Re: attempts to hack in?

Today (Saturday), I booted up only once, logged in only once as my primary common user, and then a short while ago logged in to a different account with adequate privileges to view the journalctl.  With over 12 hours as a common user, I hoped that searching the journalctl would be simpler.  I hoped!

In today's log, there were at least 148 occurrences of "authentication failure", 41 occurrences of "password check failed", 14 occurrences of "user=root", 27 occurrences of "user (root)", 270 occurrences of "invalid user", 1546 occurrences of "CRYPTO_KEY_USER", and 296 occurrences of "CRYPTO_SESSION".  I saw the following "rhost=" IP addresses:
62.176.5.7
36.250.77.36
5.196.67.128
91.232.157.98
5.101.40.10
91.197.232.103

I saw the following "user=" fields:
root
operator
ftp
mysql
games

I saw the following "invalid user ______ " fields, most followed by "[preauth]":
share
user
docker
vsftpd
arma3server
nagios
PlcmSpIp
samba
cs
csgoserver
ftpuser
osama
admin
monte
pi
monitor
debian
guest
ubnt
osmc
odroid
mobile
ts
steam
0
0000
010101
1111
1234
api
dbadmin
mc
default
git
gpadmin
service
support
sysadmin
telecomadmin
telnet
test
ubnt
user
user1
jboss

> Can you show us the full text of some representative messages (perhaps 
> replacing any IP addresses with placeholders for privacy purposes)?

Here are a few relevant journalctl entries:

Jul 01 11:49:52 xxxxxxxxxx audit[10407]: USER_AUTH pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:49:52 xxxxxxxxxx unix_chkpwd[10411]: password check failed for user (root)
Jul 01 11:49:52 xxxxxxxxxx sshd[10407]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jul 01 11:49:52 xxxxxxxxxx audit[10407]: USER_AUTH pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=36.250.77.36 addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:49:54 xxxxxxxxxx sshd[10407]: Failed password for root from 36.250.77.36 port 51702 ssh2
Jul 01 11:49:54 xxxxxxxxxx audit[10407]: USER_AUTH pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:49:54 xxxxxxxxxx sshd[10407]: Connection closed by 36.250.77.36 port 51702 [preauth]
Jul 01 11:49:54 xxxxxxxxxx audit[10407]: CRYPTO_KEY_USER pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:03:65:34:22:92:2c:17:22:fc:8a:b6:b5:e7:f3:ec:50:c3:62:42:73:ac:a9:70:34:88:dc:7d:a9:89:3f:5c:e9 direction=? spid=10408 suid=74  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:49:54 xxxxxxxxxx audit[10407]: CRYPTO_KEY_USER pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=10408 suid=74 rport=51702 laddr=xxxxxxxxxxxxxx lport=xx  exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=? res=success'
Jul 01 11:49:54 xxxxxxxxxx sshd[10407]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=36.250.77.36  user=root
Jul 01 11:49:54 xxxxxxxxxx audit[10407]: CRYPTO_KEY_USER pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:82:79:d0:65:d5:4a:2b:06:07:dd:ad:07:28:cc:a6:a0:e3:12:12:6a:f1:ae:64:91:d2:b1:68:42:55:f7:77:38 direction=? spid=10407 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:49:54 xxxxxxxxxx audit[10407]: CRYPTO_KEY_USER pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:c7:c1:32:3a:be:0f:e3:c2:4a:f3:d3:5b:46:f8:38:93:6a:b7:e1:6b:e4:a0:72:e8:ea:fd:63:89:31:5b:d4:87 direction=? spid=10407 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:49:54 xxxxxxxxxx audit[10407]: CRYPTO_KEY_USER pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:77:7e:93:19:a5:60:e0:fa:79:bd:e7:85:ad:e0:b5:8c:b3:fe:6d:9b:e1:a8:9b:a7:45:68:ef:76:dd:a7:f4:f2 direction=? spid=10407 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:49:54 xxxxxxxxxx audit[10407]: CRYPTO_KEY_USER pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:03:65:34:22:92:2c:17:22:fc:8a:b6:b5:e7:f3:ec:50:c3:62:42:73:ac:a9:70:34:88:dc:7d:a9:89:3f:5c:e9 direction=? spid=10407 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:49:54 xxxxxxxxxx audit[10407]: USER_LOGIN pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:49:55 xxxxxxxxxx audit[10413]: CRYPTO_KEY_USER pid=10413 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:82:79:d0:65:d5:4a:2b:06:07:dd:ad:07:28:cc:a6:a0:e3:12:12:6a:f1:ae:64:91:d2:b1:68:42:55:f7:77:38 direction=? spid=10413 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:49:55 xxxxxxxxxx audit[10413]: CRYPTO_KEY_USER pid=10413 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:c7:c1:32:3a:be:0f:e3:c2:4a:f3:d3:5b:46:f8:38:93:6a:b7:e1:6b:e4:a0:72:e8:ea:fd:63:89:31:5b:d4:87 direction=? spid=10413 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:49:55 xxxxxxxxxx audit[10413]: CRYPTO_KEY_USER pid=10413 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:77:7e:93:19:a5:60:e0:fa:79:bd:e7:85:ad:e0:b5:8c:b3:fe:6d:9b:e1:a8:9b:a7:45:68:ef:76:dd:a7:f4:f2 direction=? spid=10413 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:49:55 xxxxxxxxxx audit[10413]: CRYPTO_KEY_USER pid=10413 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:03:65:34:22:92:2c:17:22:fc:8a:b6:b5:e7:f3:ec:50:c3:62:42:73:ac:a9:70:34:88:dc:7d:a9:89:3f:5c:e9 direction=? spid=10413 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:49:55 xxxxxxxxxx audit[10412]: CRYPTO_SESSION pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 mac=hmac-sha2-256 pfs=diffie-hellman-group-exchange-sha256 spid=10413 suid=74 rport=9224 laddr=xxxxxxxxxxxxxx lport=xx  exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=? res=success'
Jul 01 11:49:55 xxxxxxxxxx audit[10412]: CRYPTO_SESSION pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-sha2-256 pfs=diffie-hellman-group-exchange-sha256 spid=10413 suid=74 rport=9224 laddr=xxxxxxxxxxxxxx lport=xx  exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=? res=success'
Jul 01 11:49:57 xxxxxxxxxx unix_chkpwd[10414]: password check failed for user (root)
Jul 01 11:49:57 xxxxxxxxxx sshd[10412]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=36.250.77.36  user=root
Jul 01 11:49:57 xxxxxxxxxx audit[10412]: USER_AUTH pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=36.250.77.36 addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:49:57 xxxxxxxxxx sshd[10412]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jul 01 11:49:59 xxxxxxxxxx sshd[10412]: Failed password for root from 36.250.77.36 port 9224 ssh2
Jul 01 11:49:59 xxxxxxxxxx audit[10412]: USER_AUTH pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:50:00 xxxxxxxxxx unix_chkpwd[10415]: password check failed for user (root)
Jul 01 11:50:00 xxxxxxxxxx sshd[10412]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jul 01 11:50:00 xxxxxxxxxx audit[10412]: USER_AUTH pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=36.250.77.36 addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:50:02 xxxxxxxxxx sshd[10412]: Failed password for root from 36.250.77.36 port 9224 ssh2
Jul 01 11:50:02 xxxxxxxxxx audit[10412]: USER_AUTH pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:50:02 xxxxxxxxxx unix_chkpwd[10416]: password check failed for user (root)
Jul 01 11:50:02 xxxxxxxxxx sshd[10412]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jul 01 11:50:02 xxxxxxxxxx audit[10412]: USER_AUTH pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=36.250.77.36 addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:50:04 xxxxxxxxxx sshd[10412]: Failed password for root from 36.250.77.36 port 9224 ssh2
Jul 01 11:50:04 xxxxxxxxxx audit[10412]: USER_AUTH pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:50:04 xxxxxxxxxx sshd[10412]: Connection closed by 36.250.77.36 port 9224 [preauth]
Jul 01 11:50:04 xxxxxxxxxx audit[10412]: CRYPTO_KEY_USER pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:03:65:34:22:92:2c:17:22:fc:8a:b6:b5:e7:f3:ec:50:c3:62:42:73:ac:a9:70:34:88:dc:7d:a9:89:3f:5c:e9 direction=? spid=10413 suid=74  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:50:04 xxxxxxxxxx audit[10412]: CRYPTO_KEY_USER pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=10413 suid=74 rport=9224 laddr=xxxxxxxxxxxxxx lport=xx  exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=? res=success'
Jul 01 11:50:04 xxxxxxxxxx sshd[10412]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=36.250.77.36  user=root

Anything else?

I did use the firewall configuration tool to turn off public ssh.  We'll see what difference that makes Monday.  (I'll be out most of tomorrow.)

thanks,
Bill.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
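As an added example (not code from the post or the thread), here is a small Python script that pulls per-source and per-user failure counts out of journal lines in the formats quoted above, instead of counting string matches by hand. The sample lines are constructed in those same formats, and the block threshold in noisy_sources is an assumed value.

```python
import re
from collections import Counter

# Constructed sample journal lines (not from the post) in the same formats as
# the entries quoted above; the hostname is masked as in the post.
SAMPLE_JOURNAL = """\
Jul 01 11:49:54 xxxxxxxxxx sshd[10407]: Failed password for root from 36.250.77.36 port 51702 ssh2
Jul 01 11:49:54 xxxxxxxxxx sshd[10407]: Connection closed by 36.250.77.36 port 51702 [preauth]
Jul 01 11:49:57 xxxxxxxxxx sshd[10412]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=36.250.77.36  user=root
Jul 01 11:49:59 xxxxxxxxxx sshd[10412]: Failed password for root from 36.250.77.36 port 9224 ssh2
Jul 01 12:03:10 xxxxxxxxxx sshd[10520]: Invalid user docker from 62.176.5.7 port 40122
Jul 01 12:03:12 xxxxxxxxxx sshd[10520]: Failed password for invalid user docker from 62.176.5.7 port 40122 ssh2
Jul 01 12:03:12 xxxxxxxxxx sshd[10520]: Connection closed by invalid user docker 62.176.5.7 port 40122 [preauth]
Jul 01 12:10:01 xxxxxxxxxx sshd[10600]: Accepted publickey for bill from 192.0.2.10 port 5555 ssh2: RSA SHA256:placeholder
"""

# sshd writes one "Failed password" line per attempt, so counting those (rather
# than the pam_unix "authentication failure" / "N more" lines) counts each
# attempt once; "invalid user" marks a name with no local account.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
                       r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")


def summarize(journal_text):
    """Count failed SSH logins per source address and per (address, user) pair."""
    per_ip, per_pair = Counter(), Counter()
    invalid_users = set()   # names probed that do not exist locally
    accepted = []           # successful logins: review these separately
    for line in journal_text.splitlines():
        if m := FAILED_RE.search(line):
            per_ip[m["ip"]] += 1
            per_pair[(m["ip"], m["user"])] += 1
            if m["invalid"]:
                invalid_users.add(m["user"])
        elif m := INVALID_RE.search(line):
            invalid_users.add(m["user"])
        elif m := ACCEPTED_RE.search(line):
            accepted.append((m["ip"], m["user"]))
    return {"per_ip": per_ip, "per_pair": per_pair,
            "invalid_users": invalid_users, "accepted": accepted}


def noisy_sources(summary, threshold=3):
    """Addresses with at least `threshold` failures: candidates for a firewall block (threshold is an assumed value)."""
    return sorted(ip for ip, n in summary["per_ip"].items() if n >= threshold)
```

Feed it the output of `journalctl -u sshd` (or the whole journal) and the returned Counters give the same per-address and per-user picture as the hand counts in the post, with the successful logins kept apart so they are not lost in the noise.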
