is this an intruder?

Marty Landman mlandman at face2interface.com
Wed Jan 4 18:04:02 UTC 2006


Here's what I'm seeing on /var/log/messages:

Jan  4 11:00:00 BANYAN wvdial[3573]: Carrier detected.  Chatmode finished.
Jan  4 11:00:00 BANYAN pppd[3563]: Serial connection established.
Jan  4 11:00:00 BANYAN pppd[3563]: Connect: ppp0 <--> /dev/ttyS1
Jan  4 11:00:05 BANYAN modprobe: modprobe: Can't locate module ppp-compress-21
Jan  4 11:00:05 BANYAN modprobe: modprobe: Can't locate module ppp-compress-21
Jan  4 11:00:05 BANYAN pppd[3563]: Remote IP address changed to 216.238.192.133
Jan  4 11:17:22 BANYAN sshd(pam_unix)[3624]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=ftp
Jan  4 11:17:36 BANYAN sshd(pam_unix)[3630]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=mail
Jan  4 11:18:12 BANYAN sshd(pam_unix)[3648]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=postgres
Jan  4 11:18:39 BANYAN sshd(pam_unix)[3662]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=xfs
Jan  4 11:18:45 BANYAN sshd(pam_unix)[3664]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=news
Jan  4 11:18:52 BANYAN sshd(pam_unix)[3666]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=lp
Jan  4 11:18:58 BANYAN sshd(pam_unix)[3668]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=rpc
Jan  4 11:19:04 BANYAN sshd(pam_unix)[3670]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=rpcuser
Jan  4 11:19:10 BANYAN sshd(pam_unix)[3672]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=uucp
Jan  4 11:19:52 BANYAN sshd(pam_unix)[3694]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=nscd
Jan  4 11:19:58 BANYAN sshd(pam_unix)[3696]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=mailnull
Jan  4 11:20:04 BANYAN sshd(pam_unix)[3698]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=smmsp
Jan  4 11:20:10 BANYAN sshd(pam_unix)[3700]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=pcap
Jan  4 11:20:23 BANYAN sshd(pam_unix)[3706]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=vcsa
Jan  4 11:20:29 BANYAN sshd(pam_unix)[3708]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=squid
Jan  4 11:21:55 BANYAN sshd(pam_unix)[3756]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=sshd
Jan  4 11:22:18 BANYAN sshd(pam_unix)[3768]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=desktop
Jan  4 11:25:44 BANYAN sshd(pam_unix)[3887]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=gdm
Jan  4 11:26:42 BANYAN sshd(pam_unix)[3919]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=rpm
Jan  4 11:27:39 BANYAN sshd(pam_unix)[3951]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=ntp
Jan  4 12:14:35 BANYAN sshd(pam_unix)[3452]: session closed for user marty


Here's the end of a traceroute for the rhost:

10  pos5-0.2488M.albnxg1.ip.tele.dk (83.88.26.5)  288.137 ms  288.986 ms  268.915 ms
11  pos6-0.2488M.albnxg7.ip.tele.dk (83.88.12.74)  267.786 ms  258.239 ms  259.015 ms
12  pos5-0.cop-p1.dk.sn.net (195.215.109.66)  248.001 ms  268.197 ms  258.937 ms
13  80.239.104.58 (80.239.104.58)  278.789 ms  268.428 ms  268.851 ms
14  212.20.204.21 (212.20.204.21)  268.051 ms  279.010 ms  278.904 ms
15  * * *


Not sure if I'm reading this right, as this is new to me, but it appears 
someone in Denmark spent about 10 minutes trying a variety of userids to 
start an ssh session on my network gateway.


Marty


Marty Landman, Face 2 Interface Inc. 845-679-9387
Webmaster's Bulletin Board: http://bbs.face2interface.com/
Web Installed Formmail: http://face2interface.com/formINSTal  
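The pattern in the log above (one remote host cycling through many system accounts in a few minutes) can be picked out of /var/log/messages mechanically. The script below is an added example, not code from the poster or from Red Hat: it parses the sshd(pam_unix) "authentication failure" records in the format shown in the post, rejoins records that a mail client wrapped onto two lines, groups failures by rhost, and flags any source that tried at least five distinct usernames inside a fifteen-minute sliding window. The sample log is constructed from the post's own records plus one ordinary failure from 192.0.2.7 (a documentation address) for contrast; the year, the thresholds and the window size are assumptions, since syslog timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Every syslog record starts with a timestamp such as "Jan  4 11:17:22 ".
TS_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")

# pam_unix failure record as sshd writes it on this system. The key=value
# fields may be empty ("logname= ... ruser= rhost=1.2.3.4  user=ftp").
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\(pam_unix\)\[(?P<pid>\d+)\]: authentication failure;.*?"
    r"rhost=(?P<rhost>\S*)\s+user=(?P<user>\S*)"
)

# Constructed sample in the two-line wrapped form seen in the mail; the
# 212.20.204.10 records are taken from the post, 192.0.2.7 is made up.
SAMPLE_LOG = """\
Jan  4 11:17:22 BANYAN sshd(pam_unix)[3624]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=ftp
Jan  4 11:17:36 BANYAN sshd(pam_unix)[3630]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=mail
Jan  4 11:18:12 BANYAN sshd(pam_unix)[3648]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=postgres
Jan  4 11:18:39 BANYAN sshd(pam_unix)[3662]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=xfs
Jan  4 11:18:45 BANYAN sshd(pam_unix)[3664]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=212.20.204.10  user=news
Jan  4 11:30:01 BANYAN sshd(pam_unix)[3800]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.7  user=marty
Jan  4 12:14:35 BANYAN sshd(pam_unix)[3452]: session closed for user marty
"""


def unwrap(lines):
    """Rejoin records a mail client wrapped: a line that does not start with
    a timestamp is the tail of the previous record."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] = records[-1].rstrip() + " " + line.lstrip()
    return records


def parse_failures(lines, year=2006):
    """Return [(timestamp, rhost, user)] for each sshd pam_unix failure.
    `year` is assumed because syslog timestamps omit it."""
    out = []
    for rec in unwrap(lines):
        m = FAIL_RE.match(rec)
        if not m:
            continue  # session open/close and other records are not failures
        stamp = " ".join(m.group("ts").split())  # collapse "Jan  4" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        out.append((ts, m.group("rhost"), m.group("user")))
    return out


def summarize_by_source(failures):
    """Per rhost: first/last failure time, attempt count, distinct users."""
    by_src = {}
    for ts, rhost, user in failures:
        s = by_src.setdefault(
            rhost, {"first": ts, "last": ts, "attempts": 0, "users": set()})
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
        s["attempts"] += 1
        s["users"].add(user)
    return by_src


def flag_user_enumeration(failures, min_users=5, window=timedelta(minutes=15)):
    """rhosts that tried >= min_users distinct accounts within any `window`.
    Many different system accounts from one source in minutes is a scripted
    sweep; one or two failures for a real user is a typo."""
    by_src = defaultdict(list)
    for ts, rhost, user in failures:
        by_src[rhost].append((ts, user))
    flagged = []
    for rhost, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window from each event
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged.append(rhost)
                break
    return sorted(flagged)


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG.splitlines())
    for rhost, s in summarize_by_source(fails).items():
        span = (s["last"] - s["first"]).seconds
        print(f"{rhost}: {s['attempts']} failures, {len(s['users'])} users "
              f"in {span}s, first at {s['first'].time()}")
    print("flagged:", flag_user_enumeration(fails))
```

Run against a real /var/log/messages with `parse_failures(open("/var/log/messages"))`; the "session closed for user marty" record is ignored because it is not a failure. This per-source grouping is the same thing log-watching tools such as DenyHosts and fail2ban automate before blocking the source, and it is also a useful check on the other side: if a single rhost has many failures followed by a successful login for a real account, that login deserves a closer look.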



