any clues to be found from this attempt on my ftp server last night?

Last night I got a bunch (100+) of root sshd login attempts

(from /var/log/messages:)

They come in bursts of 4-8 attempts (server name is billybob):
Sep  2 18:25:45 billybob sshd(pam_unix)[24928]: session opened for user root by (uid=0)
Sep  2 18:25:45 billybob sshd(pam_unix)[24928]: session closed for user root
Sep  2 18:30:44 billybob sshd(pam_unix)[24940]: session opened for user root by (uid=0)
Sep  2 18:30:44 billybob sshd(pam_unix)[24940]: session closed for user root
Sep  2 18:35:44 billybob sshd(pam_unix)[24950]: session opened for user root by (uid=0)
Sep  2 18:35:44 billybob sshd(pam_unix)[24950]: session closed for user root
Sep  2 18:40:45 billybob sshd(pam_unix)[24967]: session opened for user root by (uid=0)
Sep  2 18:40:45 billybob sshd(pam_unix)[24967]: session closed for user root
Sep  2 18:45:44 billybob sshd(pam_unix)[24975]: session opened for user root by (uid=0)
Sep  2 18:45:44 billybob sshd(pam_unix)[24975]: session closed for user root
Sep  2 18:50:44 billybob sshd(pam_unix)[24986]: session opened for user root by (uid=0)
Sep  2 18:50:44 billybob sshd(pam_unix)[24986]: session closed for user root
Sep  2 18:55:45 billybob sshd(pam_unix)[25001]: session opened for user root by (uid=0)
Sep  2 18:55:45 billybob sshd(pam_unix)[25001]: session closed for user root
Sep  2 19:00:44 billybob sshd(pam_unix)[25012]: session opened for user root by (uid=0)
Sep  2 19:00:44 billybob sshd(pam_unix)[25012]: session closed for user root
Sep  2 19:05:45 billybob sshd(pam_unix)[25034]: session opened for user root by (uid=0)
Sep  2 19:05:45 billybob sshd(pam_unix)[25034]: session closed for user root
Sep  2 19:10:44 billybob sshd(pam_unix)[25048]: session opened for user root by (uid=0)
Sep  2 19:10:44 billybob sshd(pam_unix)[25048]: session closed for user root
Sep  2 19:15:44 billybob sshd(pam_unix)[25057]: session opened for user root by (uid=0)
Sep  2 19:15:44 billybob sshd(pam_unix)[25057]: session closed for user root


then in dmesg I see:

TCP: Treason uncloaked! Peer 195.166.238.226:4028/80 shrinks window 1329363357:1329363358. Repaired.
TCP: Treason uncloaked! Peer 195.166.237.40:40097/80 shrinks window 1236637093:1236637094. Repaired.
TCP: Treason uncloaked! Peer 195.166.237.40:40097/80 shrinks window 1236637093:1236637094. Repaired.
ICMP: 212.205.224.169: Source Route Failed.
ICMP: 212.205.224.169: Source Route Failed.
ICMP: 212.205.224.169: Source Route Failed.
TCP: Treason uncloaked! Peer 195.166.237.40:17519/80 shrinks window 3466847992:3466847993. Repaired.
TCP: Treason uncloaked! Peer 195.166.237.40:17519/80 shrinks window 3466847992:3466847993. Repaired.
TCP: Treason uncloaked! Peer 195.166.237.40:3432/80 shrinks window 1877892648:1877892649. Repaired.
TCP: Treason uncloaked! Peer 163.150.137.68:7884/80 shrinks window 327676146:327678906. Repaired.
TCP: Treason uncloaked! Peer 66.178.47.30:1349/80 shrinks window 3629528221:3629528222. Repaired.
TCP: Treason uncloaked! Peer 66.178.47.30:3400/80 shrinks window 2557296823:2557296824. Repaired.
device eth0 entered promiscuous mode
device eth0 left promiscuous mode
device eth0 entered promiscuous mode
device eth0 left promiscuous mode
device eth0 entered promiscuous mode
device eth0 left promiscuous mode
device eth0 entered promiscuous mode
device eth0 left promiscuous mode
device eth0 entered promiscuous mode
device eth0 left promiscuous mode
device eth0 entered promiscuous mode
device eth0 left promiscuous mode
device eth0 entered promiscuous mode
device eth0 left promiscuous mode
device eth0 entered promiscuous mode
device eth0 left promiscuous mode
device eth0 entered promiscuous mode
device eth0 left promiscuous mode
device eth0 entered promiscuous mode
device eth0 left promiscuous mode
device eth0 entered promiscuous mode
device eth0 left promiscuous mode
TCP: Treason uncloaked! Peer 66.185.0.224:3457/443 shrinks window 2147295540:2147297000. Repaired.
TCP: Treason uncloaked! Peer 66.185.0.224:3457/443 shrinks window 2147295540:2147297000. Repaired.
TCP: Treason uncloaked! Peer 66.185.0.224:3457/443 shrinks window 2147295540:2147297000. Repaired.
TCP: Treason uncloaked! Peer 66.185.0.224:3457/443 shrinks window 2147295540:2147297000. Repaired.
TCP: Treason uncloaked! Peer 66.185.0.224:3457/443 shrinks window 2147295540:2147297000. Repaired.
TCP: Treason uncloaked! Peer 66.185.0.224:3457/443 shrinks window 2147295540:2147297000. Repaired.
TCP: Treason uncloaked! Peer 66.185.0.224:3457/443 shrinks window 2147295540:2147297000. Repaired.
TCP: Treason uncloaked! Peer 66.185.0.224:3457/443 shrinks window 2147295540:2147297000. Repaired.
TCP: Treason uncloaked! Peer 66.185.0.224:3457/443 shrinks window 2147295540:2147297000. Repaired.


ideas?

mrb



____________________
BYU Unix Users Group 
http://uug.byu.edu/ 
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
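
An added example, not part of the original post: it pairs the pam_unix session open/close lines by sshd PID and measures how long each session lasted and how far apart they started, which is the first thing to establish when triaging entries like these. The sample is the first four pairs from the excerpt with the mail-wrapped lines rejoined; the function names and the `year` default are assumptions (syslog timestamps carry no year).

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample: the first four open/close pairs from the post's excerpt,
# with the mail-wrapped lines rejoined.
SAMPLE = """\
Sep  2 18:25:45 billybob sshd(pam_unix)[24928]: session opened for user root by (uid=0)
Sep  2 18:25:45 billybob sshd(pam_unix)[24928]: session closed for user root
Sep  2 18:30:44 billybob sshd(pam_unix)[24940]: session opened for user root by (uid=0)
Sep  2 18:30:44 billybob sshd(pam_unix)[24940]: session closed for user root
Sep  2 18:35:44 billybob sshd(pam_unix)[24950]: session opened for user root by (uid=0)
Sep  2 18:35:44 billybob sshd(pam_unix)[24950]: session closed for user root
Sep  2 18:40:45 billybob sshd(pam_unix)[24967]: session opened for user root by (uid=0)
Sep  2 18:40:45 billybob sshd(pam_unix)[24967]: session closed for user root
"""

LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[(\d+)\]: "
    r"session (opened|closed) for user (\S+)"
)

def parse_sessions(text, year=2000):
    """Pair open/close lines by sshd PID -> [(user, opened, closed), ...].
    `year` is an assumption: syslog timestamps carry none."""
    pending, sessions = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, pid, event, user = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if event == "opened":
            pending[pid] = (user, ts)
        elif pid in pending:  # ignore a close with no matching open
            who, start = pending.pop(pid)
            sessions.append((who, start, ts))
    return sessions

def summarize(sessions, tolerance=2.0):
    """Session lengths and start-to-start gaps in seconds; `periodic` is True
    when every gap is within `tolerance` seconds of the median gap."""
    durations = [(end - start).total_seconds() for _, start, end in sessions]
    starts = [start for _, start, _ in sessions]
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    mid = median(gaps) if gaps else 0.0
    return {"sessions": len(sessions), "max_duration": max(durations, default=0.0),
            "gaps": gaps,
            "periodic": len(gaps) >= 2 and all(abs(g - mid) <= tolerance for g in gaps)}
```

pam_unix writes `session opened` once a session has been set up; rejected logins show up as `authentication failure` lines instead, so those are worth searching for separately in the same log.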
