Hi all,

I found similar sequences in the /var/auth.log files of the FreeBSD boxes I supervise:

Aug 13 13:56:08 www sshd[26091]: Illegal user test from 165.21.103.20
Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 165.21.103.20
Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 165.21.103.20
Aug 13 13:56:18 www sshd[26103]: Illegal user admin from 165.21.103.20
Aug 13 13:56:21 www sshd[26105]: Illegal user user from 165.21.103.20
Aug 13 13:56:25 www sshd[26107]: Failed password for root from 165.21.103.20 port 39678 ssh2
Aug 13 13:56:28 www sshd[26109]: Failed password for root from 165.21.103.20 port 39760 ssh2
Aug 13 13:56:32 www sshd[26111]: Failed password for root from 165.21.103.20 port 39836 ssh2
Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57

What are these?

bye
Sandor Berta
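A worked example added here (it is not code from any post in this thread): parse the sshd lines Sandor posted, group them by source address, and flag the sources that walk through the test/guest/admin/user/root list the replies below describe. It assumes the OpenSSH message formats of the time ("Illegal user X from IP" and "Failed password for X from IP port N ssh2"), supplies a year because syslog timestamps carry none, and adds one constructed line from 10.0.0.5 as a benign control; the two-name/120-second threshold is an assumed heuristic, not anything the thread states.

```python
"""Added example, not code from any post in this thread: parse the sshd lines
Sandor posted, group them by source address and flag the sources that walk the
test/guest/admin/user/root list the other replies describe.

Assumptions: OpenSSH-era message formats "Illegal user X from IP" and
"Failed password for X from IP port N ssh2"; syslog timestamps carry no year,
so one is supplied; the 10.0.0.5 line is constructed as a benign control."""
import re
from collections import defaultdict
from datetime import datetime

SYSLOG_TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
ILLEGAL_USER = re.compile(
    SYSLOG_TS + r" (?P<host>\S+) sshd\[\d+\]: Illegal user (?P<user>\S+)"
    r" from (?P<ip>\d+(?:\.\d+){3})$")
FAILED_PW = re.compile(
    SYSLOG_TS + r" (?P<host>\S+) sshd\[\d+\]: Failed password for"
    r" (?:invalid user |illegal user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
    r" port \d+ ssh2$")

# Account names the scanner tries, as reported in the thread.
SCANNER_USERS = {"test", "guest", "admin", "user", "root"}

# Lines from Sandor's post, plus one constructed benign line (10.0.0.5).
SAMPLE_LOG = """\
Aug 13 13:56:08 www sshd[26091]: Illegal user test from 165.21.103.20
Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 165.21.103.20
Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 165.21.103.20
Aug 13 13:56:18 www sshd[26103]: Illegal user admin from 165.21.103.20
Aug 13 13:56:21 www sshd[26105]: Illegal user user from 165.21.103.20
Aug 13 13:56:25 www sshd[26107]: Failed password for root from 165.21.103.20 port 39678 ssh2
Aug 13 13:56:28 www sshd[26109]: Failed password for root from 165.21.103.20 port 39760 ssh2
Aug 13 13:56:32 www sshd[26111]: Failed password for root from 165.21.103.20 port 39836 ssh2
Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
Aug 13 14:02:10 www sshd[26200]: Failed password for sandor from 10.0.0.5 port 1022 ssh2
Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57
""".splitlines()


def parse_line(line, year=2004):
    """Return (timestamp, user, ip, kind) for a login-failure line, else None."""
    for kind, rx in (("illegal_user", ILLEGAL_USER), ("failed_password", FAILED_PW)):
        m = rx.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            return ts, m["user"], m["ip"], kind
    return None


def looks_like_scanner(users, span_seconds, max_span=120):
    """Two or more distinct names from the scanner's list inside a short window
    (assumed threshold). One mistyped login name from a real user does not trip it."""
    return len(set(users) & SCANNER_USERS) >= 2 and span_seconds <= max_span


def summarise(lines, year=2004):
    """Per source IP: attempt count, usernames in time order, window, verdict."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line, year)
        if ev:
            ts, user, ip, kind = ev
            by_ip[ip].append((ts, user, kind))
    report = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        users = [u for _, u, _ in events]
        span = (events[-1][0] - events[0][0]).total_seconds()
        report[ip] = {
            "attempts": len(events),
            "users": users,
            "span_seconds": span,
            "scanner_like": looks_like_scanner(users, span),
        }
    return report


if __name__ == "__main__":
    for ip, r in sorted(summarise(SAMPLE_LOG).items()):
        flag = "SCANNER?" if r["scanner_like"] else "ok"
        print(f"{ip:16} {r['attempts']:3d} attempts in {r['span_seconds']:5.0f}s "
              f"{flag:9} {' '.join(r['users'])}")
```

Both message shapes are parsed on purpose: grepping only for "Illegal user" would miss the three root attempts, which are the ones that matter, since root exists on every box. On a real host feed it the lines of /var/log/auth.log and treat the 120-second window and the two-name rule as starting points to tune.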
Hello,

Someone is trying to pick up a password for these accounts. Restrict your ssh service to your trusted networks only.

> Hi all,
> I found similar sequences in the
> /var/auth.log files of freebsd boxes, I supervise.:
> Aug 13 13:56:08 www sshd[26091]: Illegal user test from 165.21.103.20
> Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 165.21.103.20
> Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:18 www sshd[26103]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:21 www sshd[26105]: Illegal user user from 165.21.103.20
> Aug 13 13:56:25 www sshd[26107]: Failed password for root from
> 165.21.103.20 port 39678 ssh2
> Aug 13 13:56:28 www sshd[26109]: Failed password for root from
> 165.21.103.20 port 39760 ssh2
> Aug 13 13:56:32 www sshd[26111]: Failed password for root from
> 165.21.103.20 port 39836 ssh2
> Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
> Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
> Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57
>
> What are these?

-- 
Nikolaj I. Potanin, SA            http://www.drweb.ru
ID Anti-Virus Lab (SalD Ltd)      nikolaj@drweb.ru
St. Petersburg, Russia            ph.: +7-812-3888624
On Fri, 13 Aug 2004, Sandor Berta wrote:

> Hi all,
> I found similar sequences in the
> /var/auth.log files of freebsd boxes, I supervise.:
> Aug 13 13:56:08 www sshd[26091]: Illegal user test from 165.21.103.20
> Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 165.21.103.20
> Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:18 www sshd[26103]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:21 www sshd[26105]: Illegal user user from 165.21.103.20
> Aug 13 13:56:25 www sshd[26107]: Failed password for root from
> 165.21.103.20 port 39678 ssh2
> Aug 13 13:56:28 www sshd[26109]: Failed password for root from
> 165.21.103.20 port 39760 ssh2
> Aug 13 13:56:32 www sshd[26111]: Failed password for root from
> 165.21.103.20 port 39836 ssh2
> Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
> Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
> Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57

There are failed attempts to login via ssh.

-- 
Dan Langille - http://www.langille.org/
Hi Sandor,

You don't have to worry, unless you have users 'test', 'guest', 'admin' or 'root' with poor passwords: typically the same as or very similar to the account name. There seems to be a script going around among the hackers to scan SSH and gain access to poorly configured servers.... Unfortunately there are plenty of badly configured servers. Maybe you should disable root access via SSH password (only via keys).

Regards,
Janos Mohacsi
Network Engineer, Research Associate
NIIF/HUNGARNET, HUNGARY
Key 00F9AF98: 8645 1312 D249 471B DBAE 21A2 9F52 0D1F 00F9 AF98

On Fri, 13 Aug 2004, Sandor Berta wrote:

> Hi all,
> I found similar sequences in the
> /var/auth.log files of freebsd boxes, I supervise.:
> Aug 13 13:56:08 www sshd[26091]: Illegal user test from 165.21.103.20
> Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 165.21.103.20
> Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:18 www sshd[26103]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:21 www sshd[26105]: Illegal user user from 165.21.103.20
> Aug 13 13:56:25 www sshd[26107]: Failed password for root from 165.21.103.20
> port 39678 ssh2
> Aug 13 13:56:28 www sshd[26109]: Failed password for root from 165.21.103.20
> port 39760 ssh2
> Aug 13 13:56:32 www sshd[26111]: Failed password for root from 165.21.103.20
> port 39836 ssh2
> Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
> Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
> Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57
>
> What are these?
>
> bye
> Sandor Berta
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
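An added example, not code from Janos or anyone else in the thread, that checks an sshd_config for the settings his reply recommends (no root login by password, keys rather than passwords) plus the account allow-list. It encodes one caveat a practitioner runs into: sshd_config(5) uses the first value it finds for a keyword, so a hardening line appended at the end of the file is silently ignored if the keyword was already set above it. The POLICY and DEFAULTS tables are this example's own assumptions (check the defaults of the OpenSSH release you actually run), the two config texts are constructed, and Match blocks are not modelled.

```python
"""Added example (not from the thread): audit an sshd_config for the settings
Janos's reply recommends. sshd uses the FIRST value it finds for a keyword
(sshd_config(5)), so the audit reports the effective value and the line it
came from. Match blocks are not modelled: parsing stops at the first 'Match'.
POLICY and DEFAULTS are assumptions for this example; verify against your
sshd release."""
import re

# keyword -> acceptable values (lower-cased). Assumed policy for this example.
POLICY = {
    "permitrootlogin": {"no", "without-password", "prohibit-password",
                        "forced-commands-only"},
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "permitemptypasswords": {"no"},
}
# Value sshd assumes when the keyword is absent (assumed defaults; older
# releases default PermitRootLogin to yes, newer ones to prohibit-password).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitemptypasswords": "no",
}

# Constructed sample: the appended PermitRootLogin line never takes effect.
WEAK = """\
# constructed sample, not a real host's config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# added later by an admin who expected it to win:
PermitRootLogin without-password
"""

# Constructed sample: keys only, no root password, named accounts only.
HARDENED = """\
# constructed sample: keys only, no root password, named accounts only
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
AllowUsers sandor janos
"""


def effective_settings(text):
    """Return {keyword: (value, lineno)} using sshd's first-match rule."""
    eff = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":                        # conditional blocks not modelled
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        eff.setdefault(key, (value, lineno))      # first occurrence wins
    return eff


def audit(text):
    """Return [(keyword, effective_value, lineno_or_None, ok)] for the policy."""
    eff = effective_settings(text)
    findings = []
    for key, allowed in POLICY.items():
        value, lineno = eff.get(key, (DEFAULTS[key], None))
        findings.append((key, value, lineno, value.lower() in allowed))
    if "allowusers" not in eff and "allowgroups" not in eff:
        findings.append(("allowusers/allowgroups",
                         "(unset: any account may try)", None, False))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for key, value, lineno, ok in audit(cfg):
            where = f"line {lineno}" if lineno else "default"
            print(f"  {'OK ' if ok else 'BAD'} {key:32} {value:30} ({where})")
```

Two things to keep in mind when applying this to a real box: PasswordAuthentication no is not enough on its own where ChallengeResponseAuthentication (keyboard-interactive, usually via PAM) is still on, because a password can still be accepted down that path, which is why the policy checks both; and restrict the listening address or firewall port 22 to trusted networks as Nikolaj suggests, since the audit only covers what sshd will accept once a connection arrives.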
Heya,

this is probably the same piece of malware that has been discussed on f-d recently. The username/password combinations guest and test are hardcoded into a little statically linked binary which is commonly used together with a SYN scanner. Chances are good these attempts are coming from a compromised box - you may want to look into that if it is in your realms. If you need more info, I disassembled them both and made a quick analysis, check the f-d archives.

Cheers,
J.
I've been getting this too on both my FreeBSD boxes; it seems to be an epidemic. I guess it's some form of ssh scanner looking for open accounts with no passwords (or easily guessable passwords)?

Thanks,
Craig

> Hi all,
> I found similar sequences in the
<snip>
> 165.21.103.20 port 39836 ssh2
> Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
> Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
> Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57
>
> What are these?
>
I'm seeing the same thing in my log. It makes me think it is a virus because test, guest, and admin are not normal Unix users.

Jul 17 04:14:13 newman sshd[2630]: Illegal user test from 129.194.21.5
Jul 17 04:14:14 newman sshd[2632]: Illegal user guest from 129.194.21.5
Jul 24 19:29:26 newman sshd[43831]: Illegal user test from 69.0.134.72
Jul 24 19:29:26 newman sshd[43838]: Illegal user guest from 69.0.134.72
Jul 24 19:29:27 newman sshd[43840]: Illegal user admin from 69.0.134.72
Jul 24 19:29:27 newman sshd[43842]: Illegal user admin from 69.0.134.72
Jul 24 19:29:27 newman sshd[43844]: Illegal user user from 69.0.134.72
Jul 24 19:29:33 newman sshd[43853]: Illegal user test from 69.0.134.72
Jul 24 21:17:05 newman sshd[45031]: Illegal user test from 202.6.75.195
Jul 24 21:17:07 newman sshd[45033]: Illegal user guest from 202.6.75.195
Jul 25 02:04:17 newman sshd[34873]: Illegal user test from 211.202.3.148
Jul 25 02:04:19 newman sshd[34875]: Illegal user guest from 211.202.3.148
Jul 28 12:09:17 newman sshd[16613]: Illegal user test from 65.61.98.16
Jul 28 12:09:18 newman sshd[16615]: Illegal user guest from 65.61.98.16
Jul 31 08:18:09 newman sshd[98113]: Illegal user test from 65.194.200.129
Jul 31 08:18:10 newman sshd[98116]: Illegal user guest from 65.194.200.129
Aug  1 22:47:50 newman sshd[1520]: Illegal user test from 202.114.73.4
Aug  1 22:47:53 newman sshd[1522]: Illegal user guest from 202.114.73.4
Aug  4 21:09:11 newman sshd[39267]: Illegal user test from 218.38.216.168
Aug  4 21:09:13 newman sshd[39269]: Illegal user guest from 218.38.216.168
Aug  7 13:53:00 newman sshd[15889]: Illegal user test from 64.246.20.43
Aug  7 13:53:00 newman sshd[15891]: Illegal user guest from 64.246.20.43
Aug  7 13:53:01 newman sshd[15893]: Illegal user admin from 64.246.20.43
Aug  7 14:00:37 newman sshd[15970]: Illegal user test from 64.246.20.43
Aug  7 14:00:38 newman sshd[15972]: Illegal user guest from 64.246.20.43
Aug  7 14:00:39 newman sshd[15974]: Illegal user admin from 64.246.20.43
Aug  7 14:00:40 newman sshd[15976]: Illegal user admin from 64.246.20.43
Aug  7 14:00:41 newman sshd[15978]: Illegal user user from 64.246.20.43
Aug  7 14:00:44 newman sshd[15986]: Illegal user test from 64.246.20.43
Aug  8 06:48:05 newman sshd[51656]: Illegal user test from 64.151.89.172
Aug  8 06:48:06 newman sshd[51658]: Illegal user guest from 64.151.89.172
Aug  8 06:48:07 newman sshd[51660]: Illegal user admin from 64.151.89.172
Aug  8 06:48:08 newman sshd[51662]: Illegal user admin from 64.151.89.172
Aug  8 06:48:08 newman sshd[51664]: Illegal user user from 64.151.89.172
Aug  8 06:48:12 newman sshd[51672]: Illegal user test from 64.151.89.172
Aug  9 09:33:57 newman sshd[9346]: Illegal user test from 211.241.101.137
Aug  9 09:33:59 newman sshd[9348]: Illegal user guest from 211.241.101.137
Aug  9 09:34:01 newman sshd[9350]: Illegal user admin from 211.241.101.137
Aug  9 09:34:03 newman sshd[9352]: Illegal user admin from 211.241.101.137
Aug  9 09:34:04 newman sshd[9354]: Illegal user user from 211.241.101.137
Aug  9 09:34:13 newman sshd[9362]: Illegal user test from 211.241.101.137
Aug  9 15:54:37 newman sshd[11782]: Illegal user test from 80.64.104.66
Aug  9 15:54:39 newman sshd[11784]: Illegal user guest from 80.64.104.66
Aug  9 15:54:41 newman sshd[11786]: Illegal user admin from 80.64.104.66
Aug  9 15:54:43 newman sshd[11788]: Illegal user admin from 80.64.104.66
Aug  9 15:54:44 newman sshd[11790]: Illegal user user from 80.64.104.66
Aug  9 15:54:51 newman sshd[11798]: Illegal user test from 80.64.104.66
Aug 10 12:24:14 newman sshd[1392]: Illegal user test from 200.155.22.22
Aug 10 12:32:33 newman sshd[11361]: Illegal user test from 200.155.22.22
Aug 10 12:32:35 newman sshd[11364]: Illegal user guest from 200.155.22.22
Aug 10 12:32:37 newman sshd[11370]: Illegal user admin from 200.155.22.22
Aug 10 12:32:40 newman sshd[11372]: Illegal user admin from 200.155.22.22
Aug 10 12:32:42 newman sshd[11375]: Illegal user user from 200.155.22.22
Aug 10 12:32:51 newman sshd[11399]: Illegal user test from 200.155.22.22
Aug 10 20:22:59 newman sshd[1808]: Illegal user test from 63.251.144.88
Aug 16 04:41:53 newman sshd[31175]: Illegal user test from 210.223.178.180
Aug 16 04:41:54 newman sshd[31177]: Illegal user guest from 210.223.178.180
Aug 16 04:41:56 newman sshd[31179]: Illegal user admin from 210.223.178.180
Aug 16 04:41:58 newman sshd[31181]: Illegal user admin from 210.223.178.180
Aug 16 04:42:00 newman sshd[31183]: Illegal user user from 210.223.178.180
Aug 16 04:42:08 newman sshd[31191]: Illegal user test from 210.223.178.180
Aug 17 01:28:42 newman sshd[1507]: Illegal user test from 64.62.182.146
Aug 17 01:28:42 newman sshd[1509]: Illegal user guest from 64.62.182.146
Aug 17 01:28:43 newman sshd[1511]: Illegal user admin from 64.62.182.146
Aug 17 01:28:44 newman sshd[1513]: Illegal user admin from 64.62.182.146
Aug 17 01:28:45 newman sshd[1515]: Illegal user user from 64.62.182.146
Aug 17 01:28:48 newman sshd[1523]: Illegal user test from 64.62.182.146

On Friday 13 August 2004 09:05 am, Sandor Berta wrote:

> Hi all,
> I found similar sequences in the
> /var/auth.log files of freebsd boxes, I supervise.:
> Aug 13 13:56:08 www sshd[26091]: Illegal user test from 165.21.103.20
> Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 165.21.103.20
> Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:18 www sshd[26103]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:21 www sshd[26105]: Illegal user user from 165.21.103.20
> Aug 13 13:56:25 www sshd[26107]: Failed password for root from
> 165.21.103.20 port 39678 ssh2
> Aug 13 13:56:28 www sshd[26109]: Failed password for root from
> 165.21.103.20 port 39760 ssh2
> Aug 13 13:56:32 www sshd[26111]: Failed password for root from
> 165.21.103.20 port 39836 ssh2
> Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
> Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
> Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57
>
> What are these?
>
> bye
> Sandor Berta