Re: [Vyatta-users] Vyatta box hacked?
Jupp, I think I have an intruder, the IP 202.172.171.217 isn't known to me at all. I am the only one knowing the root password, and I have not logged in those times that last is showing.

root     pts/0        202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
root     pts/0        202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
root     pts/0        202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
root     pts/0        202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)

How did this happen? I changed all the passwords on install to 8 characters long, using numbers and letters.
This is from my old config, is plaintext-password supposed to be blank?

# show system login
user root {
    authentication {
        encrypted-password: $1$nZxxsgXC/
        plaintext-password:
    }
}
user vyatta {
    authentication {
        encrypted-password: $1$yyyt0/
        plaintext-password:
    }
}

2008/2/4, Dave Strydom [EMAIL PROTECTED]:
> Login to your router as root and run:
>
> # last | more
>
> and see if there are any logins to your machine which you do not recognize.
>
> On Feb 4, 2008 12:05 PM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote:
> > I got mail from another linux user today. He complained about login
> > attempts to his boxes, from my vyatta router! Am I haxored or what?
> > This is from his log and the IP 12.34.56.78 is my router.
> >
> > Feb 2 18:11:39 88.191.40.120 sshd[30444]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78 user=root
> > Feb 2 18:11:40 88.191.40.120 sshd[30444]: Failed password for invalid user root from 12.34.56.78 port 42492 ssh2
> > Feb 2 18:11:46 88.191.40.120 sshd[30450]: User root from 12.34.56.78 not allowed because not listed in AllowUsers
> > Feb 2 18:11:46 88.191.40.120 sshd[30450]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78 user=root
> > Feb 2 18:11:48 88.191.40.120 sshd[30450]: Failed password for invalid user root from 12.34.56.78 port 42926 ssh2
> > Feb 2 18:11:54 88.191.40.120 sshd[30456]: User root from 12.34.56.78 not allowed because not listed in AllowUsers
> > Feb 2 18:11:54 88.191.40.120 sshd[30456]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78 user=root
> > Feb 2 18:11:56 88.191.40.120 sshd[30456]: Failed password for invalid user root from 12.34.56.78 port 43408 ssh2
> > Feb 2 18:11:56 88.191.40.120 sshd[30494]: refused connect from 12.34.56.78 (12.34.56.78)

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
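Added example (not part of the original message): a shell function that applies the `last` check suggested above by flagging remote sessions whose source address is not on a list of known addresses. The sample input reuses the four sessions quoted in this message with column spacing restored; the `192.0.2.10` address, the console, reboot and trailer lines, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: triage `last` output for remote logins
# from sources that are not on a list of known addresses.

# unknown_logins KNOWN_ADDR...
# Reads `last`-style lines on stdin and prints one line per (user, source)
# pair whose source is not listed: session count and total reported minutes.
unknown_logins() {
    awk -v known="$*" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        # Skip blank lines, reboot records and the "wtmp begins" trailer.
        NF < 4 || $1 == "reboot" || $1 == "wtmp" { next }
        # Console logins have no host column, so field 3 is the weekday.
        $3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { next }
        ($3 in ok) { next }
        {
            key = $1 " " $3
            count[key]++
            d = $NF        # "(HH:MM)" or "(D+HH:MM)"; absent while still logged in
            if (d ~ /^\(([0-9]+\+)?[0-9]+:[0-9]+\)$/) {
                gsub(/[()]/, "", d)
                days = 0
                if (index(d, "+")) { split(d, p, "+"); days = p[1]; d = p[2] }
                split(d, hm, ":")
                mins[key] += days * 1440 + hm[1] * 60 + hm[2]
            }
        }
        END {
            for (key in count)
                printf "%s sessions=%d minutes=%d\n", key, count[key], mins[key]
        }
    ' | sort
}

# Sample input: the first four lines are the sessions quoted in the message;
# everything after them is constructed.
sample_last() {
    cat <<'EOF'
root     pts/0        202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
root     pts/0        202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
root     pts/0        202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
root     pts/0        202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)
vyatta   pts/1        192.0.2.10       Thu Jan 31 20:02 - 20:40  (00:38)
root     tty1                          Thu Jan 31 19:55 - 20:01  (00:05)
reboot   system boot  2.6.20           Thu Jan 31 19:54          (3+11:44)

wtmp begins Thu Jan 31 19:54:12 2008
EOF
}

# Treat 192.0.2.10 as the administrator's own address.
sample_last | unknown_logins 192.0.2.10
```

On a live system the input would be `last -i`, which prints addresses instead of resolved host names.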
Re: [Vyatta-users] Vyatta box hacked?
Hi

I am only using ssh. Is it possible to have rsa-keys for all users, including vyatta?
Maybe the attackers managed to brute force my password? This is very annoying since I have to reinstall the machine tomorrow and don't know what went wrong. Haven't had time to check the logs either.
How does the user configuration look for you other guys and girls?

2008/2/4, Stig Thormodsrud [EMAIL PROTECTED]:
> Hi Jostein,
>
> Are you using telnet or ssh to access the box? Using telnet is not
> secure from a public network as the username/password is in clear text.
>
> stig
Re: [Vyatta-users] Vyatta box hacked?
As far as I could tell, you can't set up key-only auth in the CLI. If you drop an authorized_keys file into each user's ~/.ssh directory, and set PasswordAuthentication=no in sshd.conf you will enable key-only auth.

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
404.478.2790
Support: [EMAIL PROTECTED]
www.sheltonjohns.com

On Feb 4, 2008, at 2:00 PM, Jostein Martinsen-Jones wrote:
> Yes, I did change the root password asap!
> I would much like to see a configuration snippet on how to use rsa-keys.
> Can I use several rsa-keys so I can login as different users?
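Added example (not from the thread or the Vyatta project): one way to carry out the steps described in this message from the Linux shell, followed by a check of the resulting sshd configuration. The function names, key string and scratch paths are constructed; OpenSSH's server file is normally /etc/ssh/sshd_config, and the check also reads ChallengeResponseAuthentication because, with PAM in use, keyboard-interactive login can still accept a password after PasswordAuthentication is set to no.

```shell
#!/bin/sh
# Added example, not from the thread. Every path is an argument, so the
# functions can be tried on a scratch directory before touching a real box.

# install_key HOME_DIR PUBKEY_LINE
# Append one public key to HOME_DIR/.ssh/authorized_keys, creating both with
# owner-only modes, which satisfy sshd's StrictModes check. Runs in a
# subshell so the umask change does not leak. When run as root for another
# account, chown the .ssh directory to that user afterwards.
install_key() (
    umask 077
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh" || exit 1
    touch "$1/.ssh/authorized_keys" && chmod 600 "$1/.ssh/authorized_keys" || exit 1
    grep -qxF -- "$2" "$1/.ssh/authorized_keys" ||
        printf '%s\n' "$2" >> "$1/.ssh/authorized_keys"
)

# effective_setting CONFIG KEYWORD DEFAULT
# Print the value sshd would use for KEYWORD from the global section of
# CONFIG: keywords are case-insensitive, the first occurrence wins, and
# "Keyword=value" is accepted as well as "Keyword value". Parsing stops at
# the first Match block, so per-user overrides are not evaluated.
effective_setting() {
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want); val = def }
        /^[ \t]*#/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == want { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# key_only CONFIG
# Return 0 only if both password-style methods are switched off. An unset
# keyword is treated as enabled (a conservative assumption of this example).
key_only() {
    cfg=$1 rc=0
    for kw in PasswordAuthentication ChallengeResponseAuthentication; do
        v=$(effective_setting "$cfg" "$kw" yes)
        if [ "$v" != no ]; then
            echo "FAIL $kw=$v (password-style login still possible)"
            rc=1
        else
            echo "ok   $kw=no"
        fi
    done
    return $rc
}

# Demonstration on constructed files in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    install_key "$d/home/vyatta" "ssh-rsa AAAAB3CONSTRUCTEDKEY vyatta@example"
    # Only the setting named in the message:
    printf 'PasswordAuthentication=no\n' > "$d/thread_only"
    # The same with keyboard-interactive switched off as well:
    printf 'PasswordAuthentication no\nChallengeResponseAuthentication no\n' > "$d/strict"
    key_only "$d/thread_only" || true
    key_only "$d/strict"
    rm -rf "$d"
}
demo
```

Validate the edited file with `sshd -t` and keep an existing session open while restarting sshd, so a mistake does not lock out the only administrative login.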
Re: [Vyatta-users] Vyatta box hacked?
Yup you can have a key for each user.
Take a look at: http://suso.org/docs/shell/ssh.sdf

Nate

On Mon, 2008-02-04 at 20:00 +0100, Jostein Martinsen-Jones wrote:
> Yes, I did change the root password asap!
> I would much like to see a configuration snippet on how to use rsa-keys.
> Can I use several rsa-keys so I can login as different users?
Re: [Vyatta-users] Vyatta box hacked?
Yes, I did change the root password asap!
I would much like to see a configuration snippet on how to use rsa-keys.
Can I use several rsa-keys so I can login as different users?

2008/2/4, Nathan McBride [EMAIL PROTECTED]:
> Yup sure is. I have setup my vyatta router to only allow rsa keys.
> Did you change your root password from 'vyatta'?
>
> Nate
Re: [Vyatta-users] Vyatta box hacked?
Yup sure is. I have setup my vyatta router to only allow rsa keys.
Did you change your root password from 'vyatta'?

Nate

On Mon, 2008-02-04 at 18:13 +0100, Jostein Martinsen-Jones wrote:
> Hi
>
> I am only using ssh. Is it possible to have rsa-keys for all users,
> including vyatta?
> Maybe the attackers managed to brute force my password? This is very
> annoying since I have to reinstall the machine tomorrow and don't know
> what went wrong. Haven't had time to check the logs either.
> How does the user configuration look for you other guys and girls?
Re: [Vyatta-users] Vyatta box hacked?
No problemo, will do. I'm still annoyed that someone managed to get in.
Maybe tripwire would be nice on the box?

2008/2/4, Nathan McBride [EMAIL PROTECTED]:
> Correct, you have to drop down to the linux cli, not vyatta's.
>
> On Mon, 2008-02-04 at 14:08 -0500, Aubrey Wells wrote:
> > As far as I could tell, you can't set up key-only auth in the CLI. If
> > you drop an authorized_keys file into each user's ~/.ssh directory,
> > and set PasswordAuthentication=no in sshd.conf you will enable
> > key-only auth.
> >
> > --
> > Aubrey Wells
> > Senior Engineer
> > Shelton | Johns Technology Group
> > 404.478.2790
> > Support: [EMAIL PROTECTED]
> > www.sheltonjohns.com
Re: [Vyatta-users] Vyatta box hacked?
Hi Jostein,

Are you using telnet or ssh to access the box? Using telnet is not secure from a public network as the username/password is in clear text.

stig

__
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jostein Martinsen-Jones
Sent: Monday, February 04, 2008 2:43 AM
To: Dave Strydom
Cc: vyatta-users@mailman.vyatta.com
Subject: Re: [Vyatta-users] Vyatta box hacked?

> Jupp, I think I have an intruder, the IP 202.172.171.217 isn't known to
> me at all. I am the only one knowing the root password, and I have not
> logged in those times that last is showing.
>
> root     pts/0        202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
> root     pts/0        202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
> root     pts/0        202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
> root     pts/0        202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)
>
> How did this happen? I changed all the passwords on install to 8
> characters long, using numbers and letters.
> This is from my old config, is plaintext-password supposed to be blank?
>
> # show system login
> user root {
>     authentication {
>         encrypted-password: $1$nZxxsgXC/
>         plaintext-password:
>     }
> }
> user vyatta {
>     authentication {
>         encrypted-password: $1$yyyt0/
>         plaintext-password:
>     }
> }