SV: Breakin attempt
Probably a bunch of bots. Not very intelligently used. Really messed up my logfiles.
I was a bit curious if the purpose was just that, to mask some more clever real attacks, but haven't seen any signs of such.
I changed my ssh port, just to reduce the noise, and it all ceased.

/Hasse

-Original message-
From: William Myers [mailto:my...@crusader.bac.edu]
Sent: 25 October 2011 00:08
To: Admin ValhallaProjectet
Cc: freebsd-questions@freebsd.org
Subject: Re: Breakin attempt

I'm seeing the same thing from the same IP addresses.

William Myers
Associate Professor, Computer Studies
100 Belmont-Mount Holly Road
Belmont Abbey College
Belmont, NC 28012-1802
(704) 461-6823
FAX: (704) 461-5051
my...@crusader.bac.edu

On Sat, 22 Oct 2011, Admin ValhallaProjectet wrote:

> Hello all
>
> FreeBSD odin.thorshammare.org 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Oct 22 10:14:48 CEST 2011 ha...@odin.thorshammare.org:/usr/obj/usr/src/sys/ODIN i386
>
> Firewall PF.
> Blocking China and some other related countries in that region.
> Disabled ssh root logins
>
> Apparently, I'm under some kind of attack, for the last 3 days.
> Lots of attempts to ssh in as root from many different IP addresses.
> No bruteforce attempts.
> This just puzzles me. Using all these resources? To achieve what?
> Below is a one hour snip from my auth.log
> Nothing unusual in pflog
> Appreciate all ideas of how to proceed with this matter.
>
> Best regards Hasse
>
> Oct 22 12:00:19 odin sshd[14359]: error: PAM: authentication error for root from server.fabian.cz
> Oct 22 12:01:08 odin sshd[14365]: Address 87.105.187.194 maps to client-arsmedica-2.wroclaw.dialog.net.pl, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Breakin attempt
Hello all

FreeBSD odin.thorshammare.org 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Oct 22 10:14:48 CEST 2011 ha...@odin.thorshammare.org:/usr/obj/usr/src/sys/ODIN i386

Firewall PF.
Blocking China and some other related countries in that region.
Disabled ssh root logins

Apparently, I'm under some kind of attack, for the last 3 days.
Lots of attempts to ssh in as root from many different IP addresses.
No bruteforce attempts.
This just puzzles me. Using all these resources? To achieve what?
Below is a one hour snip from my auth.log
Nothing unusual in pflog
Appreciate all ideas of how to proceed with this matter.

Best regards Hasse

Oct 22 12:00:19 odin sshd[14359]: error: PAM: authentication error for root from server.fabian.cz
Oct 22 12:01:08 odin sshd[14365]: Address 87.105.187.194 maps to client-arsmedica-2.wroclaw.dialog.net.pl, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 12:01:09 odin sshd[14365]: error: PAM: authentication error for root from 87.105.187.194
Oct 22 12:02:59 odin sshd[14422]: error: PAM: authentication error for root from 87.229.7.163
Oct 22 12:03:36 odin sshd[14865]: error: PAM: authentication error for root from 201.25.53.34
Oct 22 12:03:53 odin sshd[15571]: error: PAM: authentication error for root from 109.237.210.147
Oct 22 12:05:18 odin sshd[18357]: error: PAM: authentication error for root from 12.222.202.34
Oct 22 12:05:36 odin sshd[18375]: error: PAM: authentication error for root from mx.aysor.am
Oct 22 12:05:53 odin sshd[18537]: error: PAM: authentication error for root from 190.129.11.76
Oct 22 12:07:06 odin sshd[19429]: Address 80.188.13.214 maps to www.profitaxi.cz, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 12:07:06 odin sshd[19429]: error: PAM: authentication error for root from 80.188.13.214
Oct 22 12:07:27 odin sshd[19542]: error: PAM: authentication error for root from 85.185.180.48
Oct 22 12:08:05 odin sshd[19591]: error: PAM: authentication error for root from 208.125.137.121
Oct 22 12:09:45 odin sshd[19629]: error: PAM: authentication error for root from 83.14.240.10
Oct 22 12:10:53 odin sshd[19699]: error: PAM: authentication error for root from 200.160.121.246
Oct 22 12:10:59 odin sshd[19702]: error: PAM: authentication error for root from 151.1.183.216
Oct 22 12:11:38 odin sshd[19787]: error: PAM: authentication error for root from crm.nepinc.com
Oct 22 12:12:16 odin sshd[19830]: error: PAM: authentication error for root from 189.16.12.146
Oct 22 12:12:45 odin sshd[19843]: error: PAM: authentication error for root from narro.uaaan.mx
Oct 22 12:14:14 odin sshd[19913]: error: PAM: authentication error for root from 217.128.151.181
Oct 22 12:14:56 odin sshd[19925]: reverse mapping checking getaddrinfo for panda.zsuvoz.cz [195.178.81.116] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 12:14:56 odin sshd[19925]: error: PAM: authentication error for root from 195.178.81.116
Oct 22 12:16:14 odin sshd[19995]: error: PAM: authentication error for root from 87.193.246.26
Oct 22 12:16:23 odin sshd[20008]: error: PAM: authentication error for root from 219.94.144.230
Oct 22 12:16:39 odin sshd[20026]: error: PAM: authentication error for root from 82.130.143.216
Oct 22 12:17:41 odin sshd[20073]: error: PAM: authentication error for root from 87.193.246.26
Oct 22 12:17:52 odin sshd[20102]: error: PAM: authentication error for root from 82.130.143.216
Oct 22 12:21:16 odin sshd[20268]: error: PAM: authentication error for root from 203.141.158.120
Oct 22 12:21:34 odin sshd[20286]: error: PAM: authentication error for root from 208.125.137.121
Oct 22 12:22:05 odin sshd[20326]: reverse mapping checking getaddrinfo for 86-100-134-185-ip.balticum.lt [86.100.134.185] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 12:22:05 odin sshd[20326]: error: PAM: authentication error for root from 86.100.134.185
Oct 22 12:22:22 odin sshd[20339]: error: PAM: authentication error for root from 201.232.69.113
Oct 22 12:23:35 odin sshd[20428]: error: PAM: authentication error for root from 87.229.7.163
Oct 22 12:23:58 odin sshd[20486]: error: PAM: authentication error for root from 65.161.248.26
Oct 22 12:24:39 odin sshd[20605]: error: PAM: authentication error for root from 210.238.91.147
Oct 22 12:25:08 odin sshd[21400]: error: PAM: authentication error for root from 12.222.202.34
Oct 22 12:26:08 odin sshd[23744]: error: PAM: authentication error for root from zodiaq3d.info
Oct 22 12:26:56 odin sshd[23747]: error: PAM: authentication error for root from mx.cbc-group.kz
Oct 22 12:30:26 odin sshd[23752]: error: PAM: authentication error for root from 190.152.145.53
Oct 22 12:30:54 odin sshd[23757]: error: PAM: authentication error for root from 80.24.95.85
Oct 22 12:30:59 odin sshd[23759]: error: PAM: authentication error for root from 200.183.172.2
Oct 22 12:31:13 odin sshd[23755]: error: PAM: authentication error for root from starless.com.pl
Oct 22 12:31:38 odin sshd[23
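
Added example, not part of the original thread: a small auth.log triage script showing why the pattern in the posted log does not look like brute force when counted per source address, yet stands out when failures are counted per target account. The window and both thresholds are illustrative assumptions; the sample lines are an excerpt of the log posted above.

```python
import re
from datetime import datetime, timedelta

# Excerpt of the auth.log lines posted above (syslog has no year; 2011 taken from the post).
SAMPLE = """\
Oct 22 12:00:19 odin sshd[14359]: error: PAM: authentication error for root from server.fabian.cz
Oct 22 12:01:08 odin sshd[14365]: Address 87.105.187.194 maps to client-arsmedica-2.wroclaw.dialog.net.pl, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 12:01:09 odin sshd[14365]: error: PAM: authentication error for root from 87.105.187.194
Oct 22 12:02:59 odin sshd[14422]: error: PAM: authentication error for root from 87.229.7.163
Oct 22 12:03:36 odin sshd[14865]: error: PAM: authentication error for root from 201.25.53.34
Oct 22 12:03:53 odin sshd[15571]: error: PAM: authentication error for root from 109.237.210.147
Oct 22 12:16:14 odin sshd[19995]: error: PAM: authentication error for root from 87.193.246.26
Oct 22 12:17:41 odin sshd[20073]: error: PAM: authentication error for root from 87.193.246.26
"""

# Matches only the PAM failure form seen in the post; other sshd messages are skipped.
FAIL = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: error: PAM: "
                  r"authentication error for (\S+) from (\S+)$")

def parse(text, year=2011):
    """Yield (timestamp, user, source) for each PAM failure line."""
    for line in text.splitlines():
        m = FAIL.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def max_in_window(times, window):
    """Largest number of events that fall inside any sliding window."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def summarize(text, window=timedelta(minutes=10), per_source_limit=3, per_user_limit=5):
    # Limits are assumed values for illustration, not settings from the thread.
    by_source, by_user = {}, {}
    for ts, user, src in parse(text):
        by_source.setdefault(src, []).append(ts)
        by_user.setdefault(user, []).append(ts)
    def hits(groups, limit):
        return sorted(k for k, t in groups.items() if max_in_window(t, window) >= limit)
    return {"failures": sum(map(len, by_source.values())),
            "distinct_sources": len(by_source),
            "per_source_alerts": hits(by_source, per_source_limit),
            "per_user_alerts": hits(by_user, per_user_limit)}
```

On the excerpt no single source reaches the per-source limit, while the root account crosses the per-account limit within minutes. sshd logs a resolved hostname for some sources and a bare address for others, so the distinct-source count is an upper bound.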