check pass; user unknown
Jan 3 13:48:36 d11wtq sshd(pam_unix)[14108]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.polytex.ee
Jan 3 13:48:39 d11wtq sshd[14108]: Failed password for invalid user 1961 from 80.235.105.114 port 39953 ssh2
Jan 3 13:48:39 d11wtq sshd[14110]: Invalid user 1962 from 80.235.105.114
Jan 3 13:48:39 d11wtq sshd(pam_unix)[14110]: check pass; user unknown
Jan 3 13:48:39 d11wtq sshd(pam_unix)[14110]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.polytex.ee
Jan 3 13:48:42 d11wtq sshd[14110]: Failed password for invalid user 1962 from 80.235.105.114 port 40328 ssh2
Jan 3 13:48:43 d11wtq sshd[14112]: Invalid user 1963 from 80.235.105.114
Jan 3 13:48:43 d11wtq sshd(pam_unix)[14112]: check pass; user unknown
Jan 3 13:48:43 d11wtq sshd(pam_unix)[14112]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.polytex.ee
Jan 3 13:48:45 d11wtq sshd[14112]: Failed password for invalid user 1963 from 80.235.105.114 port 40764 ssh2
Jan 3 13:48:46 d11wtq sshd[14114]: Invalid user 1964 from 80.235.105.114
Jan 3 13:48:46 d11wtq sshd(pam_unix)[14114]: check pass; user unknown
Jan 3 13:48:46 d11wtq sshd(pam_unix)[14114]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.polytex.ee
Jan 3 13:48:48 d11wtq sshd[14114]: Failed password for invalid user 1964 from 80.235.105.114 port 41213 ssh2
Jan 3 13:48:58 d11wtq sshd[14116]: Invalid user 1965 from 80.235.105.114
Jan 3 13:48:58 d11wtq sshd(pam_unix)[14116]: check pass; user unknown
Jan 3 13:48:58 d11wtq sshd(pam_unix)[14116]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.polytex.ee
Jan 3 13:49:00 d11wtq sshd[14116]: Failed password for invalid user 1965 from 80.235.105.114 port 41651 ssh2
Jan 3 14:46:54 d11wtq xinetd[1206]: START: imap2 pid=14135 from=68.82.20.28
Jan 3 14:46:54 d11wtq imapd[14135]: port 143 service init from 68.82.20.28
Jan 3 14:46:54 d11wtq imapd[14135]: Command stream end of file, while reading line user=??? domain=??? host=pcp03108393pcs.rte20201.de.comcast.net [68.82.20.28]
Jan 3 14:46:54 d11wtq xinetd[1206]: EXIT: imap2 pid=14135 duration=0(sec)
Jan 3 15:14:22 d11wtq xinetd[1206]: START: smtp pid=14145 from=71.48.212.231
Jan 3 15:14:35 d11wtq spamd[13534]: connection from localhost [127.0.0.1] at port 1251
Jan 3 15:14:35 d11wtq spamd[13534]: info: setuid to nobody succeeded
Jan 3 15:14:35 d11wtq spamd[13534]: Creating default_prefs [//.spamassassin/user_prefs]
Jan 3 15:14:35 d11wtq spamd[13534]: Cannot write to //.spamassassin/user_prefs: No such file or directory
Jan 3 15:14:35 d11wtq spamd[13534]: Couldn't create readable default_prefs for [//.spamassassin/user_prefs]
Jan 3 15:14:35 d11wtq spamd[13534]: checking message <000001c61078$65ff7c00$0100007f@work-3> for nobody:65534.
Jan 3 15:14:37 d11wtq spamd[13534]: clean message (3.4/5.0) for nobody:65534 in 2.2 seconds, 6415 bytes.
Jan 3 15:14:37 d11wtq spamd[13534]: result: . 3 - DATE_IN_PAST_06_12,HTML_FONT_BIG,HTML_MESSAGE,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,URIBL_SBL,URIBL_WS_SURBL scantime=2.2,size=6415,mid=<000001c61078$65ff7c00$0100007f@work-3>,autolearn=disabled
Jan 3 15:14:37 d11wtq exim[14145]: 2006-01-03 15:14:37 1Etnrk-0003g9-BU <= alexander@griffield.biz H=nc-71-48-212-231.dhcp.sprint-hsd.net (friend) [71.48.212.231] P=esmtp S=6470 id=000001c61078$65ff7c00$0100007f@work-3
Jan 3 15:14:37 d11wtq exim[14146]: 2006-01-03 15:14:37 1Etnrk-0003g9-BU => enquiries <enquiries@chriscorbyn.co.uk> R=localuser T=local_delivery
Jan 3 15:14:37 d11wtq exim[14146]: 2006-01-03 15:14:37 1Etnrk-0003g9-BU == enquiries@chriscorbyn.co.uk R=write_spam_05 T=write_spam defer (13): Permission denied: failed to create directories for /home/d11wtq/Mail/chriscorbyn.co.uk/spam: Permission denied
Jan 3 15:14:56 d11wtq sshd[14150]: reverse mapping checking getaddrinfo for corporativos_245185-3.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jan 3 15:14:56 d11wtq sshd(pam_unix)[14150]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.245.185.3 user=root
Jan 3 15:14:59 d11wtq sshd[14150]: Failed password for root from 201.245.185.3 port 35057 ssh2
Jan 3 15:15:05 d11wtq sshd[14152]: reverse mapping checking getaddrinfo for corporativos_245185-3.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jan 3 15:15:05 d11wtq sshd(pam_unix)[14152]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.245.185.3 user=root
Jan 3 15:15:08 d11wtq sshd[14152]: Failed password for root from 201.245.185.3 port 35356 ssh2
Jan 3 15:15:15 d11wtq sshd[14154]: reverse mapping checking getaddrinfo for corporativos_245185-3.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jan 3 15:15:15 d11wtq sshd(pam_unix)[14154]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.245.185.3 user=root
Jan 3 15:15:17 d11wtq sshd[14154]: Failed password for root from 201.245.185.3 port 35633 ssh2
Jan 3 15:15:27 d11wtq sshd[14156]: reverse mapping checking getaddrinfo for corporativos_245185-3.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jan 3 15:15:27 d11wtq sshd(pam_unix)[14156]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.245.185.3 user=root
Jan 3 15:15:29 d11wtq sshd[14156]: Failed password for root from 201.245.185.3 port 35969 ssh2
Jan 3 17:38:09 d11wtq proftpd[14212]: localhost (lns-bzn-31-82-252-215-230.adsl.proxad.net[82.252.215.230]) - FTP session opened.
Jan 3 17:38:10 d11wtq proftpd[14212]: localhost (lns-bzn-31-82-252-215-230.adsl.proxad.net[82.252.215.230]) - USER ftp (Login failed): Invalid shell: '/bin/false'
Jan 3 17:38:10 d11wtq proftpd[14212]: localhost (lns-bzn-31-82-252-215-230.adsl.proxad.net[82.252.215.230]) - FTP session closed.
Probably a bot, or several bots doing it.
It makes me wonder just how many people get rooted without even knowing it because they just have god-awful security procedures on their machines.
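As an added example (not part of the original post, and not the poster's code), here is a small Python script that runs detection logic over a subset of the sshd lines quoted above. It groups "Failed password" events by source address, links the "reverse mapping checking getaddrinfo ... failed" warning to the failure that follows it through the sshd pid (that warning line carries no IP), and tags the two patterns visible in the log: a scripted walk through consecutive invalid usernames (1956, 1957, ...) and repeated password guesses against root. The maxretry threshold and the tag names are my own choices, loosely modelled on fail2ban's maxretry; the regular expressions are written for the OpenSSH/pam_unix syslog format shown in the excerpt and may need adjusting for other versions.

```python
"""Flag SSH brute-force sources in /var/log/messages-style sshd output.

Added example for the post above; not the author's code. Thresholds and
tag names are my own choices, loosely modelled on fail2ban's maxretry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# A subset of the sshd lines quoted in the post, plus one proftpd line to show
# that unrelated services are ignored. No log entries here are invented.
SAMPLE_LOG = """\
Jan 3 13:48:23 d11wtq sshd[14098]: Failed password for invalid user 1956 from 80.235.105.114 port 37819 ssh2
Jan 3 13:48:26 d11wtq sshd[14100]: Failed password for invalid user 1957 from 80.235.105.114 port 38242 ssh2
Jan 3 13:48:29 d11wtq sshd[14102]: Failed password for invalid user 1958 from 80.235.105.114 port 38679 ssh2
Jan 3 13:48:33 d11wtq sshd[14104]: Failed password for invalid user 1959 from 80.235.105.114 port 39099 ssh2
Jan 3 13:48:36 d11wtq sshd[14106]: Failed password for invalid user 1960 from 80.235.105.114 port 39527 ssh2
Jan 3 15:14:56 d11wtq sshd[14150]: reverse mapping checking getaddrinfo for corporativos_245185-3.etb.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Jan 3 15:14:59 d11wtq sshd[14150]: Failed password for root from 201.245.185.3 port 35057 ssh2
Jan 3 15:15:08 d11wtq sshd[14152]: Failed password for root from 201.245.185.3 port 35356 ssh2
Jan 3 15:15:17 d11wtq sshd[14154]: Failed password for root from 201.245.185.3 port 35633 ssh2
Jan 3 15:15:29 d11wtq sshd[14156]: Failed password for root from 201.245.185.3 port 35969 ssh2
Jan 3 17:38:10 d11wtq proftpd[14212]: localhost (lns-bzn-31-82-252-215-230.adsl.proxad.net[82.252.215.230]) - USER ftp (Login failed): Invalid shell: '/bin/false'
"""

# Line formats as they appear in the excerpt (OpenSSH with pam_unix, syslog to messages).
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
# This warning carries no IP, only the sshd pid; the pid links it to the later failure.
REVDNS_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: reverse mapping checking getaddrinfo for \S+ failed")


@dataclass
class Source:
    failures: int = 0
    users: list = field(default_factory=list)  # usernames in order of appearance
    invalid_users: int = 0                      # failures against accounts that do not exist
    root_attempts: int = 0
    no_reverse_dns: int = 0                     # failures whose session also failed the rDNS check


def parse(lines):
    """Aggregate failed-password events per source IP."""
    sources = defaultdict(Source)
    revdns_pids = set()
    for line in lines:
        m = REVDNS_RE.search(line)
        if m:
            revdns_pids.add(m.group("pid"))
            continue
        m = FAILED_RE.search(line)
        if not m:
            continue  # proftpd, imapd, exim and spamd lines fall through here
        src = sources[m.group("ip")]
        src.failures += 1
        src.users.append(m.group("user"))
        if m.group("invalid"):
            src.invalid_users += 1
        if m.group("user") == "root":
            src.root_attempts += 1
        if m.group("pid") in revdns_pids:
            src.no_reverse_dns += 1
    return dict(sources)


def sequential_usernames(users):
    """True when the names are consecutive integers (1956, 1957, ...), i.e. a scripted walk."""
    if len(users) < 3 or not all(u.isdigit() for u in users):
        return False
    nums = [int(u) for u in users]
    return all(b - a == 1 for a, b in zip(nums, nums[1:]))


def classify(src, maxretry=3):
    """Return the tags that apply to one source; 'ban' mirrors a fail2ban-style threshold."""
    tags = []
    if src.failures >= maxretry:
        tags.append("ban")
    if src.invalid_users == src.failures and len(set(src.users)) >= 3:
        tags.append("user-enumeration")
    if sequential_usernames(src.users):
        tags.append("sequential-usernames")
    if src.root_attempts:
        tags.append("root-password-guessing")
    if src.no_reverse_dns:
        tags.append("no-reverse-dns")
    return tags


def report(text=SAMPLE_LOG, maxretry=3):
    """Map each offending source IP to its tags."""
    return {ip: classify(src, maxretry) for ip, src in parse(text.splitlines()).items()}


if __name__ == "__main__":
    for ip, tags in report().items():
        print(ip, ", ".join(tags))
```

Run against the sample, 80.235.105.114 comes out as a user-enumeration walk and 201.245.185.3 as root password guessing from a host with no working reverse DNS; both cross the maxretry line. Two caveats a practitioner would add: the rules are per source address, so a botnet that spreads its guesses across many hosts stays under any per-IP threshold, and the settings the poster describes correspond to PermitRootLogin no and PasswordAuthentication no in sshd_config, which is what stops these guesses from ever being a risk rather than merely detecting them.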