Jon, 92.55.82.121 is listed in the Dshield.org database as an attacker 3 times. Possibly from Macedonia.

62.162.164.116 is in a block assigned to Macedonia; it appears 0 times in the Dshield.org database. Considering that both came from Macedonia, one with a hit on Dshield, I would say that yes, it's safe to assume you've been hacked. If you've noticed, there may have been a lot of activity on port 22, with a lot of rejections from the same IP, maybe within a span of 30 minutes. Then there's another IP address that scans the next day with another set of usernames and passwords. That's been pretty standard for about 2 or 3 years now. So I would figure out if they had any access to boxes on that network as well. Putting nologin in /etc/passwd is good, but they may have been going on for a while, and that may not be their only avenue of entry. And when you determine the list of boxes they had entered on your network, reformat them and put a fresh install of software on. And if you did any banking with those boxes, it would be wise to change account passwords, as well as any other account you consider confidential that you accessed from those machines.

--R

On Sun, 2008-08-03 at 11:20 -0400, Jon wrote:
> In the last few weeks I poked a hole through my router to SSH into my box at home from the road.
>
> I was just scrounging thru the auth.log with `grep 'Accepted password for' ./auth.log* | less`
>
> And got this:
>
> ./auth.log.0:Jul 28 12:03:39 nichtscheissen sshd[24906]: Accepted password for jon from 216.155.176.39 port 5873 ssh2
> ./auth.log.0:Jul 28 13:04:40 nichtscheissen sshd[25857]: Accepted password for jon from 216.155.176.39 port 4689 ssh2
> ./auth.log.0:Jul 28 21:41:34 nichtscheissen sshd[1839]: Accepted password for jon from 192.168.1.104 port 40752 ssh2
> ./auth.log.0:Jul 28 21:43:27 nichtscheissen sshd[2138]: Accepted password for jon from 192.168.1.104 port 40755 ssh2
> ./auth.log.0:Jul 28 21:44:07 nichtscheissen sshd[2155]: Accepted password for jon from 192.168.1.104 port 40757 ssh2
> ./auth.log.0:Jul 28 22:01:27 nichtscheissen sshd[2440]: Accepted password for jon from 192.168.1.104 port 43941 ssh2
> ./auth.log.0:Jul 28 22:01:50 nichtscheissen sshd[2452]: Accepted password for jon from 192.168.1.104 port 43942 ssh2
> ./auth.log.0:Jul 28 22:09:36 nichtscheissen sshd[2726]: Accepted password for jon from 192.168.1.104 port 46126 ssh2
> ./auth.log.0:Jul 29 21:17:35 nichtscheissen sshd[18658]: Accepted password for jon from 192.168.1.104 port 42032 ssh2
> ./auth.log.0:Jul 31 08:34:03 nichtscheissen sshd[26223]: Accepted password for jon from 216.155.176.39 port 21045 ssh2
> ./auth.log.0:Jul 31 08:34:09 nichtscheissen sshd[26227]: Accepted password for jon from 216.155.176.39 port 21283 ssh2
> ./auth.log.0:Jul 31 08:38:42 nichtscheissen sshd[26243]: Accepted password for jon from 216.155.176.39 port 20307 ssh2
> ./auth.log.0:Jul 31 08:39:21 nichtscheissen sshd[26257]: Accepted password for jon from 216.155.176.39 port 20229 ssh2
> ./auth.log.0:Jul 31 08:39:44 nichtscheissen sshd[26262]: Accepted password for jon from 216.155.176.39 port 17171 ssh2
> ./auth.log.0:Jul 31 18:13:22 nichtscheissen sshd[6258]: Accepted password for postgres from port 63075 ssh2
> ./auth.log.0:Aug 1 03:20:35 nichtscheissen sshd[11115]: Accepted password for postgres from 62.162.164.116 port 1283 ssh2
> ./auth.log.0:Aug 1 03:31:04 nichtscheissen sshd[11368]: Accepted password for postgres from 62.162.164.116 port 1685 ssh2
> ./auth.log.0:Aug 1 11:04:02 nichtscheissen sshd[18404]: Accepted password for postgres from 62.162.164.116 port 3262 ssh2
> ./auth.log.0:Aug 1 13:41:06 nichtscheissen sshd[20845]: Accepted password for postgres from 92.55.82.121 port 64237 ssh2
>
> The logins for me from the 216 address are kosher. That's me from work.
>
> It's the logins for postgres that concern me.
>
> What I've done so far is changed the postgres user's shell to /usr/sbin/nologin.
>
> Any ideas what's going on here? How concerned should I be about these successful logins?

_______________________________________________
Fwlug mailing list
[email protected]
http://fortwaynelug.org/mailman/listinfo/fwlug_fortwaynelug.org
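The triage Jon did by eye (accepted SSH logins for an account that should never log in, from addresses that are not his) as an added Python example; this is not code from the thread, and the allowlist policy, the `ALLOWED` table and the sample log lines are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the auth.log format quoted in the thread; the third line
# deliberately lacks a source address, as one line in Jon's excerpt does.
SAMPLE_LOG = """\
Jul 28 12:03:39 nichtscheissen sshd[24906]: Accepted password for jon from 216.155.176.39 port 5873 ssh2
Jul 28 21:41:34 nichtscheissen sshd[1839]: Accepted password for jon from 192.168.1.104 port 40752 ssh2
Jul 31 18:13:22 nichtscheissen sshd[6258]: Accepted password for postgres from port 63075 ssh2
Aug  1 03:20:35 nichtscheissen sshd[11115]: Accepted password for postgres from 62.162.164.116 port 1283 ssh2
Aug  1 13:41:06 nichtscheissen sshd[20845]: Accepted password for postgres from 92.55.82.121 port 64237 ssh2
"""

# Assumed policy for this example: accounts allowed to log in over SSH, and from which networks.
# Service accounts such as postgres are deliberately absent, so any login for them is flagged.
ALLOWED = {"jon": [ip_network("192.168.1.0/24"), ip_network("216.155.176.39/32")]}

ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?:(?P<src>\S+) )?port \d+"
)

def parse_accepted(log_text):
    """Return (user, src) for every sshd 'Accepted ...' line; src is None when absent."""
    return [(m["user"], m["src"]) for m in map(ACCEPTED_RE.search, log_text.splitlines()) if m]

def classify(user, src, allowed=ALLOWED):
    """Return None if the login fits policy, otherwise the reason it is suspicious."""
    if user not in allowed:
        return "account should never log in over SSH"
    if src is None:
        return "no source address recorded"
    try:
        addr = ip_address(src)
    except ValueError:
        return "unparseable source address"
    if not any(addr in net for net in allowed[user]):
        return "source outside allowed networks"
    return None

def triage(log_text, allowed=ALLOWED):
    """Count suspicious logins per (user, source, reason); policy-conforming logins are dropped."""
    hits = Counter()
    for user, src in parse_accepted(log_text):
        reason = classify(user, src, allowed)
        if reason:
            hits[(user, src or "<no address>", reason)] += 1
    return dict(hits)
```

Run against the real `auth.log*` files, every non-empty entry in the result is a (user, source) pair to investigate, and the per-source counts show which addresses kept coming back.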
