Hi there,

we found the system that was responsible for the "root" logins, it was our HP SIM server (http://h18013.www1.hp.com/products/servers/management/hpsim/index.html?jumpid=go/hpsim). It might have been a bit overachieving in getting root access to check for whatever. The "spoofed" IP will remain a mystery (to me), I guess, but this might help others who experience a similar issue.

Cheers,
Andre

Kind regards

i.A. André Keller
Informationssysteme Lokaler Betrieb und Support
Volkswagen Original Teile Logistik GmbH und Co. KG
Vertriebszentrum Nord
Am Stammgleis 6
22844 Norderstedt
Tel.: +49 (40) 52200-3211
Fax: +49 40 52200-3209
<http://www.volkswagen-otlg.de>

> -----Original Message-----
> From: Stephen Loeckle [mailto:[email protected]]
> Sent: Thursday, June 16, 2011 16:29
> To: Enterasys Customer Mailing List
> Subject: Re: [enterasys] "root" login on N7
>
> Often when we see odd login attempts using root, it is a bot
> looking for insecure root accounts. Stick a Linux box on the
> internet and in 5 minutes it will get scanned.
>
> However, that's a loopback address. Do you have that IP still
> in your config? Do you have any other 127 addresses in your config?
>
> I suppose it could be spoofed, which is a cause for concern.
> You shouldn't be getting an ssh login attempt from a loopback address.
>
> Stephen
>
> ----- Original Message -----
> From: "Andre Keller ( OTLG )" <[email protected]>
> To: "Enterasys Customer Mailing List" <[email protected]>
> Sent: Thursday, June 16, 2011 7:11:47 AM
> Subject: [enterasys] "root" login on N7
>
> Hi there,
>
> does anyone know if this message should be cause for concern:
> CLI[6]User: root failed login from 127.128.0.4(ssh)
>
> We had this coming up on one of our N7 for a couple of times
> yesterday. The IP 127.128.0.4 is related to OSPF afaik which we
> don't use at all anywhere.
>
> Also, we don't have a "root" user on our N7s.
>
> Any input is appreciated!
>
> Cheers,
>
> i.A. André Keller

---
To unsubscribe from enterasys, send email to [email protected] with the body: unsubscribe enterasys [email protected]
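
The triage discussed in this thread, as an added example that is not part of the original messages: it parses log lines in the shape quoted above, groups failed logins by user and source, and flags loopback-range sources and usernames that do not exist on the device. The sample lines, their syslog prefix, the host name and the `LOCAL_ACCOUNTS` set are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Message shape quoted in the thread:
#   CLI[6]User: root failed login from 127.128.0.4(ssh)
FAILED = re.compile(
    r"CLI\[\d+\]User: (?P<user>\S+) failed login from "
    r"(?P<src>[0-9.]+)\((?P<proto>\w+)\)")

# Assumption: accounts actually configured on the switch (hypothetical).
LOCAL_ACCOUNTS = {"admin", "rw", "ro"}

def classify(src):
    """Return 'loopback', 'private', 'public' or 'invalid' for a source IP."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "invalid"
    if ip.is_loopback:          # all of 127.0.0.0/8, not only 127.0.0.1
        return "loopback"
    return "private" if ip.is_private else "public"

def triage(lines, accounts=LOCAL_ACCOUNTS):
    """Group failed logins by (user, source, protocol) and attach reasons."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            counts[(m["user"], m["src"], m["proto"])] += 1
    findings = []
    for (user, src, proto), n in sorted(counts.items()):
        kind, reasons = classify(src), []
        if kind == "loopback":
            reasons.append("source in 127.0.0.0/8: not routable, look at "
                           "device-internal addressing before assuming spoofing")
        if user not in accounts:
            reasons.append("no such local account: scanner or a management "
                           "tool trying default credentials")
        findings.append({"user": user, "src": src, "proto": proto,
                         "count": n, "source_kind": kind, "reasons": reasons})
    return findings

# Constructed sample input in the format quoted in the thread.
SAMPLE = [
    "<166>Jun 15 10:02:11 n7-core CLI[6]User: root failed login from 127.128.0.4(ssh)",
    "<166>Jun 15 10:07:11 n7-core CLI[6]User: root failed login from 127.128.0.4(ssh)",
    "<166>Jun 15 10:09:40 n7-core CLI[6]User: admin failed login from 10.20.30.40(ssh)",
    "<166>Jun 15 10:12:11 n7-core CLI[6]User: root failed login from 127.128.0.4(ssh)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

A steady count for one user and source pair at regular intervals points to an automated poller such as the management server identified in the thread, rather than an interactive attempt.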
