Hacking attempt?

Discussion in 'Server Operation' started by Musty, Mar 16, 2008.

  1. Musty

    Musty New Member

    Hey guys,
    My automatic logwatch email showed the following message :

     --------------------- pam_unix Begin ------------------------ 
        Authentication Failures:
            rhost= : 1 Time(s)
        Unknown Entries:
           check pass; user unknown: 1 Time(s)
        Authentication Failures:
           unknown (www.e-hainyo.jp): 110 Time(s)
           root ( 31 Time(s)
           root (www.e-hainyo.jp): 15 Time(s)
           adm (www.e-hainyo.jp): 1 Time(s)
           apache (www.e-hainyo.jp): 1 Time(s)
           bin (www.e-hainyo.jp): 1 Time(s)
           daemon (www.e-hainyo.jp): 1 Time(s)
           ftp (www.e-hainyo.jp): 1 Time(s)
           games (www.e-hainyo.jp): 1 Time(s)
           halt (www.e-hainyo.jp): 1 Time(s)
           lp (www.e-hainyo.jp): 1 Time(s)
           mail (www.e-hainyo.jp): 1 Time(s)
           mysql (www.e-hainyo.jp): 1 Time(s)
           named (www.e-hainyo.jp): 1 Time(s)
           news (www.e-hainyo.jp): 1 Time(s)
           nobody (www.e-hainyo.jp): 1 Time(s)
           operator (www.e-hainyo.jp): 1 Time(s)
           postgres (www.e-hainyo.jp): 1 Time(s)
           rpm (www.e-hainyo.jp): 1 Time(s)
           shutdown (www.e-hainyo.jp): 1 Time(s)
           smmsp (www.e-hainyo.jp): 1 Time(s)
           sshd (www.e-hainyo.jp): 1 Time(s)
           sync (www.e-hainyo.jp): 1 Time(s)
           tomcat (www.e-hainyo.jp): 1 Time(s)
           uucp (www.e-hainyo.jp): 1 Time(s)
        Invalid Users:
           Unknown Account: 110 Time(s)
        Sessions Opened:
           (uid=0) -> root: 4 Time(s)
     ---------------------- pam_unix End ------------------------- 
     --------------------- Connections (secure-log) Begin ------------------------ 
     **Unmatched Entries**
        webmin: Successful login as root from : 1 Time(s)
        webmin: Timeout of session for root : 1 Time(s)
        webmin: Webmin starting : 2 Time(s)
     ---------------------- Connections (secure-log) End ------------------------- 
     --------------------- SSHD Begin ------------------------ 
     SSHD Killed: 2 Time(s)
     SSHD Started: 2 Time(s)
     Failed logins from: 37 times 31 times
     Illegal users from: 110 times
     Received disconnect:
        11: Bye Bye : 176 Time(s)
     ---------------------- SSHD End ------------------------- 
    Does this meant a hacking attempt? I performed a whois on the IPs above and found out this :

    inetnum: -
    netname:      INTERLINK
    descr:        INTERLINK Co.,LTD
    descr:        Sunshine60-35F 3-1-1 Higashi-ikebukuro
    descr:        Toshima-city Tokyo 170-6035 Japan
    country:      JP
    admin-c:      JNIC1-AP
    tech-c:       JNIC1-AP
    status:       ALLOCATED PORTABLE
    remarks:      Email address for spam or abuse complaints : 
    mnt-by:       MAINT-JPNIC
    mnt-lower:    MAINT-JPNIC
    changed:       20050804
    changed:       20070913
    source:       APNIC
    role:         Japan Network Information Center
    address:      Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
    address:      Chiyoda-ku, Tokyo 101-0047, Japan
    country:      JP
    phone:        +81-3-5297-2311
    fax-no:       +81-3-5297-2312
    admin-c:      JI13-AP
    tech-c:       JE53-AP
    nic-hdl:      JNIC1-AP
    mnt-by:       MAINT-JPNIC
    changed:       20041222
    changed:       20050324
    changed:       20051027
    source:       APNIC
    inetnum: -
    netname:      IOSYSTEM
    descr:        IO SYSTEM Co., Ltd.
    country:      JP
    admin-c:      JP00006345
    tech-c:       JP00006354
    remarks:      This information has been partially mirrored by APNIC from
    remarks:      JPNIC. To obtain more specific information, please use the
    remarks:      JPNIC WHOIS Gateway at
    remarks:      http://www.nic.ad.jp/en/db/whois/en-gateway.html or
    remarks:      whois.nic.ad.jp for WHOIS client. (The WHOIS client
    remarks:      defaults to Japanese output, use the /e switch for English
    remarks:      output)
    changed:       20070510
    source:       JPNIC
    If this is really a hacking attempt, how can I protect myself. I have just enabled Selinux and need to reboot for the change to take effect.

  2. daveb

    daveb Member

    You should try fail2ban and or denyhosts.
  3. zcworld

    zcworld New Member

    welcome to the world of SSH hacking

    i had a log like 1 MB of ssh hits on my test box
    but i changed the ssh port over to 222 or something else and it almost droped to nothing :)
  4. Leszek

    Leszek Member

    Disabling remote root logins is a must to.
  5. Musty

    Musty New Member

    Thank you all guys for the info. I am just wondering why this stupid Japanese chimp is trying to access my box! There is nothing of interest anyways, just a personal blog and some futilities. But of course, he needed my password to do that, huh? Well I have changed that to such a difficult one that with Brute Force it would take him 200 years to find out.

    I will try those tools and see what they are able to do. Also zcworld, how would I go about changing the port of SSH. What is this SSH anyways? Can I uninstall it?

    Finally, I use remote root login within my LAN, is that also unsafe?

    Thank you all again for your info
  6. daveb

    daveb Member

    I would install fail2ban and denyhost, use strong passwords, maybe change the port also as zcworld suggested, disable remote root logins in your sshd_conf as Leszek suggested.
    Their will always be someone trying to get a sneak peek into your system so just make sure you have it secured.
  7. zcworld

    zcworld New Member

    sshd_config is at /etc/ssh/sshd_config

    also there is the rootlogin = yes
    change to no

    and you may need to add urself to the wheel group if you need to SU up at some later time

Share This Page