Hack Attempt

Over the weekend I noticed several different (likely compromised) computers from China, Russia and South America that attempted a DDoS attack on my home network and servers, which is frustrating enough by itself.

I also noticed that they attempted to gain access to my personal Linux servers from several different IPs, but according to the logs they failed.

Apr 3 06:41:58 localhost sshd[13237]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=95-37-149-222.dynamic.mts-nn.ru
Apr 3 06:42:01 localhost sshd[13237]: Failed password for invalid user testuser from 95.37.149.222 port 35504 ssh2
Apr 3 06:42:01 localhost sshd[13237]: pam_unix(sshd:auth): check pass; user unknown
Apr 3 06:42:03 localhost sshd[13237]: Failed password for invalid user testuser from 95.37.149.222 port 35504 ssh2
Apr 3 06:42:03 localhost sshd[13237]: pam_unix(sshd:auth): check pass; user unknown
Apr 3 06:42:05 localhost sshd[13237]: Failed password for invalid user testuser from 95.37.149.222 port 35504 ssh2
Apr 3 06:42:05 localhost sshd[13237]: pam_unix(sshd:auth): check pass; user unknown
Apr 3 06:42:06 localhost sshd[13237]: Failed password for invalid user testuser from 95.37.149.222 port 35504 ssh2
Apr 3 06:42:06 localhost sshd[13237]: pam_unix(sshd:auth): check pass; user unknown
Apr 3 06:42:08 localhost sshd[13237]: Failed password for invalid user testuser from 95.37.149.222 port 35504 ssh2
Apr 3 06:42:09 localhost sshd[13237]: pam_unix(sshd:auth): check pass; user unknown
Apr 3 06:42:11 localhost sshd[13237]: Failed password for invalid user testuser from 95.37.149.222 port 35504 ssh2
Apr 3 06:42:11 localhost sshd[13237]: Disconnecting: Too many authentication failures for invalid user testuser from 95.37.149.222 port 35504 ssh2 [preauth]
Apr 3 06:42:11 localhost sshd[13237]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=95-37-149-222.dynamic.mts-nn.ru
Apr 3 07:59:06 localhost sshd[15373]: reverse mapping checking getaddrinfo for host-77-41-104-93.qwerty.ru [77.41.104.93] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 3 07:59:06 localhost sshd[15373]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=77.41.104.93 user=root
Apr 3 07:59:08 localhost sshd[15373]: Failed password for root from 77.41.104.93 port 27391 ssh2
Apr 3 07:59:10 localhost sshd[15373]: Failed password for root from 77.41.104.93 port 27391 ssh2
Apr 3 07:59:13 localhost sshd[15373]: Failed password for root from 77.41.104.93 port 27391 ssh2
Apr 3 07:59:15 localhost sshd[15373]: Failed password for root from 77.41.104.93 port 27391 ssh2
Apr 3 07:59:17 localhost sshd[15373]: Failed password for root from 77.41.104.93 port 27391 ssh2
Apr 3 07:59:19 localhost sshd[15373]: Failed password for root from 77.41.104.93 port 27391 ssh2
Apr 3 07:59:19 localhost sshd[15373]: Disconnecting: Too many authentication failures for root from 77.41.104.93 port 27391 ssh2 [preauth]
Apr 3 08:17:05 localhost sshd[15940]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dd5760a8f.access.telenet.be
Apr 3 08:17:08 localhost sshd[15940]: Failed password for invalid user bananapi from 213.118.10.143 port 42883 ssh2
Apr 3 08:17:08 localhost sshd[15940]: pam_unix(sshd:auth): check pass; user unknown
Apr 3 08:17:10 localhost sshd[15940]: Failed password for invalid user bananapi from 213.118.10.143 port 42883 ssh2
Apr 3 08:17:10 localhost sshd[15940]: pam_unix(sshd:auth): check pass; user unknown
Apr 3 08:17:12 localhost sshd[15940]: Failed password for invalid user bananapi from 213.118.10.143 port 42883 ssh2
Apr 3 08:17:12 localhost sshd[15940]: pam_unix(sshd:auth): check pass; user unknown
Apr 3 08:17:14 localhost sshd[15940]: Failed password for invalid user bananapi from 213.118.10.143 port 42883 ssh2
Apr 3 08:17:14 localhost sshd[15940]: pam_unix(sshd:auth): check pass; user unknown
Apr 3 08:17:16 localhost sshd[15940]: Failed password for invalid user bananapi from 213.118.10.143 port 42883 ssh2
Apr 3 08:17:16 localhost sshd[15940]: pam_unix(sshd:auth): check pass; user unknown
Apr 3 08:17:18 localhost sshd[15940]: Failed password for invalid user bananapi from 213.118.10.143 port 42883 ssh2
Apr 3 08:17:18 localhost sshd[15940]: Disconnecting: Too many authentication failures for invalid user bananapi from 213.118.10.143 port 42883 ssh2 [preauth]
Apr 3 08:21:36 localhost sshd[16105]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=186.130.111.209
Apr 3 08:21:37 localhost sshd[16099]: Failed password for root from 186.130.111.209 port 47246 ssh2
Apr 3 08:21:38 localhost sshd[16105]: Failed password for invalid user nuucp from 186.130.111.209 port 47252 ssh2
Apr 3 08:21:38 localhost sshd[16105]: pam_unix(sshd:auth): check pass; user unknown
Apr 3 08:21:39 localhost sshd[16099]: Failed password for root from 186.130.111.209 port 47246 ssh2
Apr 3 08:21:40 localhost sshd[16105]: Failed password for invalid user nuucp from 186.130.111.209 port 47252 ssh2
Apr 3 08:21:40 localhost sshd[16105]: pam_unix(sshd:auth): check pass; user unknown
Apr 3 08:21:43 localhost sshd[16105]: Failed password for invalid user nuucp from 186.130.111.209 port 47252 ssh2
Apr 3 08:21:43 localhost sshd[16099]: Failed password for root from 186.130.111.209 port 47246 ssh2
Apr 3 08:21:43 localhost sshd[16105]: pam_unix(sshd:auth): check pass; user unknown
Apr 3 08:21:45 localhost sshd[16105]: Failed password for invalid user nuucp from 186.130.111.209 port 47252 ssh2
Apr 3 08:21:46 localhost sshd[16105]: pam_unix(sshd:auth): check pass; user unknown
Apr 3 08:21:47 localhost sshd[16099]: Failed password for root from 186.130.111.209 port 47246 ssh2
Apr 3 08:21:48 localhost sshd[16105]: Failed password for invalid user nuucp from 186.130.111.209 port 47252 ssh2
Apr 3 08:21:48 localhost sshd[16105]: pam_unix(sshd:auth): check pass; user unknown
Apr 3 08:21:50 localhost sshd[16099]: Failed password for root from 186.130.111.209 port 47246 ssh2
Apr 3 08:21:50 localhost sshd[16099]: Disconnecting: Too many authentication failures for root from 186.130.111.209 port 47246 ssh2 [preauth]

The list goes on and on, with them guessing usernames and passwords to brute-force their way into my systems; the lines above are only a few of the attempts.

Bottom line, it looks like some script kiddies were trying to have some fun at my expense but failed, which is great on my part, but it also makes me that much more aware of the potential pitfalls in my network and why it is important to secure them and monitor them closely.

If you run servers or even have a home network then I suggest you closely monitor yours as well!
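As an added example (not part of the original post), here is a small Python script that aggregates the sshd "Failed password" lines shown above per source IP and flags any host that reaches a failure threshold or tries the root account at all. The threshold value and the reuse of a few lines from the excerpt as sample input are my own choices.

```python
import re
from collections import defaultdict

# Matches the sshd "Failed password" lines in the post's log excerpt and
# captures whether the account exists, the username and the source IP.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
# Emitted when sshd drops a session after MaxAuthTries failures.
LOCKOUT_RE = re.compile(r"Too many authentication failures for .* from (?P<ip>[\d.]+)")

def summarize(lines, threshold=5):
    """Aggregate failed logins per source IP and flag likely brute forcing."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "invalid_users": set(),
                                 "root": False, "lockouts": 0, "alert": False})
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            s = stats[m["ip"]]
            s["failures"] += 1
            s["users"].add(m["user"])
            if m["invalid"]:
                s["invalid_users"].add(m["user"])
            if m["user"] == "root":
                s["root"] = True
            continue
        m = LOCKOUT_RE.search(line)
        if m:
            stats[m["ip"]]["lockouts"] += 1
    for s in stats.values():
        # Sustained guessing, or any password attempt against root (which a
        # hardened host should refuse outright), is worth an alert.
        s["alert"] = s["failures"] >= threshold or s["root"]
    return dict(stats)

# A few lines taken from the excerpt above, used as sample input.
SAMPLE = """\
Apr 3 06:42:01 localhost sshd[13237]: Failed password for invalid user testuser from 95.37.149.222 port 35504 ssh2
Apr 3 06:42:03 localhost sshd[13237]: Failed password for invalid user testuser from 95.37.149.222 port 35504 ssh2
Apr 3 06:42:11 localhost sshd[13237]: Disconnecting: Too many authentication failures for invalid user testuser from 95.37.149.222 port 35504 ssh2 [preauth]
Apr 3 07:59:08 localhost sshd[15373]: Failed password for root from 77.41.104.93 port 27391 ssh2
Apr 3 08:21:37 localhost sshd[16099]: Failed password for root from 186.130.111.209 port 47246 ssh2
Apr 3 08:21:38 localhost sshd[16105]: Failed password for invalid user nuucp from 186.130.111.209 port 47252 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE).items()):
        flag = "ALERT" if s["alert"] else "ok"
        print(f"{flag:5} {ip:16} failures={s['failures']} lockouts={s['lockouts']} users={sorted(s['users'])}")
```

Point it at the full auth log (e.g. the lines from `/var/log/auth.log` or `journalctl -u ssh`) to get per-source counts for the whole weekend rather than this excerpt.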
