From: "Admin ValhallaProjectet"
To: "'William Myers'"
Cc: freebsd-questions@freebsd.org
Date: Tue, 25 Oct 2011 19:34:35 +0200
Organization: The Valhalla Project
Subject: SV: Breakin attempt

Probably a bunch of bots. Not very intelligently used.
Really messed up my logfiles.
I was a bit curious if the purpose was just that, to mask some more clever real attacks, but haven't seen any signs of such.
I changed my ssh port, just to reduce the noise, and it all ceased.

/Hasse

-----Original message-----
From: William Myers [mailto:myers@crusader.bac.edu]
Sent: 25 October 2011 00:08
To: Admin ValhallaProjectet
Cc: freebsd-questions@freebsd.org
Subject: Re: Breakin attempt

I'm seeing the same thing from the same IP addresses.

William Myers
Associate Professor, Computer Studies
100 Belmont-Mount Holly Road
Belmont Abbey College
Belmont, NC 28012-1802
(704) 461-6823
FAX: (704) 461-5051
myers@crusader.bac.edu

On Sat, 22 Oct 2011, Admin ValhallaProjectet wrote:

> Hello all
>
> FreeBSD odin.thorshammare.org 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Oct 22
> 10:14:48 CEST 2011 hasse@odin.thorshammare.org:/usr/obj/usr/src/sys/ODIN
> i386
>
> Firewall PF.
>
> Blocking China and some other related countries in that region.
> Disabled ssh root logins
>
> Apparently, I'm under some kind of attack, for the last 3 days.
>
> Lots of attempts to ssh in as root from many different IP addresses.
>
> No bruteforce attempts.
>
> This just puzzles me. Using all these resources ? To achieve what ?
>
> Below is a one hour snip from my auth.log
>
> Nothing unusual in pflog
>
> Appreciate all ideas of how to proceed with this matter.
>
> Best regards Hasse
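
Added example, not part of either poster's message: a small auth.log summarizer for the pattern described in the thread, where root login failures arrive from many different addresses with only a few tries each, so a per-source threshold never fires. The sample lines are constructed (documentation addresses and .example names), and the function names and threshold values are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample in the sshd/PAM format quoted in the thread.
# Addresses are RFC 5737 documentation ranges; hostnames use .example.
SAMPLE = """\
Oct 22 12:00:19 host sshd[14359]: error: PAM: authentication error for root from 192.0.2.10
Oct 22 12:01:08 host sshd[14365]: Address 198.51.100.7 maps to a.example, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 12:01:09 host sshd[14365]: error: PAM: authentication error for root from 198.51.100.7
Oct 22 12:02:59 host sshd[14422]: error: PAM: authentication error for root from 203.0.113.5
Oct 22 12:03:36 host sshd[14865]: error: PAM: authentication error for root from mail.example
Oct 22 12:05:18 host sshd[18357]: error: PAM: authentication error for root from 192.0.2.10
Oct 22 12:07:27 host sshd[19542]: error: PAM: authentication error for admin from 203.0.113.99
"""

# Only the PAM failure lines count as attempts; the reverse-DNS warnings
# are informational and are followed by their own failure line.
FAIL = re.compile(r"sshd\[\d+\]: error: PAM: authentication error for (\S+) from (\S+)$")

def parse_failures(text):
    """Return a (user, source) tuple for every PAM authentication failure."""
    return [m.groups() for line in text.splitlines() if (m := FAIL.search(line))]

def summarize(text, per_source_limit=3, distinct_sources_alert=4):
    """Contrast per-source counts with per-account aggregates.

    The source is kept exactly as logged: sshd writes a hostname when
    reverse DNS resolves, so one host can appear under two spellings.
    """
    failures = parse_failures(text)
    by_source = Counter(src for _, src in failures)
    report = {
        # What a per-source blocker would act on.
        "over_source_limit": sorted(s for s, n in by_source.items() if n >= per_source_limit),
        # Accounts targeted from many sources, each under the limit.
        "distributed": {},
    }
    for user in {u for u, _ in failures}:
        sources = {s for u, s in failures if u == user}
        if len(sources) >= distinct_sources_alert:
            total = sum(1 for u, _ in failures if u == user)
            report["distributed"][user] = {"failures": total, "sources": len(sources)}
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the sample, no single source reaches the per-source limit, while the per-account view shows root failing from four distinct sources, which is the signal worth alerting on for this kind of traffic.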