On 14/12/06, Andres Baravalle <andres.baravalle at gmail.com> wrote: > Hi everyone, > I have some very strange information in my /var/log/secure: > > find /var/log | xargs grep -i 62.149.129.73 2>/dev/null > /var/log/secure:Dec 13 21:32:38 baravalle xinetd[1219]: START: smtp > pid=26049 from=62.149.129.73 > /var/log/secure:Dec 13 21:32:38 baravalle sshd[26048]: Did not receive > identification string from ::ffff:62.149.129.73 > /var/log/secure:Dec 13 20:33:33 baravalle sshd[26059]: Failed none for > invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2 > /var/log/secure:Dec 13 21:33:42 baravalle sshd[26058]: Failed password > for invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2 > /var/log/secure:Dec 13 20:33:42 baravalle sshd[26059]: Failed password > for invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2 > > Apparently someone tried to log in with a user name (I changed the > username here). I don't like the timestamps: 21:32:38, 20:33:33, > 21:33:42, 20:33:42. > > Why is that? > > By the way, most probably the access has been done by my provider. > They are denying it, but there is overwhelming evidence: the username > used is the one that they gave me, which is the word admin and a > string of 7 digits. The username should be known just by me, my > business partner and my provider. The username was anyway invalid in > the system, because I had disabled SSH access from all users but the > ones in a group. Nevertheless, in their records, the provider had > another user name that I didn't disable (stupid me) because they did > some maintenance work not long ago. I can't see any access from the > correct user name since the last time I had authorised them to access > the server. We covered something similar a little while back. Don't know if it's the same problem you're seeing but this might help shed some light... http://lists.centos.org/pipermail/centos/2006-November/072459.html Will.