On 14/12/06, Andres Baravalle andres.baravalle@gmail.com wrote:
Hi everyone, I have some very strange information in my /var/log/secure:
find /var/log | xargs grep -i 62.149.129.73 2>/dev/null /var/log/secure:Dec 13 21:32:38 baravalle xinetd[1219]: START: smtp pid=26049 from=62.149.129.73 /var/log/secure:Dec 13 21:32:38 baravalle sshd[26048]: Did not receive identification string from ::ffff:62.149.129.73 /var/log/secure:Dec 13 20:33:33 baravalle sshd[26059]: Failed none for invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2 /var/log/secure:Dec 13 21:33:42 baravalle sshd[26058]: Failed password for invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2 /var/log/secure:Dec 13 20:33:42 baravalle sshd[26059]: Failed password for invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2
Apparently someone tried to log in with a user name (I changed the username here). I don't like the timestamps: 21:32:38, 20:33:33, 21:33:42, 20:33:42.
Why is that?
By the way, most probably the access has been done by my provider. They are denying it, but there is overwhelming evidence: the username used is the one that they gave me, which is the word admin and a string of 7 digits. The username should be known just by me, my business partner and my provider. The username was anyway invalid in the system, because I had disabled SSH access from all users but the ones in a group. Nevertheless, in their records, the provider had another user name that I didn't disable (stupid me) because they did some maintenance work not long ago. I can't see any access from the correct user name since the last time I had authorised them to access the server.
We covered something similar a little while back. Don't know if it's the same problem you're seeing but this might help shed some light...
http://lists.centos.org/pipermail/centos/2006-November/072459.html
Will.