Not /etc/secure , /var/log/secure....man, I can tell it's friday -----Original Message----- From: Jenkins, Jeremiah [mailto:jeremiah.jenkins@xxxxxxxxxxx] Sent: Friday, July 30, 2004 5:16 PM To: 'For users of Fedora Core releases' Subject: RE: MORE SSH Hacking: heads-up What does your /etc/secure log say? There are some scripts around the internet now, where they try to log in via ssh using "test" and guest with sometimes an admin account -----Original Message----- From: jludwig [mailto:wralphie@xxxxxxxxxxx] Sent: Friday, July 30, 2004 4:12 PM To: For users of Fedora Core releases Subject: Re: MORE SSH Hacking: heads-up On Fri, 2004-07-30 at 05:45, Brian Fahrlander wrote: > From last night's LogWatch: > -------------------------------------------------------------------------- > > sshd: > Invalid Users: > Unknown Account: 7 Time(s) > Unknown Entries: > authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= > rhost=johnstongrain.com : 2 Time(s) > authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= > rhost=smms-mriley09d.chemistry.uq.edu.au : 2 Time(s) > authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= > rhost=211.117.191.70 : 1 Time(s) > authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= > rhost=216.97.110.1 : 1 Time(s) > authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= > rhost=ccia-062-204-197-193.uned.es : 1 Time(s) > > su: > Sessions Opened: > brian(uid=500) -> root: 1 Time(s) > > ------------------------------------------------------------------------ > > Ok, guys- what do we do with this? Should we be writing down the > addresses from which these attempts were made? They're probably all > 'stooge' addresses, I know, but it might help authorities to know what > other machines have been compromised... > > I'll go save the log somewhere... > > ------------------------------------------------------------------------ Search results for: 211.117.191.70 OrgName: Asia Pacific Network Information Centre OrgID: APNIC Address: PO Box 2131 City: Milton StateProv: QLD PostalCode: 4064 Country: AU ReferralServer: whois://whois.apnic.net NetRange: 210.0.0.0 - 211.255.255.255 CIDR: 210.0.0.0/7 NetName: APNIC-CIDR-BLK2 NetHandle: NET-210-0-0-0-1 Parent: NetType: Allocated to APNIC NameServer: NS1.APNIC.NET NameServer: NS3.APNIC.NET NameServer: NS4.APNIC.NET NameServer: NS.RIPE.NET NameServer: TINNIE.ARIN.NET NameServer: DNS1.TELSTRA.NET Comment: This IP address range is not registered in the ARIN database. Comment: For details, refer to the APNIC Whois Database via Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry Comment: for the Asia Pacific region. APNIC does not operate networks Comment: using this IP address range and is not able to investigate Comment: spam or abuse reports relating to these addresses. For more Comment: help, refer to http://www.apnic.net/info/faq/abuse Comment: RegDate: 1996-07-01 Updated: 2004-03-30 OrgTechHandle: AWC12-ARIN OrgTechName: APNIC Whois Contact OrgTechPhone: +61 7 3858 3100 OrgTechEmail: search-apnic-not-arin@xxxxxxxxx # ARIN WHOIS database, last updated 2004-07-29 19:10 # Enter ? for additional hints on searching ARIN's WHOIS database. -- jludwig <wralphie@xxxxxxxxxxx> -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
