Web Hosting Talk







View Full Version : What kind of attack is this?


ffeingol
02-02-2002, 05:22 PM
These showed up in my log last night:


Feb 1 22:06:15 *** login[28361]: FAILED LOGIN 1 FROM **.**.** FOR anao^H^H, User not known to the underlying authentication module
Feb 1 22:06:23 *** login[28361]: FAILED LOGIN 2 FROM **.**.** FOR anonymous, User not known to the underlying authentication module
Feb 1 22:06:34 *** login[28361]: FAILED LOGIN 3 FROM **.**.** FOR seth, User not known to the underlying authentication module
Feb 1 22:06:48 *** login[28361]: FAILED LOGIN SESSION FROM **.**.** FOR es^Hxit, User not known to the underlying authentication module


(I've **'ed out certain details).

As far as I can tell, they never actually made it onto my box. My question is how were they trying to connect. I have very few ports open and those daemons log the daemon name into the log.

TIA,

Frank

Jackmaninov
02-02-2002, 06:11 PM
Did the points you ***'ed out contain any information on what port the presumed attacker was trying to connect to? If logon attempts were being made, I would assume they were attempts to connect to Telnet/SSH or FTP.

However, those lines don't really look like attacks. They appear to be nothing more than failed login attempts; whoever did them was using non-existent usernames, and hence couldn't log in.

Not a big deal really. Maybe someone typed an IP into their FTP/SSH client incorrectly and got the wrong server....

ffeingol
02-02-2002, 06:26 PM
The ** are just my host name and the host name that they come from. There is no telnet on this box. ssh and ftp are both running as daemons and put "sshd" and "ftpd" in the log records.

"login" (the name before the process ID) is what wrote these log records. I'm just not sure what process would write "login" records.

Frank

allan
02-02-2002, 10:19 PM
Frank -- are you using PAM authentication?

ffeingol
02-02-2002, 10:33 PM
Sorry, I'm not going to give that kind of info out in a public forum :(

Frank

Dylan
02-02-2002, 10:49 PM
ffeingol, you can always send uuallan a PM ;)

ffeingol
02-02-2002, 11:31 PM
I did :D

Frank

bitserve
02-03-2002, 02:55 AM
Wouldn't rlogind show those "login" messages? Port 513?

Ahmad
02-03-2002, 01:42 PM
anao^H^H
anonymous
seth
es^Hxit


^H is due to the user pressing backspace. For the last attempt shown above, you can see that a user probably wanted to log in, then he changed his mind, so he wrote "exit" thinking that it would get him out of the login screen. Instead of writing the 'x' he wrote 's', so he pressed backspace, shown as ^H, then he pressed x, thinking that the backspace deleted the 's', and continued typing 'exit'.

If you've got a lot of them from the same IP, then it might be a brute force attack made by an idiot :)

Don't depend on what I'm saying though, it could be something more serious.
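
Added example (not part of any post in this thread): a small Python parser for the "login" lines quoted above that replays the ^H backspaces to show what was effectively typed, and groups the attempts by process ID and source. The regular expression is an assumption fitted to the four lines shown in the thread, and the sample input is those lines with the poster's masking kept.

```python
import re
from collections import defaultdict

# Constructed sample: the four lines quoted in the thread, masking kept as posted.
SAMPLE_LOG = """\
Feb 1 22:06:15 *** login[28361]: FAILED LOGIN 1 FROM **.**.** FOR anao^H^H, User not known to the underlying authentication module
Feb 1 22:06:23 *** login[28361]: FAILED LOGIN 2 FROM **.**.** FOR anonymous, User not known to the underlying authentication module
Feb 1 22:06:34 *** login[28361]: FAILED LOGIN 3 FROM **.**.** FOR seth, User not known to the underlying authentication module
Feb 1 22:06:48 *** login[28361]: FAILED LOGIN SESSION FROM **.**.** FOR es^Hxit, User not known to the underlying authentication module
"""

# Assumed line layout, fitted to the lines above (not a general syslog grammar).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]:\s"
    r"FAILED LOGIN (?P<count>\d+|SESSION) FROM (?P<src>\S+) "
    r"FOR (?P<user>.*?), (?P<reason>.*)$"
)

def apply_backspaces(raw):
    """Replay backspaces (caret form '^H' or a raw 0x08 byte) as a terminal would."""
    out = []
    for ch in raw.replace("^H", "\x08"):
        if ch == "\x08":
            if out:          # backspace on an empty field deletes nothing
                out.pop()
        else:
            out.append(ch)
    return "".join(out)

def parse_failed_logins(text):
    """Return one dict per FAILED LOGIN line, with the effective username added."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["typed"] = apply_backspaces(ev["user"])
            events.append(ev)
    return events

def group_by_session(events):
    """Group effective usernames by (program, pid, source) to spot repeated tries."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[(ev["prog"], ev["pid"], ev["src"])].append(ev["typed"])
    return dict(sessions)

if __name__ == "__main__":
    for key, names in group_by_session(parse_failed_logins(SAMPLE_LOG)).items():
        print(key, names)
```

On the quoted lines, all four attempts fall under the same PID and source, so they belong to a single login session rather than separate connections.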