From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 04:01:32 2004
From: Justin <freebsd@alt-network.com>
To: freebsd-security@freebsd.org
Date: Tue, 17 Aug 2004 23:01:28 -0500
User-Agent: KMail/1.6.2
References: <411CCAAE.7020505@beco.hu>
In-Reply-To: <411CCAAE.7020505@beco.hu>
Message-Id: <200408172301.28844.freebsd@alt-network.com>
Subject: Re: sequences in the auth.log

I'm seeing the same thing in my log. It makes me think it is a virus because test, guest, and admin are not normal unix users.
Jul 17 04:14:13 newman sshd[2630]: Illegal user test from 129.194.21.5
Jul 17 04:14:14 newman sshd[2632]: Illegal user guest from 129.194.21.5
Jul 24 19:29:26 newman sshd[43831]: Illegal user test from 69.0.134.72
Jul 24 19:29:26 newman sshd[43838]: Illegal user guest from 69.0.134.72
Jul 24 19:29:27 newman sshd[43840]: Illegal user admin from 69.0.134.72
Jul 24 19:29:27 newman sshd[43842]: Illegal user admin from 69.0.134.72
Jul 24 19:29:27 newman sshd[43844]: Illegal user user from 69.0.134.72
Jul 24 19:29:33 newman sshd[43853]: Illegal user test from 69.0.134.72
Jul 24 21:17:05 newman sshd[45031]: Illegal user test from 202.6.75.195
Jul 24 21:17:07 newman sshd[45033]: Illegal user guest from 202.6.75.195
Jul 25 02:04:17 newman sshd[34873]: Illegal user test from 211.202.3.148
Jul 25 02:04:19 newman sshd[34875]: Illegal user guest from 211.202.3.148
Jul 28 12:09:17 newman sshd[16613]: Illegal user test from 65.61.98.16
Jul 28 12:09:18 newman sshd[16615]: Illegal user guest from 65.61.98.16
Jul 31 08:18:09 newman sshd[98113]: Illegal user test from 65.194.200.129
Jul 31 08:18:10 newman sshd[98116]: Illegal user guest from 65.194.200.129
Aug 1 22:47:50 newman sshd[1520]: Illegal user test from 202.114.73.4
Aug 1 22:47:53 newman sshd[1522]: Illegal user guest from 202.114.73.4
Aug 4 21:09:11 newman sshd[39267]: Illegal user test from 218.38.216.168
Aug 4 21:09:13 newman sshd[39269]: Illegal user guest from 218.38.216.168
Aug 7 13:53:00 newman sshd[15889]: Illegal user test from 64.246.20.43
Aug 7 13:53:00 newman sshd[15891]: Illegal user guest from 64.246.20.43
Aug 7 13:53:01 newman sshd[15893]: Illegal user admin from 64.246.20.43
Aug 7 14:00:37 newman sshd[15970]: Illegal user test from 64.246.20.43
Aug 7 14:00:38 newman sshd[15972]: Illegal user guest from 64.246.20.43
Aug 7 14:00:39 newman sshd[15974]: Illegal user admin from 64.246.20.43
Aug 7 14:00:40 newman sshd[15976]: Illegal user admin from 64.246.20.43
Aug 7 14:00:41 newman sshd[15978]: Illegal user user from 64.246.20.43
Aug 7 14:00:44 newman sshd[15986]: Illegal user test from 64.246.20.43
Aug 8 06:48:05 newman sshd[51656]: Illegal user test from 64.151.89.172
Aug 8 06:48:06 newman sshd[51658]: Illegal user guest from 64.151.89.172
Aug 8 06:48:07 newman sshd[51660]: Illegal user admin from 64.151.89.172
Aug 8 06:48:08 newman sshd[51662]: Illegal user admin from 64.151.89.172
Aug 8 06:48:08 newman sshd[51664]: Illegal user user from 64.151.89.172
Aug 8 06:48:12 newman sshd[51672]: Illegal user test from 64.151.89.172
Aug 9 09:33:57 newman sshd[9346]: Illegal user test from 211.241.101.137
Aug 9 09:33:59 newman sshd[9348]: Illegal user guest from 211.241.101.137
Aug 9 09:34:01 newman sshd[9350]: Illegal user admin from 211.241.101.137
Aug 9 09:34:03 newman sshd[9352]: Illegal user admin from 211.241.101.137
Aug 9 09:34:04 newman sshd[9354]: Illegal user user from 211.241.101.137
Aug 9 09:34:13 newman sshd[9362]: Illegal user test from 211.241.101.137
Aug 9 15:54:37 newman sshd[11782]: Illegal user test from 80.64.104.66
Aug 9 15:54:39 newman sshd[11784]: Illegal user guest from 80.64.104.66
Aug 9 15:54:41 newman sshd[11786]: Illegal user admin from 80.64.104.66
Aug 9 15:54:43 newman sshd[11788]: Illegal user admin from 80.64.104.66
Aug 9 15:54:44 newman sshd[11790]: Illegal user user from 80.64.104.66
Aug 9 15:54:51 newman sshd[11798]: Illegal user test from 80.64.104.66
Aug 10 12:24:14 newman sshd[1392]: Illegal user test from 200.155.22.22
Aug 10 12:32:33 newman sshd[11361]: Illegal user test from 200.155.22.22
Aug 10 12:32:35 newman sshd[11364]: Illegal user guest from 200.155.22.22
Aug 10 12:32:37 newman sshd[11370]: Illegal user admin from 200.155.22.22
Aug 10 12:32:40 newman sshd[11372]: Illegal user admin from 200.155.22.22
Aug 10 12:32:42 newman sshd[11375]: Illegal user user from 200.155.22.22
Aug 10 12:32:51 newman sshd[11399]: Illegal user test from 200.155.22.22
Aug 10 20:22:59 newman sshd[1808]: Illegal user test from 63.251.144.88
Aug 16 04:41:53 newman sshd[31175]: Illegal user test from 210.223.178.180
Aug 16 04:41:54 newman sshd[31177]: Illegal user guest from 210.223.178.180
Aug 16 04:41:56 newman sshd[31179]: Illegal user admin from 210.223.178.180
Aug 16 04:41:58 newman sshd[31181]: Illegal user admin from 210.223.178.180
Aug 16 04:42:00 newman sshd[31183]: Illegal user user from 210.223.178.180
Aug 16 04:42:08 newman sshd[31191]: Illegal user test from 210.223.178.180
Aug 17 01:28:42 newman sshd[1507]: Illegal user test from 64.62.182.146
Aug 17 01:28:42 newman sshd[1509]: Illegal user guest from 64.62.182.146
Aug 17 01:28:43 newman sshd[1511]: Illegal user admin from 64.62.182.146
Aug 17 01:28:44 newman sshd[1513]: Illegal user admin from 64.62.182.146
Aug 17 01:28:45 newman sshd[1515]: Illegal user user from 64.62.182.146
Aug 17 01:28:48 newman sshd[1523]: Illegal user test from 64.62.182.146

On Friday 13 August 2004 09:05 am, Sandor Berta wrote:
> Hi all,
> I found similar sequences in the
> /var/auth.log files of freebsd boxes I supervise:
> Aug 13 13:56:08 www sshd[26091]: Illegal user test from 165.21.103.20
> Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 165.21.103.20
> Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:18 www sshd[26103]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:21 www sshd[26105]: Illegal user user from 165.21.103.20
> Aug 13 13:56:25 www sshd[26107]: Failed password for root from 165.21.103.20 port 39678 ssh2
> Aug 13 13:56:28 www sshd[26109]: Failed password for root from 165.21.103.20 port 39760 ssh2
> Aug 13 13:56:32 www sshd[26111]: Failed password for root from 165.21.103.20 port 39836 ssh2
> Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
> Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
> Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57
>
> What are these?
>
> bye
> Sandor Berta
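What both posters are looking at is the same tool signature seen from many different source addresses: a short burst of logins for generic account names (test, guest, admin, user, root) that no real user on the box owns. The practical defender's check is therefore keyed on *which names were tried* and *how fast*, not on any one address. The script below is an added example for this thread, not code from either poster: it parses the two sshd message forms quoted above ("Illegal user X from IP" and "Failed password for X from IP port N ssh2"), groups failures by source, and flags sources that swept several of the generic names within a short window. The log lines it carries are constructed, modelled on the quoted format, with documentation-range addresses standing in for the real ones; the year, the window (600 s) and the list of generic names are assumptions you would tune for your own hosts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input, modelled on the sshd lines quoted in the thread.
# Host name, PIDs and addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are placeholders.
SAMPLE_LOG = """\
Aug 13 13:56:08 www sshd[26091]: Illegal user test from 192.0.2.10
Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 192.0.2.10
Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 192.0.2.10
Aug 13 13:56:18 www sshd[26103]: Illegal user admin from 192.0.2.10
Aug 13 13:56:21 www sshd[26105]: Illegal user user from 192.0.2.10
Aug 13 13:56:25 www sshd[26107]: Failed password for root from 192.0.2.10 port 39678 ssh2
Aug 13 13:56:28 www sshd[26109]: Failed password for root from 192.0.2.10 port 39760 ssh2
Aug 13 13:56:35 www sshd[26113]: Illegal user test from 192.0.2.10
Aug 13 14:25:36 www sshd[26485]: Illegal user test from 198.51.100.7
Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 198.51.100.7
Aug 14 09:02:10 www sshd[27001]: Illegal user jsmith from 203.0.113.5
Aug 14 09:10:00 www sshd[27010]: Accepted publickey for alice from 203.0.113.9 port 51234 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message" (single-digit days are space padded)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
ILLEGAL_RE = re.compile(r"^Illegal user (?P<user>\S+) from (?P<ip>[\d.]+)$")
FAILED_RE = re.compile(
    r"^Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$")

# Generic account names that, as the thread notes, are "not normal unix users".
# A sweep over several of them from one source is the scanner's signature. (Assumed list.)
PROBE_ACCOUNTS = frozenset({"test", "guest", "admin", "user", "root"})


def parse_events(text, year=2004):
    """Return (timestamp, ip, user, kind) for each sshd auth-failure line.

    kind is 'illegal' (unknown account) or 'failed' (known account, bad password).
    syslog timestamps carry no year, so the caller supplies one (assumed 2004 here;
    a log that crosses New Year would need the year tracked per line)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m.group("ts").split())  # collapse the padding before the day
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        msg = m.group("msg")
        im = ILLEGAL_RE.match(msg)
        if im:
            events.append((ts, im.group("ip"), im.group("user"), "illegal"))
            continue
        fm = FAILED_RE.match(msg)
        if fm:
            events.append((ts, fm.group("ip"), fm.group("user"), "failed"))
    return events


def summarize_by_source(events):
    """Group failures by source address, keeping the order in which names were tried."""
    by_ip = defaultdict(lambda: {"users": [], "first": None, "last": None})
    for ts, ip, user, kind in sorted(events):
        rec = by_ip[ip]
        rec["users"].append(user)
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return dict(by_ip)


def flag_scanners(by_ip, min_distinct=2, max_span_seconds=600):
    """Return {ip: "name,name,..."} for sources that tried at least `min_distinct`
    different generic account names within `max_span_seconds` of each other."""
    flagged = {}
    for ip, rec in by_ip.items():
        probed = {u for u in rec["users"] if u in PROBE_ACCOUNTS}
        span = (rec["last"] - rec["first"]).total_seconds()
        if len(probed) >= min_distinct and span <= max_span_seconds:
            flagged[ip] = ",".join(rec["users"])
    return flagged


if __name__ == "__main__":
    summary = summarize_by_source(parse_events(SAMPLE_LOG))
    for ip, sequence in flag_scanners(summary).items():
        print(f"{ip}: account sweep -> {sequence}")
```

On the sample input the first two sources are flagged (the full test/guest/admin/admin/user/root/root/test sweep, and the shorter test/guest pair), while the single typo-looking attempt for "jsmith" and the successful public-key login are not. On a real host, run it over /var/log/auth.log (the path the original poster abbreviated) and feed the flagged sequences, not the addresses, into whatever alerting you use: the addresses change with every source in the thread, the sequence does not.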