I have had lots of hits the last couple of days too, a grab from my logs:
Code:
Aug 11 19:09:42 [sshd] Illegal user test from ::ffff:61.40.11.45
Aug 11 19:09:42 [sshd] error: Could not get shadow information for NOUSER
Aug 11 19:09:42 [sshd] Failed password for illegal user test from ::ffff:61.40.11.45 port 33094 ssh2
Aug 11 19:09:44 [sshd] User guest not allowed because shell /dev/null is not executable
Aug 11 19:09:44 [sshd] error: Could not get shadow information for NOUSER
Aug 11 19:09:44 [sshd] Failed password for illegal user guest from ::ffff:61.40.11.45 port 33166 ssh2
Aug 11 19:09:47 [sshd] Illegal user admin from ::ffff:61.40.11.45
Aug 11 19:09:47 [sshd] error: Could not get shadow information for NOUSER
Aug 11 19:09:47 [sshd] Failed password for illegal user admin from ::ffff:61.40.11.45 port 33236 ssh2
Aug 11 19:09:50 [sshd] Illegal user admin from ::ffff:61.40.11.45
Aug 11 19:09:50 [sshd] error: Could not get shadow information for NOUSER
Aug 11 19:09:50 [sshd] Failed password for illegal user admin from ::ffff:61.40.11.45 port 33305 ssh2
Aug 11 19:09:53 [sshd] Illegal user user from ::ffff:61.40.11.45
Aug 11 19:09:53 [sshd] error: Could not get shadow information for NOUSER
Aug 11 19:09:53 [sshd] Failed password for illegal user user from ::ffff:61.40.11.45 port 33376 ssh2
Aug 11 19:09:57 [sshd] Failed password for root from ::ffff:61.40.11.45 port 33477 ssh2
Aug 11 19:09:59 [sshd] Failed password for root from ::ffff:61.40.11.45 port 33565 ssh2
Aug 11 19:10:02 [sshd] Failed password for root from ::ffff:61.40.11.45 port 33623 ssh2
Aug 11 19:10:05 [sshd] Illegal user test from ::ffff:61.40.11.45
Aug 11 19:10:05 [sshd] error: Could not get shadow information for NOUSER
Aug 11 19:10:05 [sshd] Failed password for illegal user test from ::ffff:61.40.11.45 port 33675 ssh2
Aug 12 04:46:28 [sshd] Illegal user test from ::ffff:217.160.240.131
Aug 12 04:46:28 [sshd] error: Could not get shadow information for NOUSER
Aug 12 04:46:28 [sshd] Failed password for illegal user test from ::ffff:217.160.240.131 port 37016 ssh2
Aug 12 04:46:29 [sshd] User guest not allowed because shell /dev/null is not executable
Aug 12 04:46:29 [sshd] error: Could not get shadow information for NOUSER
Aug 12 04:46:29 [sshd] Failed password for illegal user guest from ::ffff:217.160.240.131 port 37084 ssh2
Aug 12 04:46:30 [sshd] Illegal user admin from ::ffff:217.160.240.131
Aug 12 04:46:30 [sshd] error: Could not get shadow information for NOUSER
Aug 12 04:46:30 [sshd] Failed password for illegal user admin from ::ffff:217.160.240.131 port 37130 ssh2
Aug 12 04:46:31 [sshd] Illegal user admin from ::ffff:217.160.240.131
Aug 12 04:46:31 [sshd] error: Could not get shadow information for NOUSER
Aug 12 04:46:31 [sshd] Failed password for illegal user admin from ::ffff:217.160.240.131 port 37193 ssh2
Aug 12 04:46:32 [sshd] Illegal user user from ::ffff:217.160.240.131
Aug 12 04:46:32 [sshd] error: Could not get shadow information for NOUSER
Aug 12 04:46:32 [sshd] Failed password for illegal user user from ::ffff:217.160.240.131 port 37236 ssh2
Aug 12 04:46:33 [sshd] Failed password for root from ::ffff:217.160.240.131 port 37280 ssh2
Aug 12 04:46:34 [sshd] Failed password for root from ::ffff:217.160.240.131 port 37329 ssh2
Aug 12 04:46:35 [sshd] Failed password for root from ::ffff:217.160.240.131 port 37380 ssh2
Aug 12 04:46:35 [sshd] Illegal user test from ::ffff:217.160.240.131
Aug 12 04:46:35 [sshd] error: Could not get shadow information for NOUSER
Aug 12 04:46:35 [sshd] Failed password for illegal user test from ::ffff:217.160.240.131 port 37414 ssh2
Aug 12 08:56:15 [sshd] Illegal user test from ::ffff:161.116.73.218
Aug 12 08:56:15 [sshd] error: Could not get shadow information for NOUSER
Aug 12 08:56:15 [sshd] Failed password for illegal user test from ::ffff:161.116.73.218 port 38392 ssh2
Aug 12 08:56:15 [sshd] User guest not allowed because shell /dev/null is not executable
Aug 12 08:56:15 [sshd] error: Could not get shadow information for NOUSER
Aug 12 08:56:15 [sshd] Failed password for illegal user guest from ::ffff:161.116.73.218 port 38440 ssh2
Aug 12 08:56:16 [sshd] Illegal user admin from ::ffff:161.116.73.218
Aug 12 08:56:16 [sshd] error: Could not get shadow information for NOUSER
Aug 12 08:56:16 [sshd] Failed password for illegal user admin from ::ffff:161.116.73.218 port 38475 ssh2
Aug 12 08:56:17 [sshd] Illegal user admin from ::ffff:161.116.73.218
Aug 12 08:56:17 [sshd] error: Could not get shadow information for NOUSER
Aug 12 08:56:17 [sshd] Failed password for illegal user admin from ::ffff:161.116.73.218 port 38516 ssh2
Aug 12 08:56:17 [sshd] Illegal user user from ::ffff:161.116.73.218
Aug 12 08:56:17 [sshd] error: Could not get shadow information for NOUSER
Aug 12 08:56:17 [sshd] Failed password for illegal user user from ::ffff:161.116.73.218 port 38557 ssh2
Aug 12 08:56:18 [sshd] Failed password for root from ::ffff:161.116.73.218 port 38592 ssh2
Aug 12 08:56:19 [sshd] Failed password for root from ::ffff:161.116.73.218 port 38635 ssh2
Aug 12 08:56:19 [sshd] Failed password for root from ::ffff:161.116.73.218 port 38673 ssh2
Aug 12 08:56:20 [sshd] Illegal user test from ::ffff:161.116.73.218
Aug 12 08:56:20 [sshd] error: Could not get shadow information for NOUSER
Aug 12 08:56:20 [sshd] Failed password for illegal user test from ::ffff:161.116.73.218 port 38715 ssh2
Aug 12 11:29:46 [sshd] Did not receive identification string from ::ffff:67.19.83.100
Aug 12 11:40:49 [sshd] Illegal user test from ::ffff:67.19.83.100
Aug 12 11:40:49 [sshd] reverse mapping checking getaddrinfo for 100.67-19-83.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Aug 12 11:40:49 [sshd] error: Could not get shadow information for NOUSER
Aug 12 11:40:49 [sshd] Failed password for illegal user test from ::ffff:67.19.83.100 port 49800 ssh2
Aug 12 11:40:50 [sshd] User guest not allowed because shell /dev/null is not executable
Aug 12 11:40:51 [sshd] reverse mapping checking getaddrinfo for 100.67-19-83.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Aug 12 11:40:51 [sshd] error: Could not get shadow information for NOUSER
Aug 12 11:40:51 [sshd] Failed password for illegal user guest from ::ffff:67.19.83.100 port 49852 ssh2
Aug 12 11:40:52 [sshd] Illegal user admin from ::ffff:67.19.83.100
Aug 12 11:40:52 [sshd] reverse mapping checking getaddrinfo for 100.67-19-83.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Aug 12 11:40:52 [sshd] error: Could not get shadow information for NOUSER
Aug 12 11:40:52 [sshd] Failed password for illegal user admin from ::ffff:67.19.83.100 port 49910 ssh2
Aug 12 11:40:53 [sshd] Illegal user admin from ::ffff:67.19.83.100
Aug 12 11:40:53 [sshd] reverse mapping checking getaddrinfo for 100.67-19-83.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Aug 12 11:40:53 [sshd] error: Could not get shadow information for NOUSER
Aug 12 11:40:53 [sshd] Failed password for illegal user admin from ::ffff:67.19.83.100 port 49965 ssh2
Aug 12 11:40:54 [sshd] Illegal user user from ::ffff:67.19.83.100
Aug 12 11:40:55 [sshd] reverse mapping checking getaddrinfo for 100.67-19-83.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Aug 12 11:40:55 [sshd] error: Could not get shadow information for NOUSER
Aug 12 11:40:55 [sshd] Failed password for illegal user user from ::ffff:67.19.83.100 port 50008 ssh2
Aug 12 11:40:56 [sshd] reverse mapping checking getaddrinfo for 100.67-19-83.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Aug 12 11:40:56 [sshd] Failed password for root from ::ffff:67.19.83.100 port 50093 ssh2
Aug 12 11:40:57 [sshd] reverse mapping checking getaddrinfo for 100.67-19-83.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Aug 12 11:40:57 [sshd] Failed password for root from ::ffff:67.19.83.100 port 50537 ssh2
Aug 12 11:40:58 [sshd] reverse mapping checking getaddrinfo for 100.67-19-83.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Aug 12 11:40:58 [sshd] Failed password for root from ::ffff:67.19.83.100 port 50579 ssh2
Aug 12 11:40:59 [sshd] Illegal user test from ::ffff:67.19.83.100
Aug 12 11:40:59 [sshd] reverse mapping checking getaddrinfo for 100.67-19-83.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Aug 12 11:40:59 [sshd] error: Could not get shadow information for NOUSER
Aug 12 11:40:59 [sshd] Failed password for illegal user test from ::ffff:67.19.83.100 port 50616 ssh2

I had found a part of the script by reversing towards one of the IPs:
Here's its code:
Code:
#!/bin/sh
if [ $# != 1 ]
then
    echo "Se da asa:"
    echo "$0 <clasa b>"
    echo "Exemplu:"
    echo "$0 212.93"
    echo "Daca nu prindeti ... verificati in fisieru asta sa fie pusa placa de retea care trebe adika eth0, eth1, ppp0 etc "
    exit
fi
rm -f bios.txt vuln.txt uniq.txt
./ss 22 -b $1 -i eth0 -s 6
cat bios.txt |sort | uniq > uniq.txt
./haita

You can find the ./haita and ./ss in the attached tar.
Anyway, it seems not very harmful, yet annoying.
Can anyone explain to me what's with the reverse mapping the log gives?
Is it an unmatched reverse DNS or what?
Greetz,
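
An added example, not part of the original post: a small Python summarizer for sshd logs in the format shown above, grouping failed logins by source address, flagging bursts, and recording any hostname from a "reverse mapping checking getaddrinfo ... failed" warning. The sample lines, addresses and hostname are constructed; the threshold, the window and the rule that ties a warning to the next failed login are assumptions of this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the post's log format (documentation-range addresses).
SAMPLE = """\
Aug 12 11:40:49 [sshd] reverse mapping checking getaddrinfo for host10.example.net failed - POSSIBLE BREAKIN ATTEMPT!
Aug 12 11:40:49 [sshd] Failed password for illegal user test from ::ffff:192.0.2.10 port 49800 ssh2
Aug 12 11:40:51 [sshd] Failed password for illegal user guest from ::ffff:192.0.2.10 port 49852 ssh2
Aug 12 11:40:52 [sshd] Failed password for illegal user admin from ::ffff:192.0.2.10 port 49910 ssh2
Aug 12 11:40:56 [sshd] Failed password for root from ::ffff:192.0.2.10 port 50093 ssh2
Aug 12 11:40:57 [sshd] Failed password for root from ::ffff:192.0.2.10 port 50537 ssh2
Aug 12 12:05:10 [sshd] Failed password for alice from ::ffff:198.51.100.7 port 40112 ssh2
Aug 12 12:20:31 [sshd] Failed password for alice from ::ffff:198.51.100.7 port 40230 ssh2
"""
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \[sshd\] Failed password for "
                    r"(illegal user )?(\S+) from (?:::ffff:)?(\S+) port \d+")
RDNS = re.compile(r"reverse mapping checking getaddrinfo for (\S+) failed")

def summarize(log_text, threshold=5, window=60):
    """Group failed sshd logins by source address and flag bursts."""
    seen = defaultdict(lambda: {"times": [], "users": set(), "unknown": 0, "rdns": set()})
    pending = None  # rDNS warning carries no address: tie it to the next failure
    for line in log_text.splitlines():
        if (m := RDNS.search(line)):
            pending = m.group(1)
        elif (m := FAILED.match(line)):
            stamp, illegal, user, addr = m.groups()
            src = seen[addr]
            # syslog stamps have no year; 2000 is a placeholder, only deltas matter
            src["times"].append(datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S"))
            src["users"].add(user)
            src["unknown"] += bool(illegal)
            if pending:
                src["rdns"].add(pending)
            pending = None
    report = {}
    for addr, src in seen.items():
        times = sorted(src["times"])
        # peak = most failures inside any `window`-second span
        peak = max(sum((t - t0).total_seconds() <= window for t in times[i:])
                   for i, t0 in enumerate(times))
        report[addr] = {"failures": len(times), "users": sorted(src["users"]),
                        "unknown_users": src["unknown"], "peak": peak,
                        "rdns_unconfirmed": sorted(src["rdns"]),
                        "flagged": peak >= threshold}
    return report
```

On a busy host with interleaved connections the warning-to-address pairing can misattribute, so treat `rdns_unconfirmed` as a hint and rely on `flagged` for blocking decisions.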



