看板FB_security
标 题Re: sequences in the auth.log
发信站NCTU CSIE FreeBSD Server (Wed Aug 18 11:55:56 2004)
转信站ptt!FreeBSD.csie.NCTU!not-for-mail
I'm seeing the same thing in my log. It makes me think it is a virus because
test, guest, and admin are not normal unix users.
Jul 17 04:14:13 newman sshd[2630]: Illegal user test from 129.194.21.5
Jul 17 04:14:14 newman sshd[2632]: Illegal user guest from 129.194.21.5
Jul 24 19:29:26 newman sshd[43831]: Illegal user test from 69.0.134.72
Jul 24 19:29:26 newman sshd[43838]: Illegal user guest from 69.0.134.72
Jul 24 19:29:27 newman sshd[43840]: Illegal user admin from 69.0.134.72
Jul 24 19:29:27 newman sshd[43842]: Illegal user admin from 69.0.134.72
Jul 24 19:29:27 newman sshd[43844]: Illegal user user from 69.0.134.72
Jul 24 19:29:33 newman sshd[43853]: Illegal user test from 69.0.134.72
Jul 24 21:17:05 newman sshd[45031]: Illegal user test from 202.6.75.195
Jul 24 21:17:07 newman sshd[45033]: Illegal user guest from 202.6.75.195
Jul 25 02:04:17 newman sshd[34873]: Illegal user test from 211.202.3.148
Jul 25 02:04:19 newman sshd[34875]: Illegal user guest from 211.202.3.148
Jul 28 12:09:17 newman sshd[16613]: Illegal user test from 65.61.98.16
Jul 28 12:09:18 newman sshd[16615]: Illegal user guest from 65.61.98.16
Jul 31 08:18:09 newman sshd[98113]: Illegal user test from 65.194.200.129
Jul 31 08:18:10 newman sshd[98116]: Illegal user guest from 65.194.200.129
Aug 1 22:47:50 newman sshd[1520]: Illegal user test from 202.114.73.4
Aug 1 22:47:53 newman sshd[1522]: Illegal user guest from 202.114.73.4
Aug 4 21:09:11 newman sshd[39267]: Illegal user test from 218.38.216.168
Aug 4 21:09:13 newman sshd[39269]: Illegal user guest from 218.38.216.168
Aug 7 13:53:00 newman sshd[15889]: Illegal user test from 64.246.20.43
Aug 7 13:53:00 newman sshd[15891]: Illegal user guest from 64.246.20.43
Aug 7 13:53:01 newman sshd[15893]: Illegal user admin from 64.246.20.43
Aug 7 14:00:37 newman sshd[15970]: Illegal user test from 64.246.20.43
Aug 7 14:00:38 newman sshd[15972]: Illegal user guest from 64.246.20.43
Aug 7 14:00:39 newman sshd[15974]: Illegal user admin from 64.246.20.43
Aug 7 14:00:40 newman sshd[15976]: Illegal user admin from 64.246.20.43
Aug 7 14:00:41 newman sshd[15978]: Illegal user user from 64.246.20.43
Aug 7 14:00:44 newman sshd[15986]: Illegal user test from 64.246.20.43
Aug 8 06:48:05 newman sshd[51656]: Illegal user test from 64.151.89.172
Aug 8 06:48:06 newman sshd[51658]: Illegal user guest from 64.151.89.172
Aug 8 06:48:07 newman sshd[51660]: Illegal user admin from 64.151.89.172
Aug 8 06:48:08 newman sshd[51662]: Illegal user admin from 64.151.89.172
Aug 8 06:48:08 newman sshd[51664]: Illegal user user from 64.151.89.172
Aug 8 06:48:12 newman sshd[51672]: Illegal user test from 64.151.89.172
Aug 9 09:33:57 newman sshd[9346]: Illegal user test from 211.241.101.137
Aug 9 09:33:59 newman sshd[9348]: Illegal user guest from 211.241.101.137
Aug 9 09:34:01 newman sshd[9350]: Illegal user admin from 211.241.101.137
Aug 9 09:34:03 newman sshd[9352]: Illegal user admin from 211.241.101.137
Aug 9 09:34:04 newman sshd[9354]: Illegal user user from 211.241.101.137
