Hi all,

Thought you might want to know about this post I saw on Usenet
comp.os.linux.security with the subject "hacked?", posted Sun Dec 19:

>Caspar Wrede wrote:
> Then I notice that there is a user logged on who usually is NEVER
> logged on. The user is daniel and his password, stupidly, is daniel. Suddenly,
> he's logged in twice from two different IP addresses:

>Here's a snippet from my logs.  Note the 4th entry:

>Dec 10 07:21:29 frodo sshd[4940]: Illegal user jordan from
>Dec 10 07:21:31 frodo sshd[4943]: Illegal user michael from
>Dec 10 07:21:33 frodo sshd[4953]: Illegal user nicole from
>Dec 10 07:21:35 frodo sshd[4955]: Illegal user daniel from
>Dec 10 07:21:37 frodo sshd[4957]: Illegal user andrew from
>Dec 10 07:21:39 frodo sshd[4968]: Illegal user nathan from
>Dec 10 07:21:42 frodo sshd[4970]: Illegal user matthew from
>Dec 10 07:21:44 frodo sshd[4972]: Illegal user magic from
>Dec 10 07:21:46 frodo sshd[4983]: Illegal user lion from
>Dec 10 07:21:47 frodo sshd[4985]: Illegal user david from
>Dec 10 07:21:49 frodo sshd[4987]: Illegal user jason from
>Dec 10 07:21:51 frodo sshd[4997]: Illegal user ben from
>Dec 10 07:21:53 frodo sshd[5000]: Illegal user carmen from
>Dec 10 07:21:55 frodo sshd[5002]: Illegal user justin from
>Dec 10 07:21:57 frodo sshd[5004]: Illegal user charlie from
>Dec 10 07:21:59 frodo sshd[5014]: Illegal user steven from
>Dec 10 07:22:00 frodo sshd[5017]: Illegal user brandon from
>Dec 10 07:22:02 frodo sshd[5019]: Illegal user brian from
>Dec 10 07:22:04 frodo sshd[5029]: Illegal user stephen from
>Dec 10 07:22:06 frodo sshd[5031]: Illegal user william from
>Dec 10 07:22:08 frodo sshd[5034]: Illegal user angel from
>Dec 10 07:22:10 frodo sshd[5044]: Illegal user emily from
>Dec 10 07:22:12 frodo sshd[5046]: Illegal user eric from
>Dec 10 07:22:13 frodo sshd[5048]: Illegal user joe from

It happened while the victim was working on the PC and noticed the CPU
increase in gkrellm. So check your logs for something like this.
And if you use passwords instead of ssh keys, then make sure your
passwords are not simple to guess.

Seems some user/password scans are checking for easy sshd logins.

HTH, after all the security talk here lately ...
-- 
RickS                              Registered Linux user #338463
Mdk 10.1 OE - Linux 2.6.8.1-12mdk        @ http://counter.li.org
================================================================
gpg --recv-keys --keyserver www.keyserver.net 0x24AABE61
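
One way to run the log check suggested above, as an added example that is not part of the original post: it flags any source that tries many different user names within a short window, then lists password logins accepted from those same sources. The sample lines are constructed (the quoted log omits the source address, so documentation-range addresses stand in), and the threshold, window, year and "Accepted password" sample entries are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 2004  # assumption: syslog timestamps carry no year

# Constructed sample in the quoted format; addresses are placeholders.
SAMPLE_LOG = """\
Dec 10 07:21:29 frodo sshd[4940]: Illegal user jordan from 192.0.2.10
Dec 10 07:21:31 frodo sshd[4943]: Illegal user michael from 192.0.2.10
Dec 10 07:21:33 frodo sshd[4953]: Illegal user nicole from 192.0.2.10
Dec 10 07:21:35 frodo sshd[4955]: Illegal user andrew from 192.0.2.10
Dec 10 07:21:37 frodo sshd[4957]: Illegal user nathan from 192.0.2.10
Dec 10 07:21:40 frodo sshd[4960]: Accepted password for daniel from 192.0.2.10 port 4321 ssh2
Dec 10 09:02:11 frodo sshd[5100]: Illegal user jsmith from 198.51.100.7
Dec 10 09:05:00 frodo sshd[5111]: Accepted password for rick from 198.51.100.7 port 5000 ssh2
"""

# Older sshd logs "Illegal user", newer releases log "Invalid user".
LINE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(Illegal user|Invalid user|Accepted password for) (\S+) from (\S+)")

def analyze(text, min_users=5, window=timedelta(seconds=60)):
    """Return ({scanner_ip: [names tried]}, [(user, ip) logins from scanners])."""
    recent = defaultdict(list)   # ip -> [(time, user)] still inside the window
    scanners = defaultdict(set)  # ip -> user names tried during a burst
    logins = []                  # (user, ip) for every accepted password login
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, kind, user, ip = m.groups()
        when = datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        if kind.startswith("Accepted"):
            logins.append((user, ip))
            continue
        # Drop attempts that fell out of the window, then add this one.
        recent[ip] = [(t, u) for t, u in recent[ip] if when - t <= window]
        recent[ip].append((when, user))
        names = {u for _, u in recent[ip]}
        if len(names) >= min_users:
            scanners[ip] |= names
    suspicious = [(u, ip) for u, ip in logins if ip in scanners]
    return {ip: sorted(n) for ip, n in scanners.items()}, suspicious

if __name__ == "__main__":
    found, suspicious = analyze(SAMPLE_LOG)
    for ip, names in found.items():
        print(f"user-name scan from {ip}: {', '.join(names)}")
    for user, ip in suspicious:
        print(f"CHECK: password login for {user} accepted from scanning host {ip}")
```

A login accepted from a host that was guessing user names moments earlier is the entry to investigate first.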
