sshd:
Authentication Failures:
unknown (games1.wdc1.speakeasy.net): 555 Time(s)
root (games1.wdc1.speakeasy.net): 15 Time(s)
squid (games1.wdc1.speakeasy.net): 7 Time(s)
dovecot (games1.wdc1.speakeasy.net): 5 Time(s)
gopher (games1.wdc1.speakeasy.net): 5 Time(s)
sync (games1.wdc1.speakeasy.net): 3 Time(s)
mysql (games1.wdc1.speakeasy.net): 2 Time(s)
adm (games1.wdc1.speakeasy.net): 1 Time(s)
apache (games1.wdc1.speakeasy.net): 1 Time(s)
daemon (games1.wdc1.speakeasy.net): 1 Time(s)
ftp (games1.wdc1.speakeasy.net): 1 Time(s)
games (games1.wdc1.speakeasy.net): 1 Time(s)
mail (games1.wdc1.speakeasy.net): 1 Time(s)
mailman (games1.wdc1.speakeasy.net): 1 Time(s)
mailnull (games1.wdc1.speakeasy.net): 1 Time(s)
nobody (games1.wdc1.speakeasy.net): 1 Time(s)
postfix (games1.wdc1.speakeasy.net): 1 Time(s)
postgres (games1.wdc1.speakeasy.net): 1 Time(s)
rpc (games1.wdc1.speakeasy.net): 1 Time(s)
rpcuser (games1.wdc1.speakeasy.net): 1 Time(s)
rpm (games1.wdc1.speakeasy.net): 1 Time(s)
Failed logins from:
66.92.159.6 (games1.wdc1.speakeasy.net): 102 times
Illegal users from:
66.92.159.6 (games1.wdc1.speakeasy.net): 1110 times
[bunch of failed logins omitted]
Why does this suggest that the machine has been compromised? It's the
*successful* logins that I'd worry about.
I see this SSH attack all the time on my own machines. Since I have
disabled passwords (i.e., I require public key authentication), and in
any event none of the standard accounts are enabled, they don't bother
me at all.
If I worried about every failed attack on my systems, well, I wouldn't
get much work done. I only care about the *successful* ones.
> Bruno Wolff III wrote:
>> The folowing log entries strongly suggest that games1.wdc1.speakeasy.net
>> has been compromised:
>
> [bunch of failed logins omitted]
>
> Why does this suggest that the machine has been compromised? It's the
> *successful* logins that I'd worry about.
Bruno's machine is not the one that's compromised.
Figure it out.
Right. I was trying to give Speakeasy a heads up that what looked like might
be a server of theirs was compromised. I wasn't worried about my machine.
I normally don't bother with this as if I used spam contact IP addresses
to generate a fairly reliable list of compromised machines, I could provide
a list of over 400K machines that were compromised in the last month. But
since this machines name made it appear to be some sort of gaming server and
it appeared to belong to Speakeasy, I thought it was worth my time to report.
Eventually abuse acknowleged it, though it was odd that the normal support
people weren't interested in forwarding the report.
I posted it here, because once upon a time knowlegable Speakeasy support
staff used to read this group, and I thought if they saw it and the machine
was a server, that they might want to take care of the problem a little
faster than waiting for someone to wade through the abuse email.