Yep, I think I have an intruder; the IP 202.172.171.217 isn't known to me
at all.
I am the only one who knows the root password, and I have not logged in at
the times that last is showing.

root     pts/0        202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
root     pts/0        202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
root     pts/0        202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
root     pts/0        202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)

How did this happen?
I changed all the passwords on install to 8 characters long, using numbers
and letters.
This is from my old config; is plaintext-password supposed to be blank?

# show system login
    user root {
        authentication {
            encrypted-password: "$1$nZxxxxxxsgXC/"
            plaintext-password: ""
        }
    }
    user vyatta {
        authentication {
            encrypted-password: "$1$yyyyyyyyyyyt0/"
            plaintext-password: ""
        }
    }

2008/2/4, Dave Strydom <[EMAIL PROTECTED]>:
>
> Login to your router as root and run:
>
> # last | more
>
> and see if there are any logins to your machine which you do not
> recognize.
>
>
>
> On Feb 4, 2008 12:05 PM, Jostein Martinsen-Jones <[EMAIL PROTECTED]>
> wrote:
> > I got mail from another Linux user today. He complained about login
> > attempts to his boxes, from my Vyatta router!
> > Am I haxored or what? This is from his log, and the "ip" 12.34.56.78 is
> > my router.
> >
> > Feb  2 18:11:39 88.191.40.120 sshd[30444]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
> > Feb  2 18:11:40 88.191.40.120 sshd[30444]: Failed password for invalid user root from 12.34.56.78 port 42492 ssh2
> > Feb  2 18:11:46 88.191.40.120 sshd[30450]: User root from 12.34.56.78 not allowed because not listed in AllowUsers
> > Feb  2 18:11:46 88.191.40.120 sshd[30450]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
> > Feb  2 18:11:48 88.191.40.120 sshd[30450]: Failed password for invalid user root from 12.34.56.78 port 42926 ssh2
> > Feb  2 18:11:54 88.191.40.120 sshd[30456]: User root from 12.34.56.78 not allowed because not listed in AllowUsers
> > Feb  2 18:11:54 88.191.40.120 sshd[30456]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
> > Feb  2 18:11:56 88.191.40.120 sshd[30456]: Failed password for invalid user root from 12.34.56.78 port 43408 ssh2
> > Feb  2 18:11:56 88.191.40.120 sshd[30494]: refused connect from 12.34.56.78 (12.34.56.78)
> > _______________________________________________
> > Vyatta-users mailing list
> > Vyatta-users@mailman.vyatta.com
> > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
> >
> >
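An added example, not part of the original thread: the `last` check suggested in the quoted reply, done as a script that groups root sessions by source address and drops the ones on an allowlist. The function names, the `known_hosts` allowlist and the sample lines marked as constructed are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Session line layout in `last` output, as in the message above:
#   user  tty  host  Day Mon DD HH:MM - HH:MM  (HH:MM)
# An open session ends in "still logged in" instead of the end time and duration.
LAST_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<start>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2})\s+"
    r"(?:- \d{2}:\d{2}\s+\((?:(?P<days>\d+)\+)?(?P<h>\d{2}):(?P<m>\d{2})\)"
    r"|(?P<open>still logged in))"
)

# The first four lines are the ones posted above; the last three are constructed.
SAMPLE = """\
root     pts/0        202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
root     pts/0        202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
root     pts/0        202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
root     pts/0        202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)
root     pts/1        192.0.2.10       Mon Feb  4 09:00   still logged in
vyatta   pts/2        198.51.100.7     Thu Jan 31 10:00 - 10:20  (00:20)
wtmp begins Thu Jan 31 09:55:00 2008
"""

def parse_last(text):
    """Yield a dict per remote session; lines without an IPv4 source are skipped."""
    for line in text.splitlines():
        m = LAST_LINE.match(line.strip())
        if not m:
            continue
        minutes = None  # unknown while the session is still open
        if not m["open"]:
            minutes = (int(m["days"] or 0) * 24 + int(m["h"])) * 60 + int(m["m"])
        yield {"user": m["user"], "host": m["host"],
               "start": m["start"], "minutes": minutes}

def unknown_logins(text, known_hosts, users=("root",)):
    """Map each unrecognized source host to the watched users' sessions from it."""
    found = defaultdict(list)
    for s in parse_last(text):
        if s["user"] in users and s["host"] not in known_hosts:
            found[s["host"]].append(s)
    return dict(found)

if __name__ == "__main__":
    hits = unknown_logins(SAMPLE, known_hosts={"192.0.2.10"})  # assumed admin host
    for host, sessions in hits.items():
        total = sum(s["minutes"] or 0 for s in sessions)
        print(f"{host}: {len(sessions)} sessions, {total} min, first {sessions[-1]['start']}")
```

`last` lists the newest session first, so the final entry in each group is the earliest login still recorded in wtmp from that address.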