[CLUE-Tech] possible breakin attempt

Chris Schock black at clapthreetimes.com
Thu Oct 28 13:00:21 MDT 2004


Google should have a wealth of info on this. It means that the reverse DNS
was not the same as the forward DNS. Can you verify that the IP address is
legitimate?

Since it's from Asia, I'd guess not.

There is and has been a wealth of SSH attempts that have been happening
over the last month or two. They connect and try to log in to a dozen or
two accounts. I wouldn't be overly concerned, I get these daily. Just make
sure that the users they're trying to get into either don't exist or have
very good passwords. Also, disable remote root logins. I think by default
SSH allows that.

> Can anyone shed light on these messages in /var/log/auth.log:
>
> (all on one line but will line wrap here)
>
> Aug 30 12:46:50 mg2 sshd[10555]: reverse mapping checking getaddrinfo
> for ip-202-147-54-103.asianetcom.net failed - POSSIBLE BREAKIN ATTEMPT!
>
> There were 9 such messages on Aug 30th and 107 on Oct 9th.
>
> What are they trying to exploit?
>
> chkrootkit and rkhunter found nothing. What else should I check?
>
> Thanks,
>
> Mike
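To act on Chris's advice, it helps to see which accounts the scanners are actually trying and how the reverse-mapping warnings cluster by day. The script below is an added example, not code from the list thread; the log lines are constructed in the auth.log format Mike quoted, with the "Failed password" lines OpenSSH logs for the attempts that follow such a warning.

```python
import re
from collections import Counter

# Constructed sample lines in the auth.log format Mike quoted, plus the
# "Failed password" lines OpenSSH writes for the login attempts that follow.
SAMPLE_LOG = """\
Aug 30 12:46:50 mg2 sshd[10555]: reverse mapping checking getaddrinfo for ip-202-147-54-103.asianetcom.net failed - POSSIBLE BREAKIN ATTEMPT!
Aug 30 12:46:52 mg2 sshd[10555]: Failed password for invalid user test from 202.147.54.103 port 4122 ssh2
Aug 30 12:46:55 mg2 sshd[10557]: Failed password for root from 202.147.54.103 port 4130 ssh2
Oct  9 03:11:02 mg2 sshd[22010]: reverse mapping checking getaddrinfo for ip-202-147-54-103.asianetcom.net failed - POSSIBLE BREAKIN ATTEMPT!
Oct  9 03:11:04 mg2 sshd[22010]: Failed password for invalid user admin from 202.147.54.103 port 5001 ssh2
Oct  9 03:11:09 mg2 sshd[22012]: Failed password for root from 202.147.54.103 port 5004 ssh2
"""

# syslog prefix: "Mon  D HH:MM:SS host sshd[pid]: "
PREFIX = r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \S+ \S+ sshd\[\d+\]: "
REVMAP = re.compile(PREFIX + r"reverse mapping checking getaddrinfo for (?P<host>\S+) failed - POSSIBLE BREAKIN ATTEMPT!")
FAILED = re.compile(PREFIX + r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


def summarize(log_text):
    """Tally reverse-mapping warnings per day and host, and the accounts that
    were actually tried, so the admin can check which of them exist."""
    revmap_by_day = Counter()      # (date, reverse name) -> warning count
    users_tried = Counter()        # account name -> failed attempts
    invalid_users = set()          # names sshd reported as nonexistent
    root_attempts = 0              # why PermitRootLogin matters
    for line in log_text.splitlines():
        m = REVMAP.match(line)
        if m:
            revmap_by_day[(f"{m['mon']} {int(m['day'])}", m["host"])] += 1
            continue
        m = FAILED.match(line)
        if m:
            users_tried[m["user"]] += 1
            if m["invalid"]:
                invalid_users.add(m["user"])
            if m["user"] == "root":
                root_attempts += 1
    return {
        "revmap_by_day": dict(revmap_by_day),
        "users_tried": dict(users_tried),
        "invalid_users": invalid_users,
        "root_attempts": root_attempts,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Any name in `users_tried` that is not in `invalid_users` is a real account on the box and deserves a password check; a non-zero `root_attempts` is the case `PermitRootLogin no` in sshd_config closes off.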