Hi everyone,
I have some very strange information in my /var/log/secure:

find /var/log | xargs grep -i 62.149.129.73 2>/dev/null
/var/log/secure:Dec 13 21:32:38 baravalle xinetd[1219]: START: smtp pid=26049 from=62.149.129.73
/var/log/secure:Dec 13 21:32:38 baravalle sshd[26048]: Did not receive identification string from ::ffff:62.149.129.73
/var/log/secure:Dec 13 20:33:33 baravalle sshd[26059]: Failed none for invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2
/var/log/secure:Dec 13 21:33:42 baravalle sshd[26058]: Failed password for invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2
/var/log/secure:Dec 13 20:33:42 baravalle sshd[26059]: Failed password for invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2

Apparently someone tried to log in with a user name (I changed the username here). I don't like the timestamps: 21:32:38, 20:33:33, 21:33:42, 20:33:42.

Why is that?

By the way, most probably the access has been done by my provider. They are denying it, but there is overwhelming evidence: the username used is the one that they gave me, which is the word admin and a string of 7 digits. The username should be known just by me, my business partner and my provider. The username was anyway invalid in the system, because I had disabled SSH access from all users but the ones in a group. Nevertheless, in their records, the provider had another user name that I didn't disable (stupid me) because they did some maintenance work not long ago. I can't see any access from the correct user name since the last time I had authorised them to access the server.

Anyone able to bring some light?

Andres
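An added example, not part of the thread: a small Python script that parses /var/log/secure entries like the ones above, tallies failed SSH logins per source address and username, and flags entries whose timestamp runs backwards relative to the line before them, so that such entries can be reviewed against the logger's clock behaviour rather than read as evidence of tampering. It uses the five log lines from the post as constructed sample input; the year (2006) is an assumption, since syslog entries carry none.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the post's five entries in file order, without the
# "/var/log/secure:" prefix grep added. Syslog lines carry no year (assumed below).
SAMPLE = """\
Dec 13 21:32:38 baravalle xinetd[1219]: START: smtp pid=26049 from=62.149.129.73
Dec 13 21:32:38 baravalle sshd[26048]: Did not receive identification string from ::ffff:62.149.129.73
Dec 13 20:33:33 baravalle sshd[26059]: Failed none for invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2
Dec 13 21:33:42 baravalle sshd[26058]: Failed password for invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2
Dec 13 20:33:42 baravalle sshd[26059]: Failed password for invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2
"""

# Classic syslog layout: "Mon dd HH:MM:SS host prog[pid]: message"
SYSLOG = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# sshd failure line; "invalid user" is optional so failures for real accounts count too.
FAILED = re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
                    r"from (?P<src>\S+) port (?P<port>\d+)")

def parse_line(line, year=2006):
    """Split one syslog line into fields; return None for lines that do not parse."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "pid": m["pid"], "msg": m["msg"]}

def strip_v4mapped(addr):
    """sshd logged IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d); normalise to IPv4."""
    return addr[7:] if addr.lower().startswith("::ffff:") else addr

def analyse(text):
    """Return failed-login counts keyed by (source, user) and a list of timestamp
    regressions: (previous ts, this ts, message) for entries dated before the line above."""
    failures, regressions, prev = Counter(), [], None
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # Syslog is append-only, so a timestamp going backwards deserves a look; the
        # thread attributes these to a known upstream bug, so report it, don't conclude.
        if prev is not None and rec["ts"] < prev["ts"]:
            regressions.append((prev["ts"], rec["ts"], rec["msg"]))
        prev = rec
        if rec["prog"] == "sshd" and (f := FAILED.match(rec["msg"])):
            failures[(strip_v4mapped(f["src"]), f["user"])] += 1
    return failures, regressions
```

On the sample, analyse(SAMPLE) reports three failed logins for one (source, user) pair and two timestamp regressions, matching the oddity the post describes.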
Andres Baravalle wrote:
> /var/log/secure:Dec 13 21:33:42 baravalle sshd[26058]: Failed password
> for invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2
> /var/log/secure:Dec 13 20:33:42 baravalle sshd[26059]: Failed password
> for invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2
>
> Apparently someone tried to log in with a user name (I changed the
> username here). I don't like the timestamps: 21:32:38, 20:33:33,
> 21:33:42, 20:33:42.

The timestamps are a known error from upstream:

<http://bugs.centos.org/view.php?id=1557>

Regards,

Ralph
--
Ralph Angenendt......ra at br-online.de | .."Text processing has made it possible
Bayerischer Rundfunk...80300 München | ....to right-justify any idea, even one
Programmbereich.Bayern 3, Jugend und | .which cannot be justified on any other
Multimedia.........Tl:089.5900.16023 | ..........grounds." -- J. Finnegan, USC
On 14/12/06, Andres Baravalle <andres.baravalle at gmail.com> wrote:
> Hi everyone,
> I have some very strange information in my /var/log/secure:
>
> find /var/log | xargs grep -i 62.149.129.73 2>/dev/null
> /var/log/secure:Dec 13 21:32:38 baravalle xinetd[1219]: START: smtp
> pid=26049 from=62.149.129.73
> /var/log/secure:Dec 13 21:32:38 baravalle sshd[26048]: Did not receive
> identification string from ::ffff:62.149.129.73
> /var/log/secure:Dec 13 20:33:33 baravalle sshd[26059]: Failed none for
> invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2
> /var/log/secure:Dec 13 21:33:42 baravalle sshd[26058]: Failed password
> for invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2
> /var/log/secure:Dec 13 20:33:42 baravalle sshd[26059]: Failed password
> for invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2
>
> Apparently someone tried to log in with a user name (I changed the
> username here). I don't like the timestamps: 21:32:38, 20:33:33,
> 21:33:42, 20:33:42.
>
> Why is that?
>
> By the way, most probably the access has been done by my provider.
> They are denying it, but there is overwhelming evidence: the username
> used is the one that they gave me, which is the word admin and a
> string of 7 digits. The username should be known just by me, my
> business partner and my provider. The username was anyway invalid in
> the system, because I had disabled SSH access from all users but the
> ones in a group. Nevertheless, in their records, the provider had
> another user name that I didn't disable (stupid me) because they did
> some maintenance work not long ago. I can't see any access from the
> correct user name since the last time I had authorised them to access
> the server.

We covered something similar a little while back. Don't know if it's the same problem you're seeing but this might help shed some light...

http://lists.centos.org/pipermail/centos/2006-November/072459.html

Will.
2006/12/14, Ralph Angenendt <ra+centos at br-online.de>:
> Andres Baravalle wrote:
> > /var/log/secure:Dec 13 21:33:42 baravalle sshd[26058]: Failed password
> > for invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2
> > /var/log/secure:Dec 13 20:33:42 baravalle sshd[26059]: Failed password
> > for invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2
> >
> > Apparently someone tried to log in with a user name (I changed the
> > username here). I don't like the timestamps: 21:32:38, 20:33:33,
> > 21:33:42, 20:33:42.
>
> The timestamps are a known error from upstream:
>
> <http://bugs.centos.org/view.php?id=1557>

Great, thanks. Now I got an email from the provider which says that actually yesterday they did try to ssh the machine. So everything is now clear.

Andres