Aug 9 09:34:13 newman sshd[9362]: Illegal user test from 211.241.101.137
Aug 9 15:54:37 newman sshd[11782]: Illegal user test from 80.64.104.66
Aug 9 15:54:39 newman sshd[11784]: Illegal user guest from 80.64.104.66
Aug 9 15:54:41 newman sshd[11786]: Illegal user admin from 80.64.104.66
Aug 9 15:54:43 newman sshd[11788]: Illegal user admin from 80.64.104.66
Aug 9 15:54:44 newman sshd[11790]: Illegal user user from 80.64.104.66
Aug 9 15:54:51 newman sshd[11798]: Illegal user test from 80.64.104.66
Aug 10 12:24:14 newman sshd[1392]: Illegal user test from 200.155.22.22
Aug 10 12:32:33 newman sshd[11361]: Illegal user test from 200.155.22.22
Aug 10 12:32:35 newman sshd[11364]: Illegal user guest from 200.155.22.22
Aug 10 12:32:37 newman sshd[11370]: Illegal user admin from 200.155.22.22
Aug 10 12:32:40 newman sshd[11372]: Illegal user admin from 200.155.22.22
Aug 10 12:32:42 newman sshd[11375]: Illegal user user from 200.155.22.22
Aug 10 12:32:51 newman sshd[11399]: Illegal user test from 200.155.22.22
Aug 10 20:22:59 newman sshd[1808]: Illegal user test from 63.251.144.88
Aug 16 04:41:53 newman sshd[31175]: Illegal user test from 210.223.178.180
Aug 16 04:41:54 newman sshd[31177]: Illegal user guest from 210.223.178.180
Aug 16 04:41:56 newman sshd[31179]: Illegal user admin from 210.223.178.180
Aug 16 04:41:58 newman sshd[31181]: Illegal user admin from 210.223.178.180
Aug 16 04:42:00 newman sshd[31183]: Illegal user user from 210.223.178.180
Aug 16 04:42:08 newman sshd[31191]: Illegal user test from 210.223.178.180
Aug 17 01:28:42 newman sshd[1507]: Illegal user test from 64.62.182.146
Aug 17 01:28:42 newman sshd[1509]: Illegal user guest from 64.62.182.146
Aug 17 01:28:43 newman sshd[1511]: Illegal user admin from 64.62.182.146
Aug 17 01:28:44 newman sshd[1513]: Illegal user admin from 64.62.182.146
Aug 17 01:28:45 newman sshd[1515]: Illegal user user from 64.62.182.146
Aug 17 01:28:48 newman sshd[1523]: Illegal user test from 64.62.182.146
On Friday 13 August 2004 09:05 am, Sandor Berta wrote:
> Hi all,
> I found similar sequences in the
> /var/auth.log files of freebsd boxes, I supervise.:
> Aug 13 13:56:08 www sshd[26091]: Illegal user test from 165.21.103.20
> Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 165.21.103.20
> Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:18 www sshd[26103]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:21 www sshd[26105]: Illegal user user from 165.21.103.20
> Aug 13 13:56:25 www sshd[26107]: Failed password for root from
> 165.21.103.20 port 39678 ssh2
> Aug 13 13:56:28 www sshd[26109]: Failed password for root from
> 165.21.103.20 port 39760 ssh2
> Aug 13 13:56:32 www sshd[26111]: Failed password for root from
> 165.21.103.20 port 39836 ssh2
> Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
> Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
> Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57
>
> What are these?
>
> bye
> Sandor Berta
>
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "[email protected]"
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "
[email protected]"