#1
Musty, 16th March 2008, 19:45
Hacking attempt?

Hey guys,
My automatic logwatch email showed the following message :

Code:
 --------------------- pam_unix Begin ------------------------ 

 gdm:
    Authentication Failures:
        rhost= : 1 Time(s)
    Unknown Entries:
       check pass; user unknown: 1 Time(s)
 
 sshd:
    Authentication Failures:
       unknown (www.e-hainyo.jp): 110 Time(s)
       root (211.189.69.21): 31 Time(s)
       root (www.e-hainyo.jp): 15 Time(s)
       adm (www.e-hainyo.jp): 1 Time(s)
       apache (www.e-hainyo.jp): 1 Time(s)
       bin (www.e-hainyo.jp): 1 Time(s)
       daemon (www.e-hainyo.jp): 1 Time(s)
       ftp (www.e-hainyo.jp): 1 Time(s)
       games (www.e-hainyo.jp): 1 Time(s)
       halt (www.e-hainyo.jp): 1 Time(s)
       lp (www.e-hainyo.jp): 1 Time(s)
       mail (www.e-hainyo.jp): 1 Time(s)
       mysql (www.e-hainyo.jp): 1 Time(s)
       named (www.e-hainyo.jp): 1 Time(s)
       news (www.e-hainyo.jp): 1 Time(s)
       nobody (www.e-hainyo.jp): 1 Time(s)
       operator (www.e-hainyo.jp): 1 Time(s)
       postgres (www.e-hainyo.jp): 1 Time(s)
       rpm (www.e-hainyo.jp): 1 Time(s)
       shutdown (www.e-hainyo.jp): 1 Time(s)
       smmsp (www.e-hainyo.jp): 1 Time(s)
       sshd (www.e-hainyo.jp): 1 Time(s)
       sync (www.e-hainyo.jp): 1 Time(s)
       tomcat (www.e-hainyo.jp): 1 Time(s)
       uucp (www.e-hainyo.jp): 1 Time(s)
    Invalid Users:
       Unknown Account: 110 Time(s)
 
 su:
    Sessions Opened:
       (uid=0) -> root: 4 Time(s)
 
 
 ---------------------- pam_unix End ------------------------- 

 
 --------------------- Connections (secure-log) Begin ------------------------ 

 
 **Unmatched Entries**
    webmin: Successful login as root from 192.168.2.222 : 1 Time(s)
    webmin: Timeout of session for root : 1 Time(s)
    webmin: Webmin starting : 2 Time(s)
 
 ---------------------- Connections (secure-log) End ------------------------- 

 
 --------------------- SSHD Begin ------------------------ 

 
 SSHD Killed: 2 Time(s)
 
 SSHD Started: 2 Time(s)
 
 Failed logins from:
    203.152.217.208: 37 times
    211.189.69.21: 31 times
 
 Illegal users from:
    203.152.217.208: 110 times
 
 
 Received disconnect:
    11: Bye Bye : 176 Time(s)
 
 ---------------------- SSHD End -------------------------
Does this mean a hacking attempt? I performed a whois on the IPs above and found out this:

Code:
inetnum:      203.152.192.0 - 203.152.223.255
netname:      INTERLINK
descr:        INTERLINK Co.,LTD
descr:        Sunshine60-35F 3-1-1 Higashi-ikebukuro
descr:        Toshima-city Tokyo 170-6035 Japan
country:      JP
admin-c:      JNIC1-AP
tech-c:       JNIC1-AP
status:       ALLOCATED PORTABLE
remarks:      Email address for spam or abuse complaints : 
mnt-by:       MAINT-JPNIC
mnt-lower:    MAINT-JPNIC
changed:       20050804
changed:       20070913
source:       APNIC

role:         Japan Network Information Center
address:      Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
address:      Chiyoda-ku, Tokyo 101-0047, Japan
country:      JP
phone:        +81-3-5297-2311
fax-no:       +81-3-5297-2312
e-mail:       
admin-c:      JI13-AP
tech-c:       JE53-AP
nic-hdl:      JNIC1-AP
mnt-by:       MAINT-JPNIC
changed:       20041222
changed:       20050324
changed:       20051027
source:       APNIC

inetnum:      203.152.217.192 - 203.152.217.223
netname:      IOSYSTEM
descr:        IO SYSTEM Co., Ltd.
country:      JP
admin-c:      JP00006345
tech-c:       JP00006354
remarks:      This information has been partially mirrored by APNIC from
remarks:      JPNIC. To obtain more specific information, please use the
remarks:      JPNIC WHOIS Gateway at
remarks:      http://www.nic.ad.jp/en/db/whois/en-gateway.html or
remarks:      whois.nic.ad.jp for WHOIS client. (The WHOIS client
remarks:      defaults to Japanese output, use the /e switch for English
remarks:      output)
changed:       20070510
source:       JPNIC
If this is really a hacking attempt, how can I protect myself? I have just enabled SELinux and need to reboot for the change to take effect.

Thanks,
#2
daveb, 17th March 2008, 02:30

You should try fail2ban and or denyhosts.
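Added example, not part of the thread: the logwatch numbers in the first post are counted from lines like the ones below in /var/log/secure, and a fail2ban- or denyhosts-style tool does nothing more than the same counting per source address and then blocks the sources that cross a threshold. The parser keeps the two kinds of failure apart the way logwatch does: "Failed password for invalid user X" means the account does not exist (the "Illegal users" section), "Failed password for X" means a real account with a wrong password (the "Failed logins" section). The sample log lines are constructed for the example; only the source addresses are taken from the report above, the usernames, PIDs, ports and timestamps are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/secure lines in the format OpenSSH's sshd
# writes (syslog prefix, then the auth message). The source addresses are the
# ones in the logwatch report above; usernames, PIDs, ports and timestamps are
# made up. Each failed attempt produces one "Failed password" line; when the
# account does not exist sshd also logs an "Invalid user" line first.
SAMPLE_LOG = """\
Mar 16 03:12:44 box sshd[4211]: Invalid user oracle from 203.152.217.208
Mar 16 03:12:44 box sshd[4211]: Failed password for invalid user oracle from 203.152.217.208 port 40122 ssh2
Mar 16 03:12:47 box sshd[4213]: Invalid user test from 203.152.217.208
Mar 16 03:12:47 box sshd[4213]: Failed password for invalid user test from 203.152.217.208 port 40130 ssh2
Mar 16 03:12:50 box sshd[4215]: Failed password for adm from 203.152.217.208 port 40138 ssh2
Mar 16 03:12:53 box sshd[4217]: Failed password for root from 211.189.69.21 port 2215 ssh2
Mar 16 03:12:56 box sshd[4217]: Failed password for root from 211.189.69.21 port 2215 ssh2
Mar 16 03:12:59 box sshd[4217]: Failed password for root from 211.189.69.21 port 2215 ssh2
Mar 16 03:13:02 box sshd[4219]: Failed password for root from 211.189.69.21 port 2216 ssh2
Mar 16 03:13:30 box sshd[4221]: Failed password for musty from 192.168.2.222 port 51000 ssh2
Mar 16 03:13:36 box sshd[4221]: Accepted password for musty from 192.168.2.222 port 51000 ssh2
"""

# "Failed password for invalid user X from H port P" -> account does not exist
# "Failed password for X from H port P"              -> real account, wrong password
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<host>\S+) port \d+"
)


class HostActivity:
    """Per-source counters, split the way logwatch splits them."""

    def __init__(self):
        self.invalid = 0          # logwatch "Illegal users": account does not exist
        self.failed = 0           # logwatch "Failed logins": real account, bad password
        self.accepted = 0         # successful logins
        self.users = Counter()    # which account names were tried


def parse_secure_log(text):
    """Return {source_host: HostActivity} for the sshd lines in `text`.
    The "Invalid user" line is deliberately not counted: the matching
    "Failed password for invalid user" line already records that attempt."""
    hosts = defaultdict(HostActivity)
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            act = hosts[m.group("host")]
            if m.group("invalid"):
                act.invalid += 1
            else:
                act.failed += 1
            act.users[m.group("user")] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            hosts[m.group("host")].accepted += 1
            hosts[m.group("host")].users[m.group("user")] += 1
    return dict(hosts)


def hosts_to_block(hosts, max_failures):
    """Sources with at least `max_failures` failed attempts of either kind.
    This is the rule fail2ban applies with its maxretry setting, except that
    fail2ban also limits the count to a time window (findtime)."""
    return sorted(h for h, a in hosts.items() if a.invalid + a.failed >= max_failures)


def successes_after_failures(hosts):
    """Sources that got in after failing: worth a manual look, because a
    brute force that eventually succeeded looks exactly like this."""
    return sorted(h for h, a in hosts.items() if a.accepted and (a.invalid + a.failed))


def logwatch_style_summary(hosts):
    """Render the same two sections the SSHD part of the report above shows."""
    lines = ["Failed logins from:"]
    lines += [f"   {h}: {a.failed} times" for h, a in sorted(hosts.items()) if a.failed]
    lines.append("Illegal users from:")
    lines += [f"   {h}: {a.invalid} times" for h, a in sorted(hosts.items()) if a.invalid]
    return lines


if __name__ == "__main__":
    activity = parse_secure_log(SAMPLE_LOG)
    print("\n".join(logwatch_style_summary(activity)))
    print("block:", hosts_to_block(activity, max_failures=3))
    print("review:", successes_after_failures(activity))
```

Two things the counting shows that the report alone does not: the 110 "illegal user" attempts and the 37 "failed logins" from 203.152.217.208 are the same scanner working through a word list of account names, hitting the system accounts that happen to exist (adm, bin, daemon, ...) along the way, and a blocking threshold has to apply to the sum of both kinds, otherwise a scanner that only tries non-existent names is never blocked. The LAN address that failed once and then logged in is the case a blocklist must not punish, which is why fail2ban and denyhosts both have an ignore/allow list for trusted networks.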
#3
zcworld, 17th March 2008, 04:40

lol
welcome to the world of SSH hacking

I had a log of about 1 MB of SSH hits on my test box,
but I changed the SSH port over to 222 or something else and it almost dropped to nothing.
#4
Leszek, 17th March 2008, 11:08

Disabling remote root logins is a must too.
#5
Musty, 17th March 2008, 18:20

Thank you all guys for the info. I am just wondering why this stupid Japanese chimp is trying to access my box! There is nothing of interest anyway, just a personal blog and some futilities. But of course, he needed my password to do that, huh? Well, I have changed it to such a difficult one that by brute force it would take him 200 years to find out.

I will try those tools and see what they are able to do. Also zcworld, how would I go about changing the port of SSH? What is this SSH anyway? Can I uninstall it?

Finally, I use remote root login within my LAN, is that also unsafe?

Thank you all again for your info
#6
daveb, 17th March 2008, 18:36

I would install fail2ban and denyhosts, use strong passwords, maybe change the port also as zcworld suggested, and disable remote root logins in your sshd_conf as Leszek suggested.
There will always be someone trying to get a sneak peek into your system, so just make sure you have it secured.
#7
zcworld, 18th March 2008, 02:23

sshd_config is at /etc/ssh/sshd_config

also there is the rootlogin = yes
change to no

and you may need to add yourself to the wheel group if you need to su up at some later time
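Added example, not from the thread: the two sshd_config changes recommended above (a non-default Port, and no remote root login; the directive for the latter is PermitRootLogin in /etc/ssh/sshd_config) together with the one way they commonly fail to take effect. sshd uses the first value it finds for a keyword and ignores later ones, so appending "PermitRootLogin no" to the end of a file that already says "PermitRootLogin yes" changes nothing. The audit below parses a config the way sshd does (whole-line comments, case-insensitive keywords, first occurrence wins, everything after a Match line is conditional) and reports the weak settings. The three configs are constructed for the example; the defaults table reflects OpenSSH of that period, where PermitRootLogin defaulted to yes.

```python
import re

# Defaults sshd applies when a keyword is absent. PermitRootLogin defaulted to
# "yes" in the OpenSSH releases of this period (OpenSSH 7.0 later changed it).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
}

# Constructed configs. WEAK is what a stock install of the time looked like.
WEAK = """\
# constructed sshd_config: stock settings
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

# The classic mistake: appending the fix at the end. sshd takes the FIRST value
# it sees for a keyword, so the earlier "yes" still wins and root stays open.
APPENDED = WEAK + """
# appended later, hoping to close remote root
PermitRootLogin no
"""

# What the thread recommends: non-default port, no remote root.
HARDENED = """\
Port 222
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
UsePAM yes
"""


def parse_global_scope(text):
    """Effective global settings of an sshd_config, following sshd's rules:
    whole-line '#' comments, case-insensitive keywords, 'Keyword value' or
    'Keyword=value', first occurrence of a keyword wins, and everything after
    the first Match line is conditional (not evaluated here)."""
    settings = {}
    has_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            has_match = True
            break
        settings.setdefault(key, value)      # first one wins, later ones ignored
    return settings, has_match


def audit(text):
    """Return (keyword, effective_value, severity, advice) tuples."""
    settings, has_match = parse_global_scope(text)

    def eff(key):
        return settings.get(key, DEFAULTS[key])

    findings = []
    if eff("permitrootlogin") == "yes":
        findings.append(("permitrootlogin", "yes", "high",
                         "root is reachable by password guessing; set PermitRootLogin no "
                         "and log in as a user who can su or sudo"))
    if eff("port") == "22":
        findings.append(("port", "22", "low",
                         "default port; moving it cuts scanner noise but is not a control"))
    if eff("passwordauthentication") == "yes":
        findings.append(("passwordauthentication", "yes", "info",
                         "password logins allowed; keep passwords strong or switch to keys"))
    if has_match:
        findings.append(("match", "", "info",
                         "Match blocks present; settings inside them override the above "
                         "for matching connections and were not evaluated"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("appended", APPENDED), ("hardened", HARDENED)):
        print(name)
        for kw, val, sev, why in audit(cfg):
            print(f"  [{sev}] {kw}={val or '-'}: {why}")
```

After editing the real file, run `sshd -t` to syntax-check it before restarting sshd, and keep the existing session open until a new login on the new port works. Two caveats for the setup described in this thread: with SELinux enforcing the targeted policy, sshd is only allowed to bind ports labelled ssh_port_t (22 by default), so a changed Port needs `semanage port -a -t ssh_port_t -p tcp 222` (and a matching firewall rule) first or sshd will fail to start; and moving the port only removes the noise from scanners that try 22, it does not stop anyone who port-scans the host, so PermitRootLogin no and a blocking tool remain the actual controls.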