A legend dies: the first rootkit on this forum...

The community meeting place to compare notes and discuss news from the world of computing, Ubuntu and everything related to it: news, gossip and more.
steff
Global Moderator
Posts: 40358
Joined: Sunday 18 February 2007, 19:48
Desktop: LXQt+labwc
Distribution: Arch; Debian; Ubuntu Server
Gender: Male
Location: Tuscany

Re: A legend dies: the first rootkit on this forum...

Post by steff »

OK, the use of sudo -s|-i|su has been cleared up, and so has the reason why the root account should not be enabled; can we get back to the rootkit and drop the personal jabs?

The question now is "how did this user pick it up?" Because, according to his own statements, he had neither an SSH server nor a root account.
Did you make a backup today? Yesterday?? When???
The Documentation to consult and the FAQ on using the forum
Systems: LXQt - simple, modular and configurable + *ubuntu in VBox
zeek
Emerging Enthusiast
Posts: 1331
Joined: Sunday 19 October 2008, 18:37
Location: Italy

Re: A legend dies: the first rootkit on this forum...

Post by zeek »

(honestly, the whole sudo-or-not discussion still doesn't convince me, but whatever)

Right, exactly, that's the right question; except that, from what he said, if I'm not mistaken, the rootkit would have to be in the Ubuntu repos and, while that's not impossible, I imagine we would have noticed, since this particular rootkit isn't exactly a champion of camouflage... so I don't know.
Imagine all the people sharing all the world!
... I wonder if you can.
marlboro
Crackling Follower
Posts: 376
Joined: Tuesday 22 April 2014, 13:17
Desktop: mate
Distribution: UbuNtu 16.04

Re: A legend dies: the first rootkit on this forum...

Post by marlboro »

I looked at the logs on the PC and on the server... I have to say both are full of SSH login attempts with the username root... luckily, so far they've always got the password wrong, but I noticed they don't only try the root user, I've also seen admin or nagios... dunno, I'm no expert, but I think they really are trying... assuming it's the same people trying...

a piece of the PC log:

Code: Select all

Aug  5 01:20:26 marlboro-LIFEBOOK-A512 sshd[3618]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  5 01:20:26 marlboro-LIFEBOOK-A512 sshd[3618]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  5 01:20:26 marlboro-LIFEBOOK-A512 sshd[3618]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  5 01:20:27 marlboro-LIFEBOOK-A512 sshd[3618]: Failed password for root from 218.87.111.116 port 36351 ssh2
Aug  5 01:20:28 marlboro-LIFEBOOK-A512 sshd[3618]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  5 01:20:28 marlboro-LIFEBOOK-A512 sshd[3618]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  5 01:20:28 marlboro-LIFEBOOK-A512 sshd[3618]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  5 01:20:30 marlboro-LIFEBOOK-A512 sshd[3618]: Failed password for root from 218.87.111.116 port 36351 ssh2
Aug  5 01:20:31 marlboro-LIFEBOOK-A512 sshd[3618]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  5 01:20:31 marlboro-LIFEBOOK-A512 sshd[3618]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  5 01:20:31 marlboro-LIFEBOOK-A512 sshd[3618]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  5 01:20:33 marlboro-LIFEBOOK-A512 sshd[3618]: Failed password for root from 218.87.111.116 port 36351 ssh2
Aug  5 01:20:37 marlboro-LIFEBOOK-A512 sshd[3618]: Received disconnect from 218.87.111.116: 11:  [preauth]
Aug  5 01:20:37 marlboro-LIFEBOOK-A512 sshd[3618]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.87.111.116  user=root
Aug  5 01:39:01 marlboro-LIFEBOOK-A512 CRON[5132]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug  5 01:39:01 marlboro-LIFEBOOK-A512 CRON[5132]: pam_unix(cron:session): session closed for user root
Aug  5 01:53:53 marlboro-LIFEBOOK-A512 sshd[5488]: Did not receive identification string from 213.16.81.89
Aug  5 02:09:01 marlboro-LIFEBOOK-A512 CRON[5624]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug  5 02:09:01 marlboro-LIFEBOOK-A512 CRON[5624]: pam_unix(cron:session): session closed for user root
Aug  5 02:17:01 marlboro-LIFEBOOK-A512 CRON[5678]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug  5 02:17:01 marlboro-LIFEBOOK-A512 CRON[5678]: pam_unix(cron:session): session closed for user root
Aug  5 02:18:49 marlboro-LIFEBOOK-A512 sshd[5710]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.16.81.89  user=root
Aug  5 02:18:49 marlboro-LIFEBOOK-A512 sshd[5710]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  5 02:18:49 marlboro-LIFEBOOK-A512 sshd[5710]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  5 02:18:49 marlboro-LIFEBOOK-A512 sshd[5710]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  5 02:18:51 marlboro-LIFEBOOK-A512 sshd[5710]: Failed password for root from 213.16.81.89 port 37588 ssh2
Aug  5 02:18:51 marlboro-LIFEBOOK-A512 sshd[5710]: Connection closed by 213.16.81.89 [preauth]
Aug  5 02:27:36 marlboro-LIFEBOOK-A512 sshd[5808]: Did not receive identification string from 46.149.184.2
Aug  5 02:27:54 marlboro-LIFEBOOK-A512 sshd[5809]: Invalid user admin from 213.16.81.89
Aug  5 02:27:54 marlboro-LIFEBOOK-A512 sshd[5809]: input_userauth_request: invalid user admin [preauth]
Aug  5 02:27:54 marlboro-LIFEBOOK-A512 sshd[5809]: pam_unix(sshd:auth): check pass; user unknown
Aug  5 02:27:54 marlboro-LIFEBOOK-A512 sshd[5809]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.16.81.89 
Aug  5 02:27:54 marlboro-LIFEBOOK-A512 sshd[5809]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  5 02:27:54 marlboro-LIFEBOOK-A512 sshd[5809]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  5 02:27:56 marlboro-LIFEBOOK-A512 sshd[5809]: Failed password for invalid user admin from 213.16.81.89 port 38006 ssh2
Aug  5 02:27:56 marlboro-LIFEBOOK-A512 sshd[5809]: Connection closed by 213.16.81.89 [preauth]
Aug  5 02:37:50 marlboro-LIFEBOOK-A512 sshd[5952]: Invalid user ubnt from 213.16.81.89
Aug  5 02:37:50 marlboro-LIFEBOOK-A512 sshd[5952]: input_userauth_request: invalid user ubnt [preauth]
Aug  5 02:37:50 marlboro-LIFEBOOK-A512 sshd[5952]: pam_unix(sshd:auth): check pass; user unknown
Aug  5 02:37:50 marlboro-LIFEBOOK-A512 sshd[5952]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.16.81.89 
Aug  5 02:37:50 marlboro-LIFEBOOK-A512 sshd[5952]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  5 02:37:50 marlboro-LIFEBOOK-A512 sshd[5952]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  5 02:37:52 marlboro-LIFEBOOK-A512 sshd[5952]: Failed password for invalid user ubnt from 213.16.81.89 port 38426 ssh2
Aug  5 02:37:53 marlboro-LIFEBOOK-A512 sshd[5952]: Connection closed by 213.16.81.89 [preauth]
Aug  5 02:39:01 marlboro-LIFEBOOK-A512 CRON[5958]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug  5 02:39:02 marlboro-LIFEBOOK-A512 CRON[5958]: pam_unix(cron:session): session closed for user root
Aug  5 02:52:41 marlboro-LIFEBOOK-A512 sshd[6320]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=tun-46-149-184-2.kim.in.ua  user=root
Aug  5 02:52:41 marlboro-LIFEBOOK-A512 sshd[6320]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  5 02:52:41 marlboro-LIFEBOOK-A512 sshd[6320]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  5 02:52:41 marlboro-LIFEBOOK-A512 sshd[6320]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  5 02:52:44 marlboro-LIFEBOOK-A512 sshd[6320]: Failed password for root from 46.149.184.2 port 39299 ssh2
Aug  5 02:52:44 marlboro-LIFEBOOK-A512 sshd[6320]: Connection closed by 46.149.184.2 [preauth]
another one from the server:

Code: Select all

Aug  4 23:16:40 serverone979 sshd[15866]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:16:40 serverone979 sshd[15866]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:16:40 serverone979 sshd[15866]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:16:42 serverone979 sshd[15866]: Failed password for www-data from 213.184.127.148 port 58012 ssh2
Aug  4 23:16:42 serverone979 sshd[15866]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:16:44 serverone979 sshd[15868]: Invalid user website2 from 213.184.127.148
Aug  4 23:16:44 serverone979 sshd[15868]: input_userauth_request: invalid user website2 [preauth]
Aug  4 23:16:44 serverone979 sshd[15868]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:16:44 serverone979 sshd[15868]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:16:44 serverone979 sshd[15868]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:16:44 serverone979 sshd[15868]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:16:46 serverone979 sshd[15868]: Failed password for invalid user website2 from 213.184.127.148 port 58570 ssh2
Aug  4 23:16:46 serverone979 sshd[15868]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:16:47 serverone979 sshd[15870]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:16:47 serverone979 sshd[15870]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:16:47 serverone979 sshd[15870]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:16:47 serverone979 sshd[15870]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:16:49 serverone979 sshd[15870]: Failed password for www-data from 213.184.127.148 port 59227 ssh2
Aug  4 23:16:49 serverone979 sshd[15870]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:16:52 serverone979 sshd[15872]: Invalid user website from 213.184.127.148
Aug  4 23:16:52 serverone979 sshd[15872]: input_userauth_request: invalid user website [preauth]
Aug  4 23:16:52 serverone979 sshd[15872]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:16:52 serverone979 sshd[15872]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:16:52 serverone979 sshd[15872]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:16:52 serverone979 sshd[15872]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:16:53 serverone979 sshd[15872]: Failed password for invalid user website from 213.184.127.148 port 59949 ssh2
Aug  4 23:16:53 serverone979 sshd[15872]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:16:55 serverone979 sshd[15874]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:16:55 serverone979 sshd[15874]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:16:55 serverone979 sshd[15874]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:16:55 serverone979 sshd[15874]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:16:57 serverone979 sshd[15874]: Failed password for www-data from 213.184.127.148 port 60502 ssh2
Aug  4 23:16:57 serverone979 sshd[15874]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:16:59 serverone979 sshd[15876]: Invalid user webs from 213.184.127.148
Aug  4 23:16:59 serverone979 sshd[15876]: input_userauth_request: invalid user webs [preauth]
Aug  4 23:16:59 serverone979 sshd[15876]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:16:59 serverone979 sshd[15876]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:16:59 serverone979 sshd[15876]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:16:59 serverone979 sshd[15876]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:01 serverone979 sshd[15876]: Failed password for invalid user webs from 213.184.127.148 port 32949 ssh2
Aug  4 23:17:01 serverone979 sshd[15876]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:01 serverone979 CRON[15884]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug  4 23:17:01 serverone979 CRON[15885]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug  4 23:17:01 serverone979 CRON[15885]: pam_unix(cron:session): session closed for user root
Aug  4 23:17:02 serverone979 CRON[15884]: pam_unix(cron:session): session closed for user root
Aug  4 23:17:02 serverone979 sshd[15880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:17:02 serverone979 sshd[15880]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:02 serverone979 sshd[15880]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:02 serverone979 sshd[15880]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:17:05 serverone979 sshd[15880]: Failed password for www-data from 213.184.127.148 port 33582 ssh2
Aug  4 23:17:05 serverone979 sshd[15880]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:06 serverone979 sshd[15882]: Invalid user webupload from 213.184.127.148
Aug  4 23:17:06 serverone979 sshd[15882]: input_userauth_request: invalid user webupload [preauth]
Aug  4 23:17:06 serverone979 sshd[15882]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:17:06 serverone979 sshd[15882]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:17:06 serverone979 sshd[15882]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:06 serverone979 sshd[15882]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:08 serverone979 sshd[15882]: Failed password for invalid user webupload from 213.184.127.148 port 34237 ssh2
Aug  4 23:17:08 serverone979 sshd[15882]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:10 serverone979 sshd[15932]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:17:10 serverone979 sshd[15932]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:10 serverone979 sshd[15932]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:10 serverone979 sshd[15932]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:17:12 serverone979 sshd[15932]: Failed password for www-data from 213.184.127.148 port 34938 ssh2
Aug  4 23:17:12 serverone979 sshd[15932]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:14 serverone979 sshd[15936]: Invalid user web-users from 213.184.127.148
Aug  4 23:17:14 serverone979 sshd[15936]: input_userauth_request: invalid user web-users [preauth]
Aug  4 23:17:14 serverone979 sshd[15936]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:17:14 serverone979 sshd[15936]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:17:14 serverone979 sshd[15936]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:14 serverone979 sshd[15936]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:16 serverone979 sshd[15936]: Failed password for invalid user web-users from 213.184.127.148 port 35579 ssh2
Aug  4 23:17:16 serverone979 sshd[15936]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:17 serverone979 sshd[15938]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:17:17 serverone979 sshd[15938]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:17 serverone979 sshd[15938]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:17 serverone979 sshd[15938]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:17:19 serverone979 sshd[15938]: Failed password for www-data from 213.184.127.148 port 36187 ssh2
Aug  4 23:17:19 serverone979 sshd[15938]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:21 serverone979 sshd[15940]: Invalid user web-user from 213.184.127.148
Aug  4 23:17:21 serverone979 sshd[15940]: input_userauth_request: invalid user web-user [preauth]
Aug  4 23:17:21 serverone979 sshd[15940]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:17:21 serverone979 sshd[15940]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:17:21 serverone979 sshd[15940]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:21 serverone979 sshd[15940]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:24 serverone979 sshd[15940]: Failed password for invalid user web-user from 213.184.127.148 port 36943 ssh2
Aug  4 23:17:24 serverone979 sshd[15940]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:24 serverone979 sshd[15943]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:17:24 serverone979 sshd[15943]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:24 serverone979 sshd[15943]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:24 serverone979 sshd[15943]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:17:26 serverone979 sshd[15943]: Failed password for www-data from 213.184.127.148 port 37460 ssh2
Aug  4 23:17:26 serverone979 sshd[15943]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:30 serverone979 sshd[15945]: Invalid user webuser from 213.184.127.148
Aug  4 23:17:30 serverone979 sshd[15945]: input_userauth_request: invalid user webuser [preauth]
Aug  4 23:17:30 serverone979 sshd[15945]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:17:30 serverone979 sshd[15945]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:17:30 serverone979 sshd[15945]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:30 serverone979 sshd[15945]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:31 serverone979 sshd[15945]: Failed password for invalid user webuser from 213.184.127.148 port 38364 ssh2
Aug  4 23:17:31 serverone979 sshd[15945]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:31 serverone979 sshd[15947]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:17:31 serverone979 sshd[15947]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:31 serverone979 sshd[15947]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:31 serverone979 sshd[15947]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:17:33 serverone979 sshd[15947]: Failed password for www-data from 213.184.127.148 port 38680 ssh2
Aug  4 23:17:33 serverone979 sshd[15947]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:37 serverone979 sshd[15949]: Invalid user webuser from 213.184.127.148
Aug  4 23:17:37 serverone979 sshd[15949]: input_userauth_request: invalid user webuser [preauth]
Aug  4 23:17:37 serverone979 sshd[15949]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:17:37 serverone979 sshd[15949]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:17:37 serverone979 sshd[15949]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:37 serverone979 sshd[15949]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:39 serverone979 sshd[15949]: Failed password for invalid user webuser from 213.184.127.148 port 39623 ssh2
Aug  4 23:17:39 serverone979 sshd[15951]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:17:39 serverone979 sshd[15951]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:39 serverone979 sshd[15951]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:39 serverone979 sshd[15951]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:17:39 serverone979 sshd[15949]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:41 serverone979 sshd[15951]: Failed password for www-data from 213.184.127.148 port 39988 ssh2
Aug  4 23:17:41 serverone979 sshd[15951]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:45 serverone979 sshd[15953]: Invalid user web from 213.184.127.148
Aug  4 23:17:45 serverone979 sshd[15953]: input_userauth_request: invalid user web [preauth]
Aug  4 23:17:45 serverone979 sshd[15953]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:17:45 serverone979 sshd[15953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:17:45 serverone979 sshd[15953]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:45 serverone979 sshd[15953]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:47 serverone979 sshd[15955]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:17:47 serverone979 sshd[15955]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:47 serverone979 sshd[15955]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:47 serverone979 sshd[15955]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:17:47 serverone979 sshd[15953]: Failed password for invalid user web from 213.184.127.148 port 40951 ssh2
Aug  4 23:17:47 serverone979 sshd[15953]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:48 serverone979 sshd[15955]: Failed password for www-data from 213.184.127.148 port 41292 ssh2
Aug  4 23:17:48 serverone979 sshd[15955]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:52 serverone979 sshd[15957]: Invalid user web from 213.184.127.148
Aug  4 23:17:52 serverone979 sshd[15957]: input_userauth_request: invalid user web [preauth]
Aug  4 23:17:52 serverone979 sshd[15957]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:17:52 serverone979 sshd[15957]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:17:52 serverone979 sshd[15957]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:52 serverone979 sshd[15957]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:54 serverone979 sshd[15959]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:17:54 serverone979 sshd[15959]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:54 serverone979 sshd[15959]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:54 serverone979 sshd[15959]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:17:54 serverone979 sshd[15957]: Failed password for invalid user web from 213.184.127.148 port 42286 ssh2
Aug  4 23:17:54 serverone979 sshd[15957]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:55 serverone979 sshd[15959]: Failed password for www-data from 213.184.127.148 port 42547 ssh2
Aug  4 23:17:55 serverone979 sshd[15959]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:18:00 serverone979 sshd[15963]: Invalid user wizard from 213.184.127.148
Aug  4 23:18:00 serverone979 sshd[15963]: input_userauth_request: invalid user wizard [preauth]
Aug  4 23:18:00 serverone979 sshd[15963]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:18:00 serverone979 sshd[15963]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
but is this normal... :( ???
<<< LiNuX oN tHe RoAd >>>
marlboro
Crackling Follower
Posts: 376
Joined: Tuesday 22 April 2014, 13:17
Desktop: mate
Distribution: UbuNtu 16.04

Re: A legend dies: the first rootkit on this forum...

Post by marlboro »

:muro: :muro: :muro:
<<< LiNuX oN tHe RoAd >>>
Wilson
Imperturbable Notable
Posts: 3539
Joined: Sunday 20 November 2005, 14:47
Desktop: Unity
Distribution: Edubuntu 15.04 x86_64
Location: Turin

Re: A legend dies: the first rootkit on this forum...

Post by Wilson »

As soon as you put up an SSH server reachable from the internet, those attempts show up; I suspect there are whole botnets making these attempts purely at random, ending up scanning every IP every so often.
-- Try Ubuntu! Harmless if used as directed --
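The two posts above show what a practitioner wants to pull out of an auth.log like marlboro's: which source addresses are hammering sshd, which account names they try, and whether those accounts even exist. The script below is an added example, not code from the thread or from Ubuntu; it parses the three sshd message shapes visible in the posted logs ("Failed password for ...", "Invalid user ... from ...", "Did not receive identification string from ...") and groups them by source IP. The pam_winbind and pam_unix lines in the posts come from the PAM stack on marlboro's machines (winbind is Samba's PAM module) and add nothing about the attacker, so the parser skips them. The sample log, the year used to complete the year-less syslog timestamps, and the flagging threshold are all assumptions; the sample addresses are from documentation ranges and are modelled on the format of the posted lines, not copied from them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Message shapes visible in the thread's /var/log/auth.log excerpts.
# pam_winbind / pam_unix / CRON lines are deliberately not matched:
# they are PAM and cron noise and carry no extra attacker information.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)$")
NOIDENT_RE = re.compile(r"sshd\[\d+\]: Did not receive identification string from (?P<ip>\S+)$")


def parse_ts(ts, year=2016):
    """Syslog timestamps carry no year (assumption: the caller supplies one)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def new_source():
    return {"failures": 0, "users": set(), "invalid_users": set(),
            "probes": 0, "first": None, "last": None}


def summarize(lines, year=2016):
    """Group sshd authentication noise by source IP.

    failures       number of 'Failed password' events
    users          every account name tried (existing or not)
    invalid_users  names sshd reported as non-existent accounts
    probes         'Did not receive identification string' hits: a scanner
                   opened the port and left without attempting a login
    first/last     timestamps of the first and last failed password
    """
    stats = defaultdict(new_source)
    for line in lines:
        line = line.rstrip()
        m = FAILED_RE.match(line)
        if m:
            s = stats[m["ip"]]
            s["failures"] += 1
            s["users"].add(m["user"])
            ts = parse_ts(m["ts"], year)
            s["first"] = ts if s["first"] is None else min(s["first"], ts)
            s["last"] = ts if s["last"] is None else max(s["last"], ts)
            continue
        m = INVALID_RE.search(line)
        if m:
            stats[m["ip"]]["invalid_users"].add(m["user"])
            continue
        m = NOIDENT_RE.search(line)
        if m:
            stats[m["ip"]]["probes"] += 1
    return dict(stats)


def brute_force_sources(stats, min_failures=3):
    """Sources that either hammer one account or spray several accounts.
    The threshold is an assumption; tune it to the host's normal traffic."""
    return sorted(ip for ip, s in stats.items()
                  if s["failures"] >= min_failures or len(s["users"]) > 1)


def report(stats, min_failures=3):
    """One human-readable line per flagged source."""
    out = []
    for ip in brute_force_sources(stats, min_failures):
        s = stats[ip]
        span = (s["last"] - s["first"]).total_seconds() if s["first"] else 0
        out.append(f"{ip}: {s['failures']} failures over {span:.0f}s, "
                   f"users={sorted(s['users'])}, "
                   f"nonexistent={sorted(s['invalid_users'])}, probes={s['probes']}")
    return out


# Constructed sample, modelled on the format of the posted logs (documentation IPs).
SAMPLE_LOG = """\
Aug  5 01:20:26 host1 sshd[3618]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  5 01:20:27 host1 sshd[3618]: Failed password for root from 203.0.113.10 port 36351 ssh2
Aug  5 01:20:30 host1 sshd[3618]: Failed password for root from 203.0.113.10 port 36351 ssh2
Aug  5 01:20:33 host1 sshd[3618]: Failed password for root from 203.0.113.10 port 36351 ssh2
Aug  5 01:53:53 host1 sshd[5488]: Did not receive identification string from 198.51.100.7
Aug  5 02:18:51 host1 sshd[5710]: Failed password for root from 198.51.100.7 port 37588 ssh2
Aug  5 02:27:54 host1 sshd[5809]: Invalid user admin from 198.51.100.7
Aug  5 02:27:56 host1 sshd[5809]: Failed password for invalid user admin from 198.51.100.7 port 38006 ssh2
Aug  5 02:37:50 host1 sshd[5952]: Invalid user ubnt from 198.51.100.7
Aug  5 02:37:52 host1 sshd[5952]: Failed password for invalid user ubnt from 198.51.100.7 port 38426 ssh2
Aug  5 02:39:01 host1 CRON[5958]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug  5 03:10:00 host1 sshd[6001]: Accepted publickey for alice from 192.0.2.5 port 50000 ssh2
Aug  5 03:15:12 host1 sshd[6100]: Failed password for alice from 192.0.2.5 port 50100 ssh2
"""

if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG.splitlines())):
        print(line)
```

Run against a real file with `summarize(open("/var/log/auth.log"))`. Two things the grouping makes obvious that a raw scroll hides: the server excerpt in marlboro's post walks an alphabetical username list (web, webs, website, webupload, web-user, webuser, ... wizard) alternating with www-data, which is what a dictionary attack looks like, and a single "Failed password for alice" from a known address is a typo, not an attack, so per-source counts matter more than the total.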
shouldes
Tenacious Technocrat
Posts: 19490
Joined: Sunday 10 February 2008, 21:45

Re: A legend dies: the first rootkit on this forum...

Post by shouldes »

marlboro wrote: I looked at the logs on the PC and on the server... I have to say both are full of SSH login attempts with the username root... luckily, so far they've always got the password wrong, but I noticed they don't only try the root user, I've also seen admin or nagios... dunno, I'm no expert, but I think they really are trying... assuming it's the same people trying...

a piece of the PC log: [quoted log excerpt, identical to the one in marlboro's post above]
Aug  5 02:52:44 marlboro-LIFEBOOK-A512 sshd[6320]: Failed password for root from 46.149.184.2 port 39299 ssh2
Aug  5 02:52:44 marlboro-LIFEBOOK-A512 sshd[6320]: Connection closed by 46.149.184.2 [preauth]
more from the server:

Aug  4 23:16:40 serverone979 sshd[15866]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:16:40 serverone979 sshd[15866]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:16:40 serverone979 sshd[15866]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:16:42 serverone979 sshd[15866]: Failed password for www-data from 213.184.127.148 port 58012 ssh2
Aug  4 23:16:42 serverone979 sshd[15866]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:16:44 serverone979 sshd[15868]: Invalid user website2 from 213.184.127.148
Aug  4 23:16:44 serverone979 sshd[15868]: input_userauth_request: invalid user website2 [preauth]
Aug  4 23:16:44 serverone979 sshd[15868]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:16:44 serverone979 sshd[15868]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:16:44 serverone979 sshd[15868]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:16:44 serverone979 sshd[15868]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:16:46 serverone979 sshd[15868]: Failed password for invalid user website2 from 213.184.127.148 port 58570 ssh2
Aug  4 23:16:46 serverone979 sshd[15868]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:16:47 serverone979 sshd[15870]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:16:47 serverone979 sshd[15870]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:16:47 serverone979 sshd[15870]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:16:47 serverone979 sshd[15870]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:16:49 serverone979 sshd[15870]: Failed password for www-data from 213.184.127.148 port 59227 ssh2
Aug  4 23:16:49 serverone979 sshd[15870]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:16:52 serverone979 sshd[15872]: Invalid user website from 213.184.127.148
Aug  4 23:16:52 serverone979 sshd[15872]: input_userauth_request: invalid user website [preauth]
Aug  4 23:16:52 serverone979 sshd[15872]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:16:52 serverone979 sshd[15872]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:16:52 serverone979 sshd[15872]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:16:52 serverone979 sshd[15872]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:16:53 serverone979 sshd[15872]: Failed password for invalid user website from 213.184.127.148 port 59949 ssh2
Aug  4 23:16:53 serverone979 sshd[15872]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:16:55 serverone979 sshd[15874]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:16:55 serverone979 sshd[15874]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:16:55 serverone979 sshd[15874]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:16:55 serverone979 sshd[15874]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:16:57 serverone979 sshd[15874]: Failed password for www-data from 213.184.127.148 port 60502 ssh2
Aug  4 23:16:57 serverone979 sshd[15874]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:16:59 serverone979 sshd[15876]: Invalid user webs from 213.184.127.148
Aug  4 23:16:59 serverone979 sshd[15876]: input_userauth_request: invalid user webs [preauth]
Aug  4 23:16:59 serverone979 sshd[15876]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:16:59 serverone979 sshd[15876]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:16:59 serverone979 sshd[15876]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:16:59 serverone979 sshd[15876]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:01 serverone979 sshd[15876]: Failed password for invalid user webs from 213.184.127.148 port 32949 ssh2
Aug  4 23:17:01 serverone979 sshd[15876]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:01 serverone979 CRON[15884]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug  4 23:17:01 serverone979 CRON[15885]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug  4 23:17:01 serverone979 CRON[15885]: pam_unix(cron:session): session closed for user root
Aug  4 23:17:02 serverone979 CRON[15884]: pam_unix(cron:session): session closed for user root
Aug  4 23:17:02 serverone979 sshd[15880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:17:02 serverone979 sshd[15880]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:02 serverone979 sshd[15880]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:02 serverone979 sshd[15880]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:17:05 serverone979 sshd[15880]: Failed password for www-data from 213.184.127.148 port 33582 ssh2
Aug  4 23:17:05 serverone979 sshd[15880]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:06 serverone979 sshd[15882]: Invalid user webupload from 213.184.127.148
Aug  4 23:17:06 serverone979 sshd[15882]: input_userauth_request: invalid user webupload [preauth]
Aug  4 23:17:06 serverone979 sshd[15882]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:17:06 serverone979 sshd[15882]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:17:06 serverone979 sshd[15882]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:06 serverone979 sshd[15882]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:08 serverone979 sshd[15882]: Failed password for invalid user webupload from 213.184.127.148 port 34237 ssh2
Aug  4 23:17:08 serverone979 sshd[15882]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:10 serverone979 sshd[15932]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:17:10 serverone979 sshd[15932]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:10 serverone979 sshd[15932]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:10 serverone979 sshd[15932]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:17:12 serverone979 sshd[15932]: Failed password for www-data from 213.184.127.148 port 34938 ssh2
Aug  4 23:17:12 serverone979 sshd[15932]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:14 serverone979 sshd[15936]: Invalid user web-users from 213.184.127.148
Aug  4 23:17:14 serverone979 sshd[15936]: input_userauth_request: invalid user web-users [preauth]
Aug  4 23:17:14 serverone979 sshd[15936]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:17:14 serverone979 sshd[15936]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:17:14 serverone979 sshd[15936]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:14 serverone979 sshd[15936]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:16 serverone979 sshd[15936]: Failed password for invalid user web-users from 213.184.127.148 port 35579 ssh2
Aug  4 23:17:16 serverone979 sshd[15936]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:17 serverone979 sshd[15938]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:17:17 serverone979 sshd[15938]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:17 serverone979 sshd[15938]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:17 serverone979 sshd[15938]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:17:19 serverone979 sshd[15938]: Failed password for www-data from 213.184.127.148 port 36187 ssh2
Aug  4 23:17:19 serverone979 sshd[15938]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:21 serverone979 sshd[15940]: Invalid user web-user from 213.184.127.148
Aug  4 23:17:21 serverone979 sshd[15940]: input_userauth_request: invalid user web-user [preauth]
Aug  4 23:17:21 serverone979 sshd[15940]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:17:21 serverone979 sshd[15940]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:17:21 serverone979 sshd[15940]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:21 serverone979 sshd[15940]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:24 serverone979 sshd[15940]: Failed password for invalid user web-user from 213.184.127.148 port 36943 ssh2
Aug  4 23:17:24 serverone979 sshd[15940]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:24 serverone979 sshd[15943]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:17:24 serverone979 sshd[15943]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:24 serverone979 sshd[15943]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:24 serverone979 sshd[15943]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:17:26 serverone979 sshd[15943]: Failed password for www-data from 213.184.127.148 port 37460 ssh2
Aug  4 23:17:26 serverone979 sshd[15943]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:30 serverone979 sshd[15945]: Invalid user webuser from 213.184.127.148
Aug  4 23:17:30 serverone979 sshd[15945]: input_userauth_request: invalid user webuser [preauth]
Aug  4 23:17:30 serverone979 sshd[15945]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:17:30 serverone979 sshd[15945]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:17:30 serverone979 sshd[15945]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:30 serverone979 sshd[15945]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:31 serverone979 sshd[15945]: Failed password for invalid user webuser from 213.184.127.148 port 38364 ssh2
Aug  4 23:17:31 serverone979 sshd[15945]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:31 serverone979 sshd[15947]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:17:31 serverone979 sshd[15947]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:31 serverone979 sshd[15947]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:31 serverone979 sshd[15947]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:17:33 serverone979 sshd[15947]: Failed password for www-data from 213.184.127.148 port 38680 ssh2
Aug  4 23:17:33 serverone979 sshd[15947]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:37 serverone979 sshd[15949]: Invalid user webuser from 213.184.127.148
Aug  4 23:17:37 serverone979 sshd[15949]: input_userauth_request: invalid user webuser [preauth]
Aug  4 23:17:37 serverone979 sshd[15949]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:17:37 serverone979 sshd[15949]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:17:37 serverone979 sshd[15949]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:37 serverone979 sshd[15949]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:39 serverone979 sshd[15949]: Failed password for invalid user webuser from 213.184.127.148 port 39623 ssh2
Aug  4 23:17:39 serverone979 sshd[15951]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:17:39 serverone979 sshd[15951]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:39 serverone979 sshd[15951]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:39 serverone979 sshd[15951]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:17:39 serverone979 sshd[15949]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:41 serverone979 sshd[15951]: Failed password for www-data from 213.184.127.148 port 39988 ssh2
Aug  4 23:17:41 serverone979 sshd[15951]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:45 serverone979 sshd[15953]: Invalid user web from 213.184.127.148
Aug  4 23:17:45 serverone979 sshd[15953]: input_userauth_request: invalid user web [preauth]
Aug  4 23:17:45 serverone979 sshd[15953]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:17:45 serverone979 sshd[15953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:17:45 serverone979 sshd[15953]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:45 serverone979 sshd[15953]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:47 serverone979 sshd[15955]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:17:47 serverone979 sshd[15955]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:47 serverone979 sshd[15955]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:47 serverone979 sshd[15955]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:17:47 serverone979 sshd[15953]: Failed password for invalid user web from 213.184.127.148 port 40951 ssh2
Aug  4 23:17:47 serverone979 sshd[15953]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:48 serverone979 sshd[15955]: Failed password for www-data from 213.184.127.148 port 41292 ssh2
Aug  4 23:17:48 serverone979 sshd[15955]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:52 serverone979 sshd[15957]: Invalid user web from 213.184.127.148
Aug  4 23:17:52 serverone979 sshd[15957]: input_userauth_request: invalid user web [preauth]
Aug  4 23:17:52 serverone979 sshd[15957]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:17:52 serverone979 sshd[15957]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
Aug  4 23:17:52 serverone979 sshd[15957]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:52 serverone979 sshd[15957]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:54 serverone979 sshd[15959]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148  user=www-data
Aug  4 23:17:54 serverone979 sshd[15959]: pam_winbind(sshd:auth): getting password (0x00000388)
Aug  4 23:17:54 serverone979 sshd[15959]: pam_winbind(sshd:auth): pam_get_item returned a password
Aug  4 23:17:54 serverone979 sshd[15959]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug  4 23:17:54 serverone979 sshd[15957]: Failed password for invalid user web from 213.184.127.148 port 42286 ssh2
Aug  4 23:17:54 serverone979 sshd[15957]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:17:55 serverone979 sshd[15959]: Failed password for www-data from 213.184.127.148 port 42547 ssh2
Aug  4 23:17:55 serverone979 sshd[15959]: Received disconnect from 213.184.127.148: 11: Bye Bye [preauth]
Aug  4 23:18:00 serverone979 sshd[15963]: Invalid user wizard from 213.184.127.148
Aug  4 23:18:00 serverone979 sshd[15963]: input_userauth_request: invalid user wizard [preauth]
Aug  4 23:18:00 serverone979 sshd[15963]: pam_unix(sshd:auth): check pass; user unknown
Aug  4 23:18:00 serverone979 sshd[15963]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.184.127.148 
but is this normal... :( ???
I think admin is aimed, as an attack, at most routers.
By now, with a USB port and an ssh server, they are very common.
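A way to read a log like the ones posted above, as an added example that is not part of the thread: a small POSIX shell script (awk-based) that tallies sshd "Failed password" lines per source address and per attempted username, and lists the sources that cross a threshold. The sample lines are constructed in the same format as the log posted here, using RFC 5737 documentation addresses rather than the addresses in the thread; the function names and the threshold are the example's own.

```shell
#!/bin/sh
# Added example (not from the forum thread): summarise sshd "Failed password"
# lines from an auth.log in the format posted above. The sample lines below are
# constructed with RFC 5737 documentation addresses, not the thread's IPs.
SAMPLE_LOG=$(cat <<'EOF'
Aug  5 02:18:51 host1 sshd[5710]: Failed password for root from 192.0.2.10 port 37588 ssh2
Aug  5 02:27:56 host1 sshd[5809]: Failed password for invalid user admin from 192.0.2.10 port 38006 ssh2
Aug  5 02:37:52 host1 sshd[5952]: Failed password for invalid user ubnt from 192.0.2.10 port 38426 ssh2
Aug  5 02:52:44 host1 sshd[6320]: Failed password for root from 198.51.100.7 port 39299 ssh2
Aug  5 03:00:00 host1 sshd[6400]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2
Aug  5 03:01:00 host1 CRON[6401]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
)

# Read log lines on stdin; print "<failures> <source-ip>" per source, busiest first.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
            count[src]++
         }
         END { for (s in count) print count[s], s }' | sort -rn
}

# Read log lines on stdin; print "<failures> <username>" per attempted account.
# "invalid user X" means X does not exist locally (pure dictionary noise);
# a name without that prefix (e.g. root) means the account exists and the
# guess is being checked against a real password.
failed_by_user() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "for") {
                u = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
            }
            count[u]++
         }
         END { for (u in count) print count[u], u }' | sort -rn
}

# Sources whose failure count reaches the threshold (default 3): the
# candidates you would hand to fail2ban or an iptables rule.
noisy_sources() {
    threshold=${1:-3}
    failed_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Usage with the constructed sample. On a real Ubuntu box:
#   sudo cat /var/log/auth.log | failed_by_source
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_LOG" | failed_by_user
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
```

The split between "invalid user" and real accounts is the useful signal in a log like this: names under `invalid user` cost the attacker nothing and you nothing, whereas every `Failed password for root` is a guess evaluated against an account that exists, which is why disabling password login for root in /etc/ssh/sshd_config (`PermitRootLogin no`) matters more than the volume of noise.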
marlboro
Scoppiettante Seguace
Posts: 376
Joined: Tuesday 22 April 2014, 13:17
Desktop: mate
Distribution: UbuNtu 16.04

Re: A legend dies: the first rootkit on this forum...

Post by marlboro »

Anyway, checking a few IPs, there are also these Chinese ones ..
<<< LiNuX oN tHe RoAd >>>
TommyB1992
Scoppiettante Seguace
Posts: 862
Joined: Sunday 7 July 2013, 15:55
Desktop: GNU/Linux
Distribution: Ubuntu 22.04.2 LTS
Sex: Male

Re: A legend dies: the first rootkit on this forum...

Post by TommyB1992 »

Guys, if I wanted to add a few lines of my own to allow one login attempt every 30 seconds (so as to prevent brute force), where do I find the directories and files for managing the protocol?
shouldes
Tenace Tecnocrate
Posts: 19490
Joined: Sunday 10 February 2008, 21:45

Re: A legend dies: the first rootkit on this forum...

Post by shouldes »

TommyB1992 wrote: Guys, if I wanted to add a few lines of my own to allow one login attempt every 30 seconds (so as to prevent brute force), where do I find the directories and files for managing the protocol?
I outlined something similar via iptables configuration (in practice I explained what to do, a few posts back), but if you need to configure a system, open a thread and ask for support.
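One way to get the "one new connection every 30 seconds" throttle TommyB1992 asks about, as an added example that is not shouldes's own rule set from earlier in the thread: a POSIX shell function that emits iptables rules using the `recent` match. It assumes sshd on port 22 and that INPUT is the chain you manage; the chain name SSH_THROTTLE and the variable names are the example's own. The rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): throttle new SSH connections per source
# address with the iptables "recent" match. Assumptions: sshd on port 22, rules
# appended to INPUT; the chain and variable names below are the example's own.

SSH_PORT=22          # assumption: sshd listens on the default port
WINDOW=30            # seconds a source address is remembered
HITS=2               # the HITS-th new connection within WINDOW is dropped,
                     # i.e. one new connection per source per WINDOW seconds
CHAIN=SSH_THROTTLE   # hypothetical chain name

# Print the rules instead of applying them: review, then  ssh_throttle_rules | sudo sh
# Keep an existing console or SSH session open while testing so a mistake
# cannot lock you out.
ssh_throttle_rules() {
    cat <<EOF
iptables -N $CHAIN
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j $CHAIN
iptables -A $CHAIN -m recent --name ssh --set
iptables -A $CHAIN -m recent --name ssh --update --seconds $WINDOW --hitcount $HITS -j DROP
EOF
}

# Matching teardown:  ssh_throttle_remove | sudo sh
ssh_throttle_remove() {
    cat <<EOF
iptables -D INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j $CHAIN
iptables -F $CHAIN
iptables -X $CHAIN
EOF
}

# Number of lines the rule set produces (a quick sanity check before applying).
ssh_throttle_rule_count() {
    ssh_throttle_rules | wc -l | tr -d ' '
}

ssh_throttle_rules
```

How it works: every new TCP connection to the SSH port is recorded with `--set`; the next rule checks, with `--update`, whether the same source has already been seen HITS times within WINDOW seconds and drops the packet if so. Because `--update` also refreshes the timestamp on each dropped packet, a source that keeps hammering stays blocked until it has been quiet for WINDOW seconds, while a legitimate user only has to wait. Two caveats a practitioner should keep in mind: a single accepted connection can still carry several password guesses (MaxAuthTries in /etc/ssh/sshd_config, default 6), so combine this with `PermitRootLogin no` and key-only authentication; and fail2ban, available in the Ubuntu repositories, does the same job by reading auth.log and needs no hand-written rules.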
iononsbalgiomai
Rampante Reduce
Posts: 7398
Joined: Tuesday 29 November 2011, 15:50

Re: A legend dies: the first rootkit on this forum...

Post by iononsbalgiomai »

steff wrote: The question now is "how did this user catch it"? Because according to his statements he had neither an SSH server nor a root user.
It could be a variant, an evolution of the XOR.DDoS attack method that uses other routes to get into the system.
Since the user has formatted, and so we have no way to examine the system logs, we cannot know how he suffered the attack, assuming he suffered one at all and that the malware did not settle in by some other tactic.
Don't open a thread unless you have first looked for a solution in the Wiki and searched the forum ;)
steff
Global Moderator
Posts: 40358
Joined: Sunday 18 February 2007, 19:48
Desktop: LXQt+labwc
Distribution: Arch; Debian; Ubuntu Server
Sex: Male
Location: Toscana

Re: A legend dies: the first rootkit on this forum...

Post by steff »

I know little or nothing about networks, but could it be possible to catch it through an infected router?
Did you make a backup today? Yesterday?? When???
The Documentation to consult and the FAQ on using the forum
Systems: LXQt - simple, modular and configurable + *ubuntu in Vbox
shouldes
Tenace Tecnocrate
Posts: 19490
Joined: Sunday 10 February 2008, 21:45

Re: A legend dies: the first rootkit on this forum...

Post by shouldes »

steff wrote: I know little or nothing about networks, but could it be possible to catch it through an infected router?
The latest infections target routers and then infect all the "Linux" devices on the network.
So yes, perhaps thinking about a daily reboot of the router to get rid of volatile malware has become a good idea.
sbubba
Imperturbabile Insigne
Posts: 3336
Joined: Thursday 24 May 2007, 23:55
Desktop: Gnome
Distribution: Ubuntu 16.04.1 LTS 64bit

Re: A legend dies: the first rootkit on this forum...

Post by sbubba »

steff wrote: I know little or nothing about networks, but could it be possible to catch it through an infected router?
How would that work? Firmware breached, all and sundry come in and install the malware? But how do they do it without root permissions?
DON'T FEED THE TROLL . Don't waste your breath, their ears are lined with ham
None so deaf as those who will not hear, but meanwhile read the wiki, it does no harm.
spak
Prode Principiante
Posts: 85
Joined: Tuesday 20 April 2010, 21:21

Re: A legend dies: the first rootkit on this forum...

Post by spak »

shouldes wrote:
steff wrote: I know little or nothing about networks, but could it be possible to catch it through an infected router?
The latest infections target routers and then infect all the "Linux" devices on the network.
So yes, perhaps thinking about a daily reboot of the router to get rid of volatile malware has become a good idea.
And here a thread on ADSL modem routers and firmware updates ought to be opened.
For example, if I buy a modem router today, but in 3 or 5 years the manufacturer no longer provides firmware updates, what do I do: throw the modem router away, or keep it with all the attendant risks?
Wilson
Imperturbabile Insigne
Posts: 3539
Joined: Sunday 20 November 2005, 14:47
Desktop: Unity
Distribution: Edubuntu 15.04 x86_64
Location: Torino

Re: A legend dies: the first rootkit on this forum...

Post by Wilson »

There's not much to be done: you can't secure the network, you have to secure every single device
-- Try Ubuntu! Harmless if used as directed --
sbubba
Imperturbabile Insigne
Posts: 3336
Joined: Thursday 24 May 2007, 23:55
Desktop: Gnome
Distribution: Ubuntu 16.04.1 LTS 64bit

Re: A legend dies: the first rootkit on this forum...

Post by sbubba »

@Wilson: by "every single device" do you mean computer, mobile phone, etc.?
what do you do to secure the computer?
DON'T FEED THE TROLL . Don't waste your breath, their ears are lined with ham
None so deaf as those who will not hear, but meanwhile read the wiki, it does no harm.
Wilson
Imperturbabile Insigne
Posts: 3539
Joined: Sunday 20 November 2005, 14:47
Desktop: Unity
Distribution: Edubuntu 15.04 x86_64
Location: Torino

Re: A legend dies: the first rootkit on this forum...

Post by Wilson »

sbubba wrote: @Wilson: by "every single device" do you mean computer, mobile phone, etc.?
what do you do to secure the computer?

I switch it off!

Joking aside, the subject is terribly long and I'm certainly not even qualified to tackle it (from a certain point of view neither are the professionals...), but what I wanted to say is that the home LAN has to be treated as hostile, as if it were the free wifi of the worst bar in Cybercaracas.

For the rest, the usual things: few exposed services (no matter whether to the internet or only locally), strong passwords, no root password, no special permissions (and no sensitive info) on the devices you can do the least with (such as routers and, in my case, also the little server that acts as my video recorder and webserver), automatic security updates, possibly encrypting local communications too (less samba or nfs and more ssh, and with certificates)...

Then it's not that putting a minimal filter between the LAN and the internet is useless, since the bulk of the attacks will come from there, but you mustn't believe it's a solution; it's just skimming off the bulk.
-- Try Ubuntu! Harmless if used as directed --
TommyB1992
Scoppiettante Seguace
Posts: 862
Joined: Sunday 7 July 2013, 15:55
Desktop: GNU/Linux
Distribution: Ubuntu 22.04.2 LTS
Sex: Male

Re: A legend dies: the first rootkit on this forum...

Post by TommyB1992 »

shouldes wrote:
TommyB1992 wrote: Guys, if I wanted to add a few lines of my own to allow one login attempt every 30 seconds (so as to prevent brute force), where do I find the directories and files for managing the protocol?
I outlined something similar via iptables configuration (in practice I explained what to do, a few posts back), but if you need to configure a system, open a thread and ask for support.
Yes, but I didn't understand much... I'll try, and if I can't manage, can I bother you via a technical PM?
Is that a reference to Kevin Mitnick? :D
shouldes
Tenace Tecnocrate
Posts: 19490
Joined: Sunday 10 February 2008, 21:45

Re: A legend dies: the first rootkit on this forum...

Post by shouldes »

TommyB1992 wrote:
shouldes wrote:
TommyB1992 wrote: Guys, if I wanted to add a few lines of my own to allow one login attempt every 30 seconds (so as to prevent brute force), where do I find the directories and files for managing the protocol?
I outlined something similar via iptables configuration (in practice I explained what to do, a few posts back), but if you need to configure a system, open a thread and ask for support.
Yes, but I didn't understand much... I'll try, and if I can't manage, can I bother you via a technical PM?
Is that a reference to Kevin Mitnick? :D
Giving private support is forbidden by the rules. :p
As long as you don't start using weird graphical interfaces where you can't tell what the devil they do, I could even give you a hand, if I'm able to (in a public thread).
seven speed
Scoppiettante Seguace
Posts: 337
Joined: Monday 4 November 2013, 10:15
Desktop: Gnome3/Unity
Distribution: Ubuntu 14.04 lts

Re: A legend dies: the first rootkit on this forum...

Post by seven speed »

I've only read the first pages of the topic, so I'd like to ask you a question, as a non-expert: to be immune from it, is it enough to have port 22? I have them all closed, since the firewall (ufw) is enabled by default at boot.