[PLUG] How did they do this?
Rich Shepard
rshepard at appl-ecosys.com
Sat May 11 22:38:33 UTC 2002
On Sat, 11 May 2002, Galen Seitz wrote:
> Rich is running floppyfw, which doesn't even have rlogin and friends. Unless
> he has intentionally forwarded the rlogin port to an internal machine,
> which is unlikely, I don't think we are seeing an attempt on this port.
As I posted before, ports 22 and 25 are ACCEPTED and 80 is DENYed until I
get httpd configured and secure.
Turns out that inetd *is* running, with ftp, telnet, shell and login
enabled. But, I thought those were not visible externally.
> My guess is someone attempted to come in via ssh, perhaps using password
> authentication. Rich, could you post your log entry again and sshd version.
May 11 08:25:20 salmo PAM_pwdb[15537]: check pass; user unknown
May 11 08:25:21 salmo login[15537]: FAILED LOGIN 1 FROM (null) FOR 202.166.28.209,
User not known to the underlying authentication module
and openssh-2.3.0p1-1 is what's running now
Searching /var/log/messages from the top for the string, "FAILED LOGIN",
reveals not only my typos as I log in, but other entries such as this one:
Mar 13 06:17:38 salmo login: FAILED LOGIN 1 FROM (null) FOR , User not
known to the underlying authentication module
That's the only reference; nothing before or following to explain the
context.
Here're more:
Apr 28 13:37:02 salmo login[14053]: FAILED LOGIN 1 FROM (null) FOR pine,
User not known to the underlying authentication module
Apr 28 19:36:34 salmo login[14672]: FAILED LOGIN 1 FROM (null) FOR pine,
User not known to the underlying authentication module
Then nothing until today's.
> Also, you might want to feed it into google to see if you can find an
> explanation.
Google finds 374 entries for "check pass; user unknown". Some of the
references showing from (null) are to telnetd.
Thanks,
Rich
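An added example, not code from Rich's post or from any tool the thread mentions: a small Python parser for the wrapped `login` records quoted above. It re-joins each two-line entry, pulls out the `FROM` host and `FOR` user fields, and labels the user field as empty, an IPv4 address or an ordinary name, so an entry like the 11 May one (an IP address where a username belongs) is separated from typo'd logins. The sample log is constructed from the shapes quoted in the thread.

```python
import re

# Constructed sample in the shape of the /var/log/messages excerpts quoted in
# the post; the mailer wrapped each login(1) record onto two lines.
SAMPLE_LOG = """\
May 11 08:25:20 salmo PAM_pwdb[15537]: check pass; user unknown
May 11 08:25:21 salmo login[15537]: FAILED LOGIN 1 FROM (null) FOR 202.166.28.209,
User not known to the underlying authentication module
Mar 13 06:17:38 salmo login: FAILED LOGIN 1 FROM (null) FOR , User not
known to the underlying authentication module
Apr 28 13:37:02 salmo login[14053]: FAILED LOGIN 1 FROM (null) FOR pine,
User not known to the underlying authentication module
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"login(?:\[(?P<pid>\d+)\])?: FAILED LOGIN \d+ FROM (?P<src>\S+) "
    r"FOR (?P<user>[^,]*), (?P<reason>.*)$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def join_wrapped(text):
    """Re-join wrapped records: a line with no timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records

def classify_user(user):
    """What the client sent as a username: nothing, an IPv4 address, or a name."""
    if user == "":
        return "empty"
    if IPV4.match(user):
        return "ip-as-username"
    return "name"

def parse_failed_logins(text):
    """Return login(1) FAILED LOGIN records as dicts; other syslog lines are skipped."""
    out = []
    for rec in join_wrapped(text):
        m = FAILED.match(rec)
        if m:                      # the PAM_pwdb "check pass" line does not match
            d = m.groupdict()      # ts, host, pid, src, user, reason
            d["kind"] = classify_user(d["user"])
            out.append(d)
    return out
```

Running `parse_failed_logins(open("/var/log/messages").read())` on a real file gives the same dicts; a `src` of `(null)` is simply what `login` recorded when it had no remote host name to log.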