Hi Jostein,

 

Are you using telnet or ssh to access the box?  Using telnet is not secure
from a public network as the username/password is in clear text.

stig

  _____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jostein Martinsen-Jones
Sent: Monday, February 04, 2008 2:43 AM
To: Dave Strydom
Cc: vyatta-users@mailman.vyatta.com
Subject: Re: [Vyatta-users] Vyatta box hacked?

 

Yup, I think I have an intruder; the IP 202.172.171.217 isn't known to me
at all.
I am the only one who knows the root password, and I have not logged in
at the times that last is showing.

root     pts/0        202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
root     pts/0        202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
root     pts/0        202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
root     pts/0        202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)

How did this happen?
I changed all the passwords on install to 8 characters long, using numbers
and letters.
This is from my old config; is plaintext-password supposed to be blank?

# show system login
    user root {
        authentication {
            encrypted-password: "$1$nZxxxxxxsgXC/"
            plaintext-password: ""
        }
    }
    user vyatta {
        authentication {
            encrypted-password: "$1$yyyyyyyyyyyt0/"
            plaintext-password: ""
        }
    }

2008/2/4, Dave Strydom <[EMAIL PROTECTED]>:

Login to your router as root and run:

# last | more

and see if there are any logins to your machine which you do not
recognize.



On Feb 4, 2008 12:05 PM, Jostein Martinsen-Jones <[EMAIL PROTECTED]> wrote:
> I got mail from another Linux user today. He complained about login attempts
> to his boxes, from my Vyatta router!
> Am I haxored or what? This is from his log, and the "ip" 12.34.56.78 is my
> router.
>
> Feb  2 18:11:39 88.191.40.120 sshd[30444]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78 user=root
> Feb  2 18:11:40 88.191.40.120 sshd[30444]: Failed password for invalid user root from 12.34.56.78 port 42492 ssh2
> Feb  2 18:11:46 88.191.40.120 sshd[30450]: User root from 12.34.56.78 not allowed because not listed in AllowUsers
> Feb  2 18:11:46 88.191.40.120 sshd[30450]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78 user=root
> Feb  2 18:11:48 88.191.40.120 sshd[30450]: Failed password for invalid user root from 12.34.56.78 port 42926 ssh2
> Feb  2 18:11:54 88.191.40.120 sshd[30456]: User root from 12.34.56.78 not allowed because not listed in AllowUsers
> Feb  2 18:11:54 88.191.40.120 sshd[30456]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78 user=root
> Feb  2 18:11:56 88.191.40.120 sshd[30456]: Failed password for invalid user root from 12.34.56.78 port 43408 ssh2
> Feb  2 18:11:56 88.191.40.120 sshd[30494]: refused connect from 12.34.56.78 (12.34.56.78)
> _______________________________________________
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
>
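The check suggested in the thread (reading `last` for logins you do not recognize), as an added example that is not part of the original messages: it parses `last` output and totals completed remote sessions per source address that is not on an allowlist. The function name, the allowlist, and the two constructed sample lines are assumptions; it expects numeric IPv4 sources (as `last -i` prints) and ignores sessions that are still open.

```python
import re
from collections import defaultdict

# The first four lines are the `last` output quoted in the thread; the last two
# are constructed (a documentation-range address and a local console login).
SAMPLE_LAST = """\
root     pts/0        202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
root     pts/0        202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
root     pts/0        202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
root     pts/0        202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)
vyatta   pts/1        192.0.2.10       Thu Jan 31 09:00 - 09:30  (00:30)
root     tty1                          Wed Jan 30 08:00 - 08:05  (00:05)
"""

# user, tty, optional IPv4 source, login time, closing (HH:MM) or (D+HH:MM) duration.
LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3})?\s*"
    r"(?P<when>\w{3} \w{3} [ \d]\d \d\d:\d\d) .*"
    r"\((?:(?P<d>\d+)\+)?(?P<h>\d\d):(?P<m>\d\d)\)\s*$"
)

def unknown_logins(last_output, known_sources):
    """Group completed remote sessions by source address not in known_sources."""
    report = defaultdict(lambda: {"users": set(), "sessions": 0, "minutes": 0})
    for line in last_output.splitlines():
        m = LINE.match(line)
        if not m or not m["host"] or m["host"] in known_sources:
            continue  # unparsed, local console, or an address the admin recognises
        entry = report[m["host"]]
        entry["users"].add(m["user"])
        entry["sessions"] += 1
        entry["minutes"] += (int(m["d"] or 0) * 24 + int(m["h"])) * 60 + int(m["m"])
    return dict(report)

if __name__ == "__main__":
    # 192.0.2.10 stands in for the administrator's own address (assumption).
    for host, e in unknown_logins(SAMPLE_LAST, {"192.0.2.10"}).items():
        print(f"{host}: {e['sessions']} sessions, {e['minutes']} min, "
              f"users={sorted(e['users'])}")
```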