I rebooted one of these servers and it hangs at the /proc file system.
Looking at the logs of the second machine, I notice that someone is trying to connect over ssh from the IP address 212.78.79.20.
I am attaching my secure.log file.
Dec 22 02:07:22 pop sshd[2272]: Did not receive identification string from 212.93.154.239
Dec 22 02:14:32 pop sshd[2277]: Illegal user test from 212.93.154.239
Dec 22 02:14:36 pop sshd[2279]: Illegal user guest from 212.93.154.239
Dec 22 02:14:39 pop sshd[2281]: Illegal user admin from 212.93.154.239
Dec 22 02:14:43 pop sshd[2283]: Illegal user admin from 212.93.154.239
Dec 22 02:14:45 pop sshd[2285]: Illegal user user from 212.93.154.239
Dec 22 02:14:54 pop sshd[2287]: Failed password for root from 212.93.154.239 port 2152 ssh2
Dec 22 02:15:01 pop sshd[2289]: Failed password for root from 212.93.154.239 port 2277 ssh2
Dec 22 02:15:06 pop sshd[2295]: Failed password for root from 212.93.154.239 port 2389 ssh2
Dec 22 02:15:08 pop sshd[2297]: Illegal user test from 212.93.154.239
Dec 22 04:00:09 pop sshd[2391]: Did not receive identification string from 212.78.79.20
Dec 22 04:07:16 pop sshd[2743]: Failed password for nobody from 212.78.79.20 port 51318 ssh2
Dec 22 04:07:18 pop sshd[2745]: Illegal user patrick from 212.78.79.20
Dec 22 04:07:20 pop sshd[2747]: Illegal user patrick from 212.78.79.20
Dec 22 04:07:24 pop sshd[2749]: Failed password for root from 212.78.79.20 port 53405 ssh2
Dec 22 04:07:29 pop sshd[2751]: Failed password for root from 212.78.79.20 port 54127 ssh2
Dec 22 04:07:33 pop sshd[2753]: Failed password for root from 212.78.79.20 port 54833 ssh2
Dec 22 04:07:35 pop sshd[2755]: Accepted password for root from 212.78.79.20 port 55505 ssh2
Dec 22 04:07:45 pop sshd[2797]: Failed password for root from 212.78.79.20 port 56774 ssh2
Dec 22 04:07:47 pop sshd[2799]: Illegal user rolo from 212.78.79.20
Dec 22 04:07:49 pop sshd[2801]: Illegal user iceuser from 212.78.79.20
Dec 22 04:07:51 pop sshd[2803]: Illegal user horde from 212.78.79.20
Dec 22 04:07:53 pop sshd[2805]: Illegal user cyrus from 212.78.79.20
Dec 22 04:07:55 pop sshd[2807]: Illegal user www from 212.78.79.20
Dec 22 04:07:57 pop sshd[2809]: Illegal user wwwrun from 212.78.79.20
Dec 22 04:07:59 pop sshd[2811]: Illegal user matt from 212.78.79.20
Dec 22 04:08:01 pop sshd[2813]: Illegal user test from 212.78.79.20
Dec 22 04:08:03 pop sshd[2815]: Illegal user test from 212.78.79.20
Dec 22 04:08:05 pop sshd[2817]: Illegal user test from 212.78.79.20
Dec 22 04:08:07 pop sshd[2819]: Illegal user test from 212.78.79.20
Dec 22 04:08:08 pop sshd[2821]: Illegal user www-data from 212.78.79.20
Dec 22 04:08:13 pop sshd[2823]: Failed password for mysql from 212.78.79.20 port 60777 ssh2
Dec 22 04:08:17 pop sshd[2825]: Failed password for operator from 212.78.79.20 port 33131 ssh2
Dec 22 04:08:21 pop sshd[2827]: Failed password for adm from 212.78.79.20 port 33708 ssh2
Dec 22 04:08:25 pop sshd[2829]: Failed password for apache from 212.78.79.20 port 34274 ssh2
Dec 22 04:08:27 pop sshd[2831]: Illegal user irc from 212.78.79.20
Dec 22 04:08:29 pop sshd[2833]: Illegal user irc from 212.78.79.20
Dec 22 04:08:34 pop sshd[2835]: Failed password for adm from 212.78.79.20 port 35388 ssh2
Dec 22 04:08:38 pop sshd[2837]: Failed password for root from 212.78.79.20 port 35951 ssh2
Dec 22 04:08:42 pop sshd[2839]: Failed password for root from 212.78.79.20 port 36501 ssh2
Dec 22 04:08:46 pop sshd[2841]: Failed password for root from 212.78.79.20 port 37057 ssh2
Dec 22 04:08:48 pop sshd[2843]: Illegal user jane from 212.78.79.20
Dec 22 04:08:50 pop sshd[2845]: Illegal user pamela from 212.78.79.20
Dec 22 04:08:54 pop sshd[2847]: Failed password for root from 212.78.79.20 port 38140 ssh2
Dec 22 04:08:59 pop sshd[2849]: Failed password for root from 212.78.79.20 port 38733 ssh2
Dec 22 04:09:03 pop sshd[2851]: Failed password for root from 212.78.79.20 port 39307 ssh2
Dec 22 04:09:07 pop sshd[2853]: Failed password for root from 212.78.79.20 port 39886 ssh2
Dec 22 04:09:11 pop sshd[2855]: Failed password for root from 212.78.79.20 port 40483 ssh2
Dec 22 04:09:13 pop sshd[2857]: Illegal user cosmin from 212.78.79.20
Dec 22 04:09:18 pop sshd[2859]: Failed password for root from 212.78.79.20 port 41347 ssh2
Dec 22 04:09:22 pop sshd[2861]: Failed password for root from 212.78.79.20 port 41924 ssh2
Dec 22 04:09:26 pop sshd[2863]: Failed password for root from 212.78.79.20 port 42460 ssh2
Dec 22 04:09:30 pop sshd[2865]: Failed password for root from 212.78.79.20 port 43039 ssh2
Dec 22 04:09:40 pop sshd[2867]: Failed password for root from 212.78.79.20 port 43593 ssh2
Dec 22 04:09:44 pop sshd[2869]: Failed password for root from 212.78.79.20 port 44802 ssh2
Dec 22 04:09:48 pop sshd[2871]: Failed password for root from 212.78.79.20 port 45385 ssh2
Dec 22 04:09:53 pop sshd[2873]: Failed password for root from 212.78.79.20 port 45929 ssh2
Dec 22 04:09:57 pop sshd[2875]: Failed password for root from 212.78.79.20 port 46493 ssh2
Dec 22 04:10:01 pop sshd[2877]: Failed password for root from 212.78.79.20 port 47028 ssh2
Dec 22 04:10:05 pop sshd[2883]: Failed password for root from 212.78.79.20 port 47559 ssh2
Dec 22 04:10:10 pop sshd[2885]: Failed password for root from 212.78.79.20 port 48090 ssh2
Dec 22 04:10:14 pop sshd[2887]: Failed password for root from 212.78.79.20 port 48619 ssh2
Dec 22 04:10:18 pop sshd[2889]: Failed password for root from 212.78.79.20 port 49159 ssh2
Dec 22 04:10:22 pop sshd[2891]: Failed password for root from 212.78.79.20 port 49711 ssh2
Dec 22 04:10:27 pop sshd[2893]: Failed password for root from 212.78.79.20 port 50252 ssh2
Dec 22 04:10:31 pop sshd[2895]: Failed password for root from 212.78.79.20 port 50820 ssh2
Dec 22 04:10:35 pop sshd[2897]: Failed password for root from 212.78.79.20 port 51413 ssh2
Dec 22 04:10:39 pop sshd[2899]: Failed password for root from 212.78.79.20 port 52011 ssh2
Dec 22 04:10:44 pop sshd[2901]: Failed password for root from 212.78.79.20 port 52602 ssh2
Dec 22 04:10:48 pop sshd[2903]: Failed password for root from 212.78.79.20 port 53198 ssh2
Dec 22 04:10:52 pop sshd[2905]: Failed password for root from 212.78.79.20 port 53806 ssh2
Dec 22 04:10:56 pop sshd[2907]: Failed password for root from 212.78.79.20 port 54389 ssh2
Dec 22 04:11:01 pop sshd[2909]: Failed password for root from 212.78.79.20 port 55004 ssh2
Dec 22 04:11:05 pop sshd[2911]: Failed password for root from 212.78.79.20 port 55611 ssh2
Dec 22 04:11:09 pop sshd[2913]: Failed password for root from 212.78.79.20 port 56210 ssh2
Dec 22 04:11:13 pop sshd[2915]: Failed password for root from 212.78.79.20 port 56772 ssh2
Dec 22 04:11:18 pop sshd[2917]: Failed password for root from 212.78.79.20 port 57314 ssh2
Dec 22 04:11:22 pop sshd[2919]: Failed password for root from 212.78.79.20 port 57859 ssh2
Dec 22 04:11:26 pop sshd[2921]: Failed password for root from 212.78.79.20 port 58402 ssh2
Dec 22 04:11:31 pop sshd[2923]: Failed password for root from 212.78.79.20 port 58927 ssh2
Dec 22 04:11:35 pop sshd[2925]: Failed password for root from 212.78.79.20 port 59483 ssh2
Dec 22 04:11:39 pop sshd[2927]: Failed password for root from 212.78.79.20 port 60023 ssh2
Dec 22 04:11:43 pop sshd[2929]: Failed password for root from 212.78.79.20 port 60533 ssh2
Dec 22 04:11:48 pop sshd[2931]: Failed password for root from 212.78.79.20 port 32803 ssh2
Dec 22 04:11:52 pop sshd[2933]: Failed password for root from 212.78.79.20 port 33338 ssh2
Dec 22 04:11:54 pop sshd[2935]: Illegal user cip52 from 212.78.79.20
Dec 22 04:11:56 pop sshd[2937]: Illegal user cip51 from 212.78.79.20
Dec 22 04:12:00 pop sshd[2939]: Failed password for root from 212.78.79.20 port 34329 ssh2
Dec 22 04:12:02 pop sshd[2941]: Illegal user noc from 212.78.79.20
Dec 22 04:12:06 pop sshd[2943]: Failed password for root from 212.78.79.20 port 35122 ssh2
Dec 22 04:12:10 pop sshd[2945]: Failed password for root from 212.78.79.20 port 35676 ssh2
Dec 22 04:12:15 pop sshd[2947]: Failed password for root from 212.78.79.20 port 36228 ssh2
Dec 22 04:12:19 pop sshd[2949]: Failed password for root from 212.78.79.20 port 36803 ssh2
Dec 22 04:12:21 pop sshd[2951]: Illegal user webmaster from 212.78.79.20
Dec 22 04:12:23 pop sshd[2953]: Illegal user data from 212.78.79.20
Dec 22 04:12:25 pop sshd[2955]: Illegal user user from 212.78.79.20
Dec 22 04:12:27 pop sshd[2957]: Illegal user user from 212.78.79.20
Dec 22 04:12:28 pop sshd[2959]: Illegal user user from 212.78.79.20
Dec 22 04:12:30 pop sshd[2961]: Illegal user web from 212.78.79.20
Dec 22 04:12:32 pop sshd[2963]: Illegal user web from 212.78.79.20
Dec 22 04:12:34 pop sshd[2965]: Illegal user oracle from 212.78.79.20
Dec 22 04:12:36 pop sshd[2967]: Illegal user sybase from 212.78.79.20
Dec 22 04:12:38 pop sshd[2969]: Illegal user master from 212.78.79.20
Dec 22 04:12:40 pop sshd[2971]: Illegal user account from 212.78.79.20
Dec 22 04:12:42 pop sshd[2973]: Illegal user backup from 212.78.79.20
Dec 22 04:12:44 pop sshd[2975]: Illegal user server from 212.78.79.20
Dec 22 04:12:46 pop sshd[2977]: Illegal user adam from 212.78.79.20
Dec 22 04:12:48 pop sshd[2979]: Illegal user alan from 212.78.79.20
Dec 22 04:12:49 pop sshd[2981]: Illegal user frank from 212.78.79.20
Dec 22 04:12:51 pop sshd[2983]: Illegal user george from 212.78.79.20
Dec 22 04:12:53 pop sshd[2985]: Illegal user henry from 212.78.79.20
Dec 22 04:12:55 pop sshd[2987]: Illegal user john from 212.78.79.20
Dec 22 04:12:59 pop sshd[2989]: Failed password for root from 212.78.79.20 port 41767 ssh2
Dec 22 04:13:04 pop sshd[2991]: Failed password for root from 212.78.79.20 port 42212 ssh2
Dec 22 04:13:08 pop sshd[2993]: Failed password for root from 212.78.79.20 port 42646 ssh2
Dec 22 04:13:12 pop sshd[2995]: Failed password for root from 212.78.79.20 port 43095 ssh2
Dec 22 04:13:16 pop sshd[2997]: Failed password for root from 212.78.79.20 port 43527 ssh2
Dec 22 04:13:18 pop sshd[2999]: Illegal user test from 212.78.79.20
Dec 22 08:23:03 pop sshd[3219]: Accepted password for root from 212.78.79.20 port 40528 ssh2
Have I been attacked?
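As an added example, not code from this thread or from any of its participants, the script below does mechanically what a reader has to do by eye with a secure.log like the one above: it parses each sshd line, tallies failed and illegal-user attempts per source address, and reports every accepted login that was preceded by attempts from the same address. It recognises the old "Illegal user" wording used in this log as well as the "Invalid user" wording of later OpenSSH releases, which goes slightly beyond what the log shows. The sample lines are an abridged copy of the log posted above; the threshold and the ten-minute window are arbitrary choices for the example.

```python
"""Flag SSH logins that look like brute-force successes in a syslog-style auth log."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Sample input: an abridged copy of the secure.log lines posted in this thread.
SAMPLE_LOG = """\
Dec 22 02:07:22 pop sshd[2272]: Did not receive identification string from 212.93.154.239
Dec 22 02:14:32 pop sshd[2277]: Illegal user test from 212.93.154.239
Dec 22 02:14:54 pop sshd[2287]: Failed password for root from 212.93.154.239 port 2152 ssh2
Dec 22 02:15:01 pop sshd[2289]: Failed password for root from 212.93.154.239 port 2277 ssh2
Dec 22 04:00:09 pop sshd[2391]: Did not receive identification string from 212.78.79.20
Dec 22 04:07:16 pop sshd[2743]: Failed password for nobody from 212.78.79.20 port 51318 ssh2
Dec 22 04:07:18 pop sshd[2745]: Illegal user patrick from 212.78.79.20
Dec 22 04:07:24 pop sshd[2749]: Failed password for root from 212.78.79.20 port 53405 ssh2
Dec 22 04:07:29 pop sshd[2751]: Failed password for root from 212.78.79.20 port 54127 ssh2
Dec 22 04:07:33 pop sshd[2753]: Failed password for root from 212.78.79.20 port 54833 ssh2
Dec 22 04:07:35 pop sshd[2755]: Accepted password for root from 212.78.79.20 port 55505 ssh2
Dec 22 04:07:45 pop sshd[2797]: Failed password for root from 212.78.79.20 port 56774 ssh2
Dec 22 04:13:18 pop sshd[2999]: Illegal user test from 212.78.79.20
Dec 22 08:23:03 pop sshd[3219]: Accepted password for root from 212.78.79.20 port 40528 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# Message shapes seen in the log above, plus the "Invalid user" wording of newer OpenSSH.
MSG_RE = {
    "failed": re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"),
    "accepted": re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"),
    "illegal": re.compile(r"^(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\S+)"),
    "noident": re.compile(r"^Did not receive identification string from (?P<ip>\S+)"),
}


@dataclass
class Event:
    ts: datetime
    kind: str
    user: str
    ip: str


def parse_log(text):
    """Turn sshd syslog lines into Events; lines that are not sshd auth messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime fills in 1900, which is fine for
        # ordering lines within one file
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        for kind, pat in MSG_RE.items():
            mm = pat.match(m.group("msg"))
            if mm:
                events.append(Event(ts, kind, mm.groupdict().get("user", "-"), mm.group("ip")))
                break
    return events


def summarize(events):
    """Per-source-IP counts; 'accepted' lists (time, user) of every successful login."""
    stats = defaultdict(lambda: {"failed": 0, "illegal": 0, "noident": 0, "accepted": []})
    for e in events:
        if e.kind == "accepted":
            stats[e.ip]["accepted"].append((e.ts.strftime("%b %d %H:%M:%S"), e.user))
        else:
            stats[e.ip][e.kind] += 1
    return dict(stats)


def suspicious_logins(events, threshold=3, window_seconds=600):
    """Report each accepted login whose source IP had at least `threshold` failed or
    illegal-user attempts earlier in the log. prior_failures counts all of them and
    recent_failures only those inside the window, so a success hours after the burst
    (like the 08:23:03 login above) is still reported, with recent_failures == 0."""
    failures = defaultdict(list)   # ip -> timestamps of failed/illegal events
    findings = []
    for e in events:               # assumes chronological order, as syslog writes it
        if e.kind in ("failed", "illegal"):
            failures[e.ip].append(e.ts)
        elif e.kind == "accepted" and len(failures[e.ip]) >= threshold:
            recent = [t for t in failures[e.ip] if e.ts - t <= timedelta(seconds=window_seconds)]
            findings.append({"ip": e.ip, "user": e.user, "time": e.ts.strftime("%b %d %H:%M:%S"),
                             "prior_failures": len(failures[e.ip]), "recent_failures": len(recent)})
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, s in summarize(evs).items():
        print(ip, s)
    for f in suspicious_logins(evs):
        print("SUSPECT:", f)
```

On the abridged sample this reports two accepted root logins from 212.78.79.20: the one at 04:07:35, which came a few seconds after five failed attempts, and the one at 08:23:03, which has no failures inside the ten-minute window but still follows a history of failures from that address. The "Did not receive identification string" probes are counted separately because they are connection scans, not authentication attempts.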
KOUAME KOUAKOU Charles Jonas
pascal

charlonet wrote:
> Hi,

Hi!

> 212.78.79.20 port 43095 ssh2
> Dec 22 04:13:16 pop sshd[2997]: Failed password for root from 212.78.79.20 port 43527 ssh2
> Dec 22 04:13:18 pop sshd[2999]: Illegal user test from 212.78.79.20
> Dec 22 08:23:03 pop sshd[3219]: Accepted password for root from 212.78.79.20 port 40528 ssh2

Did you allow root logins over ssh?
Well, in my humble opinion... someone made many attempts and apparently managed to log in...

Furthermore:
host 212.78.79.20 :
Host 20.79.78.212.in-addr.arpa not found: 3(NXDOMAIN)

You will have to think about cleaning up!
And forbid root logins:
PermitRootLogin no <--- in /etc/sshd_config

Pascal
--
"The future is something you have to think about in advance." R. Brautigan
--
Remember to read the list FAQ before asking a question: http://wiki.debian.net/?DebianFrench
Remember to add the word ``spam'' to your "From" and "Reply-To:" fields
To UNSUBSCRIBE, email to debian-user-french-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Mardaga Stephan

pascal wrote:
> charlonet wrote:
>> Hi,
>
> Hi!
>
>> 212.78.79.20 port 43095 ssh2
>> Dec 22 04:13:16 pop sshd[2997]: Failed password for root from 212.78.79.20 port 43527 ssh2
>> Dec 22 04:13:18 pop sshd[2999]: Illegal user test from 212.78.79.20
>> Dec 22 08:23:03 pop sshd[3219]: Accepted password for root from 212.78.79.20 port 40528 ssh2
>
> Did you allow root logins over ssh?
> Well, in my humble opinion... someone made many attempts and apparently managed to log in...
>
> Furthermore:
> host 212.78.79.20 :
> Host 20.79.78.212.in-addr.arpa not found: 3(NXDOMAIN)
>
> You will have to think about cleaning up!
> And forbid root logins:
> PermitRootLogin no <--- in /etc/sshd_config
>
> Pascal

Or only accept SSH connections locally:
in sshd_config: ListenAddress 192.168.1.1

Stephan
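As an added example, not a configuration from this thread, the Python checker below reads an sshd_config and reports the two settings Pascal and Stephan recommend (PermitRootLogin and ListenAddress) together with PasswordAuthentication. It applies two rules from sshd_config(5) that are easy to get wrong when editing by hand: for each keyword the first value sshd reads is the one that counts, and anything after a Match line is conditional rather than global. Both configuration texts are constructed for the example; the 192.168.1.1 address is the one from Stephan's reply, and the repeated PermitRootLogin line in the weak config is there to show the first-value-wins trap.

```python
"""Check the global sshd_config settings discussed in this thread."""
import re

# Constructed sample configs (not from the thread). The second PermitRootLogin line in
# WEAK_CONFIG is the trap: sshd keeps the first value it reads, so root stays allowed.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
Protocol 2
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 22
Protocol 2
ListenAddress 192.168.1.1
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

WILDCARDS = {"0.0.0.0", "::", "*"}


def parse_global(text):
    """Return ({keyword_lower: first value}, [ListenAddress values]) for the global section.
    Per sshd_config(5) the first value given for a keyword wins, and everything after the
    first Match line is conditional, so parsing stops there."""
    settings, listen = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([^\s=]+)\s*=?\s*(.*)$", line)   # "Key value" or "Key=value"
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key == "listenaddress":
            listen.append(value)              # may be given several times
        else:
            settings.setdefault(key, value)   # first occurrence wins
    return settings, listen


def _host_part(addr):
    if addr.startswith("["):                  # [ipv6]:port
        return addr[1:].split("]", 1)[0]
    if addr.count(":") == 1:                  # ipv4:port or host:port
        return addr.split(":", 1)[0]
    return addr                               # bare address or hostname


def listens_everywhere(addrs):
    """True when sshd would accept connections on every interface."""
    if not addrs:
        return True                           # no ListenAddress: default is all interfaces
    return any(_host_part(a) in WILDCARDS for a in addrs)


def audit(text):
    """Return a list of findings; an empty list means the three settings look sane."""
    settings, listen = parse_global(text)
    findings = []
    # OpenSSH before 7.0 defaulted PermitRootLogin to yes; 7.0 and later default to
    # prohibit-password. Either way, anything but "no" leaves some root login path open.
    root = settings.get("permitrootlogin", "yes")
    if root != "no":
        findings.append(f"PermitRootLogin is '{root}': set it to no")
    if listens_everywhere(listen):
        findings.append("sshd listens on all interfaces: restrict with ListenAddress")
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is on: password guessing stays possible")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Running it on a real file is `audit(open("/etc/ssh/sshd_config").read())`. The checker only reads the file; on a current OpenSSH `sshd -T` prints the effective values after all parsing rules are applied and is the authoritative way to confirm what the daemon actually uses.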
> Dec 22 08:24:05 pop kernel: device eth0 entered promiscuous mode

Did you run tcpdump or some other software of that kind? If not, this is indeed a sign of malicious activity on a server (sniffing).

(...)

> Dec 22 04:13:16 pop sshd[2997]: Failed password for root from 212.78.79.20 port 43527 ssh2
> Dec 22 08:23:03 pop sshd[3219]: Accepted password for root from 212.78.79.20 port 40528 ssh2

At first glance I would say that an attacker managed to guess your root password (I advise you to forbid remote root logins from now on). In your place I would consider these two machines compromised; the integrity of the system can therefore no longer be assured.