[linux-l] Port scanner

Olaf Radicke olaf_rad at gmx.de
Fri Oct 7 15:27:42 CEST 2005


On Friday, 7 October 2005 14:34, Manuel Tennert wrote:
[.. ]
> Hello Olaf,
>
> A question from me: how did you find that out?

Root gets e-mails from watchdog-d.

> From the logs?

The logs confirm it.

> If so, which ones did you look in, and what did they contain?

<snip /var/log/secure>

[...]
Oct  5 01:11:04 localhost sshd[5725]: reverse mapping checking getaddrinfo 
for . failed - POSSIBLE BREAKIN ATTEMPT!
Oct  5 01:11:06 localhost sshd[5725]: Failed password for invalid user 
anonymous from ::ffff:72.20.1.66 port 47775 ssh2
[...]
Oct  5 01:11:20 localhost sshd[5735]: Invalid user mysql 
from ::ffff:72.20.1.66
Oct  5 01:11:20 localhost sshd[5735]: reverse mapping checking getaddrinfo 
for . failed - POSSIBLE BREAKIN ATTEMPT!
Oct  5 01:11:22 localhost sshd[5735]: Failed password for invalid user mysql 
from ::ffff:72.20.1.66 port 49584 ssh2
Oct  5 01:11:24 localhost sshd[5738]: Invalid user mysql 
from ::ffff:72.20.1.66
Oct  5 01:11:24 localhost sshd[5738]: reverse mapping checking getaddrinfo 
for . failed - POSSIBLE BREAKIN ATTEMPT!
Oct  5 01:11:26 localhost sshd[5738]: Failed password for invalid user mysql 
from ::ffff:72.20.1.66 port 50005 ssh2
Oct  5 01:11:28 localhost sshd[5741]: Invalid user mysql 
from ::ffff:72.20.1.66
Oct  5 01:11:28 localhost sshd[5741]: reverse mapping checking getaddrinfo 
for . failed - POSSIBLE BREAKIN ATTEMPT!
Oct  5 01:11:30 localhost sshd[5741]: Failed password for invalid user mysql 
from ::ffff:72.20.1.66 port 50477 ssh2
[...]
Oct  5 01:12:08 localhost sshd[5763]: reverse mapping checking getaddrinfo 
for . failed - POSSIBLE BREAKIN ATTEMPT!
Oct  5 01:12:10 localhost sshd[5763]: Failed password for root 
from ::ffff:72.20.1.66 port 54930 ssh2
Oct  5 01:12:12 localhost sshd[5765]: Invalid user carol 
from ::ffff:72.20.1.66
Oct  5 01:12:12 localhost sshd[5765]: reverse mapping checking getaddrinfo 
for . failed - POSSIBLE BREAKIN ATTEMPT!
Oct  5 01:12:14 localhost sshd[5765]: Failed password for invalid user carol 
from ::ffff:72.20.1.66 port 55310 ssh2
Oct  5 01:12:16 localhost sshd[5768]: Invalid user cesar 
from ::ffff:72.20.1.66
Oct  5 01:12:16 localhost sshd[5768]: reverse mapping checking getaddrinfo 
for . failed - POSSIBLE BREAKIN ATTEMPT!
Oct  5 01:12:18 localhost sshd[5768]: Failed password for invalid user cesar 
from ::ffff:72.20.1.66 port 55760 ssh2
Oct  5 01:12:20 localhost sshd[5771]: Invalid user clark 
from ::ffff:72.20.1.66
Oct  5 01:12:20 localhost sshd[5771]: reverse mapping checking getaddrinfo 
for . failed - POSSIBLE BREAKIN ATTEMPT!
Oct  5 01:12:22 localhost sshd[5771]: Failed password for invalid user clark 
from ::ffff:72.20.1.66 port 56390 ssh2
Oct  5 01:12:24 localhost sshd[5774]: Invalid user clinton 
from ::ffff:72.20.1.66
Oct  5 01:12:24 localhost sshd[5774]: reverse mapping checking getaddrinfo 
for . failed - POSSIBLE BREAKIN ATTEMPT!
Oct  5 01:12:26 localhost sshd[5774]: Failed password for invalid user clinton 
from ::ffff:72.20.1.66 port 57754 ssh2
Oct  5 01:12:28 localhost sshd[5777]: Invalid user kayla 
from ::ffff:72.20.1.66
Oct  5 01:12:28 localhost sshd[5777]: reverse mapping checking getaddrinfo 
for . failed - POSSIBLE BREAKIN ATTEMPT!
Oct  5 01:12:30 localhost sshd[5777]: Failed password for invalid user kayla 
from ::ffff:72.20.1.66 port 58254 ssh2
Oct  5 01:12:32 localhost sshd[5780]: Invalid user russ from ::ffff:72.20.1.66
Oct  5 01:12:32 localhost sshd[5780]: reverse mapping checking getaddrinfo 
for . failed - POSSIBLE BREAKIN ATTEMPT!
Oct  5 01:12:34 localhost sshd[5780]: Failed password for invalid user russ 
from ::ffff:72.20.1.66 port 58940 ssh2
Oct  5 01:12:36 localhost sshd[5783]: Invalid user white 
from ::ffff:72.20.1.66
Oct  5 01:12:36 localhost sshd[5783]: reverse mapping checking getaddrinfo 
for . failed - POSSIBLE BREAKIN ATTEMPT!
Oct  5 01:12:38 localhost sshd[5783]: Failed password for invalid user white 
from ::ffff:72.20.1.66 port 59839 ssh2
Oct  5 01:12:40 localhost sshd[5786]: Invalid user danny 
from ::ffff:72.20.1.66
Oct  5 01:12:40 localhost sshd[5786]: reverse mapping checking getaddrinfo 
for . failed - POSSIBLE BREAKIN ATTEMPT!
Oct  5 01:12:42 localhost sshd[5786]: Failed password for invalid user danny 
from ::ffff:72.20.1.66 port 60413 ssh2
Oct  5 01:12:44 localhost sshd[5789]: Invalid user filip 
from ::ffff:72.20.1.66
Oct  5 01:12:44 localhost sshd[5789]: reverse mapping checking getaddrinfo 
for . failed - POSSIBLE BREAKIN ATTEMPT!
Oct  5 01:12:46 localhost sshd[5789]: Failed password for invalid user filip 
from ::ffff:72.20.1.66 port 32909 ssh2
Oct  5 01:12:48 localhost sshd[5792]: Invalid user stephanie 
from ::ffff:72.20.1.66
Oct  5 01:12:48 localhost sshd[5792]: reverse mapping checking getaddrinfo 
for . failed - POSSIBLE BREAKIN ATTEMPT!
Oct  5 01:12:50 localhost sshd[5792]: Failed password for invalid user 
stephanie from ::ffff:72.20.1.66 port 33856 ssh2
Oct  5 01:12:52 localhost sshd[5795]: reverse mapping checking getaddrinfo 
for . failed - POSSIBLE BREAKIN ATTEMPT!
Oct  5 01:12:54 localhost sshd[5795]: Failed password for root 
from ::ffff:72.20.1.66 port 34395 ssh2
[...]
Oct  5 01:38:17 localhost sshd[7133]: Failed password for root 
from ::ffff:72.20.1.66 port 49464 ssh2
Oct  5 01:38:18 localhost sshd[7253]: reverse mapping checking getaddrinfo 
for . failed - POSSIBLE BREAKIN ATTEMPT!
[...]

<snap /var/log/secure>

Regards
Olaf
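
Added example, not part of the original message: a small Python summary of sshd "Failed password" entries like those quoted above. It re-joins mail-wrapped lines, strips the `::ffff:` IPv4-mapped prefix, and reports sources at or above a failure threshold. The sample log, its addresses, the function names and the threshold of 3 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: wrapped like the excerpt above, documentation addresses.
SAMPLE = """\
Oct  5 01:11:22 localhost sshd[5735]: Failed password for invalid user mysql
from ::ffff:203.0.113.66 port 49584 ssh2
[...]
Oct  5 01:12:10 localhost sshd[5763]: Failed password for root
from ::ffff:203.0.113.66 port 54930 ssh2
Oct  5 01:12:18 localhost sshd[5768]: Failed password for invalid user
cesar from ::ffff:203.0.113.66 port 55760 ssh2
Oct  5 09:30:02 localhost sshd[6001]: Failed password for alice
from ::ffff:192.0.2.10 port 40112 ssh2
"""

TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) "
                    r"from (\S+) port \d+")

def unwrap(text):
    """Re-join log entries that the mail client wrapped onto a second line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "[...]":      # skip blanks and elision markers
            continue
        if TS.match(line) or not entries:    # a syslog timestamp starts an entry
            entries.append(line)
        else:                                # anything else continues the last one
            entries[-1] += " " + line
    return entries

def failed_logins(text, threshold=3):
    """Map source address -> failure count and the account names tried."""
    stats = defaultdict(lambda: {"failures": 0, "invalid": set(), "valid": set()})
    for entry in unwrap(text):
        m = FAILED.search(entry)
        if not m:
            continue
        invalid, user, addr = m.groups()
        if addr.lower().startswith("::ffff:"):   # IPv4-mapped IPv6 -> plain IPv4
            addr = addr[len("::ffff:"):]
        stats[addr]["failures"] += 1
        # "valid" here only means sshd did not label the name "invalid user"
        stats[addr]["invalid" if invalid else "valid"].add(user)
    return {a: s for a, s in stats.items() if s["failures"] >= threshold}

if __name__ == "__main__":
    for addr, s in failed_logins(SAMPLE).items():
        print(addr, s["failures"], sorted(s["invalid"]), sorted(s["valid"]))
```

Names in the "valid" set, such as root in the excerpt, are the ones worth checking first, since those guesses were made against accounts sshd accepted as login names.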