--- Ralph Shumaker <[EMAIL PROTECTED]> wrote:

> I just now noticed that root has mail.  And it goes back several months, 
> even back to before I switched to DSL when I was still on dialup.
> 
> Apparently, even way back then, there were attempts to log into my 
> system.  There are a multitude of attempts via SSHD (sshd has recently 
> been shut off when I saw network activity when there should have been none):
>  sshd:
>     Authentication Failures:
>        unknown (webservices.trest.com): 324 Time(s)
>        root (webservices.trest.com): 34 Time(s)
>        apache (webservices.trest.com): 10 Time(s)
>        adm (webservices.trest.com): 9 Time(s)
>        ftp (webservices.trest.com): 9 Time(s)
>        mail (webservices.trest.com): 7 Time(s)
>     Invalid Users:
>        Unknown Account: 324 Time(s)

Yes, this is a common brute-force attack.  Script kiddies start programs to
look at IP address ranges in hopes of finding a machine that has SSH open on
port 22 (and probably a number of common alternates) and try combinations of
users and passwords hoping for a weak one that will let them into your system. 
If you look at /var/log/secure* you will usually see one line for each attempt
that logwatch has summarized for you here.  The "unknown" refers to a user that
is not on your system.

The suggestion of using iptables to drop connections after three or four
failures and block traffic from that IP is usually the way to go.  Naturally,
if you can stop using SSH that is best.  You normally only see this if the
machine is connected directly to the cable or DSL modem with a public IP
address.  Do you need to do this for some reason?  Why don't you have a
hardware router / firewall which blocks all incoming ports?

There are many things which can occur when someone does get in.  It is hard to
trace them all.  However, one tool can be downloaded from
http://www.chkrootkit.org.  Using it involves

1) grabbing the *.tar.gz file (I like to use wget if available)
2) extracting the archive (tar xvzf *.tar.gz)
3) entering the extracted directory
4) reading the instructions (which tell you to use the command "make sense") to
compile the code
5) executing the Bash script with ./chkrootkit

Whenever you run this, it's best to get a fresh copy which looks for new
rootkits, trojans, etc., that may have been discovered since the last time you
grabbed a copy.

There will be a lot of output which shows what is being scanned and the
results.  Most of the time it will be benign.  There is a false positive with
directory names which begin with a dot as "suspicious".  Look over the list to
be sure they are normal.

If any problems are found, disconnect the network cable and reinstall the OS. 
It's the only way.

James

-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-newbie
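As an added illustration of the logwatch summary and the drop-after-N-failures advice above (this is example code, not from the thread or from logwatch), the script below parses sshd "Failed password" lines in the /var/log/secure format, counts failures per user and per source address the way the summary does (with "unknown" for users that do not exist), and prints an iptables DROP rule for any address over a threshold. The log lines are constructed samples using documentation addresses; the threshold of four is taken from the message.

```python
import re
from collections import Counter

# Constructed sample lines in the format sshd writes to /var/log/secure.
SAMPLE_LOG = """\
Jan 12 03:14:15 box sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Jan 12 03:14:17 box sshd[2201]: Failed password for invalid user test from 203.0.113.5 port 40212 ssh2
Jan 12 03:14:19 box sshd[2203]: Failed password for root from 203.0.113.5 port 40214 ssh2
Jan 12 03:14:21 box sshd[2205]: Failed password for apache from 203.0.113.5 port 40216 ssh2
Jan 12 03:20:02 box sshd[2310]: Failed password for jim from 198.51.100.7 port 51000 ssh2
Jan 12 03:20:40 box sshd[2312]: Accepted password for jim from 198.51.100.7 port 51001 ssh2
"""

# "invalid user" is how sshd marks an account that does not exist on the system.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text):
    """Yield (user, ip) per failed login; 'unknown' stands in for nonexistent users."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user = "unknown" if m.group("invalid") else m.group("user")
            yield user, m.group("ip")

def summarize(log_text):
    """logwatch-style counts: failures per (user, ip) and per source ip."""
    by_user, by_ip = Counter(), Counter()
    for user, ip in parse_failures(log_text):
        by_user[(user, ip)] += 1
        by_ip[ip] += 1
    return by_user, by_ip

def offenders(log_text, threshold=4):
    """Source addresses with at least `threshold` failures, sorted."""
    _, by_ip = summarize(log_text)
    return sorted(ip for ip, n in by_ip.items() if n >= threshold)

def drop_rule(ip):
    """iptables rule that drops all further traffic from a brute-forcing host."""
    return f"iptables -I INPUT -s {ip} -j DROP"

if __name__ == "__main__":
    by_user, _ = summarize(SAMPLE_LOG)
    for (user, ip), n in sorted(by_user.items()):
        print(f"{user} ({ip}): {n} Time(s)")
    for ip in offenders(SAMPLE_LOG):
        print(drop_rule(ip))
```

Run it against a real /var/log/secure by reading the file into `summarize` instead of `SAMPLE_LOG`; review the rules it prints before applying any of them.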
