WATCH FOR A HACKER!!!

From: Damien Hull <dhull@digitaloverload.net>
Date: Sun Oct 17 2004 - 22:02:22 AKDT

I'm sitting here surfing the net. My DSL modem is right next to me. I
happened to see traffic going through when there shouldn't have been.

I did a "netstat -ta" to see if anything on my box was connecting to the
net. What I found was much worse. I saw an ssh connection from my box to
an ip address I have never seen.

Here's what I found in /var/log/messages.

Oct 17 21:40:33 tower1 sshd[31174]: Failed password for test from 218.21.78.22 port 3716 ssh2
Oct 17 21:40:38 tower1 sshd[31176]: Illegal user guest from 218.21.78.22
Oct 17 21:40:38 tower1 sshd[31176]: Failed password for illegal user guest from 218.21.78.22 port 3941 ssh2
Oct 17 21:40:44 tower1 sshd[31178]: Illegal user admin from 218.21.78.22
Oct 17 21:40:44 tower1 sshd[31178]: Failed password for illegal user admin from 218.21.78.22 port 4217 ssh2
Oct 17 21:40:49 tower1 sshd[31180]: Illegal user admin from 218.21.78.22
Oct 17 21:40:49 tower1 sshd[31180]: Failed password for illegal user admin from 218.21.78.22 port 4442 ssh2
Oct 17 21:40:54 tower1 sshd[31182]: Illegal user user from 218.21.78.22
Oct 17 21:40:54 tower1 sshd[31182]: Failed password for illegal user user from 218.21.78.22 port 4728 ssh2
Oct 17 21:41:00 tower1 sshd[31184]: Failed password for root from 218.21.78.22 port 4993 ssh2
Oct 17 21:41:05 tower1 sshd[31186]: Failed password for root from 218.21.78.22 port 1322 ssh2
Oct 17 21:41:11 tower1 sshd[31188]: Failed password for root from 218.21.78.22 port 1602 ssh2
Oct 17 21:41:19 tower1 sshd[31190]: Failed password for test from 218.21.78.22 port 1917 ssh2
Oct 17 21:51:12 tower1 su(pam_unix)[31349]: session opened for user root by (uid=1002)

It turns out that the IP is from some ISP in China. Here's the whois
info.

inetnum: 218.21.64.0 - 218.21.127.255
netname: CHINANET-GX
descr: CHINANET Guangxi province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CR766-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-GX
changed: hostmaster@ns.chinanet.cn.net 20010731
status: ALLOCATED NON-PORTABLE
source: APNIC

role: CHINANET GUANGXI
address: No.35,Minzhu Road,Nanning 530015
country: CN
phone: +86-771-2815987
fax-no: +86-771-2839278
e-mail: hostmaster@gx163.net
trouble: send spam reports to hostmaster@gx163.net
trouble: send abuse reports to hostmaster@gx163.net
trouble: times in GMT+8
admin-c: CR76-AP
tech-c: BD37-AP
nic-hdl: CR766-AP
remarks: http://www.gx.cninfo.net
notify: hostmaster@gx163.net
mnt-by: MAINT-CHINANET-GX
changed: hostmaster@gx163.net 20021024
source: APNIC

person: Chinanet Hostmaster
address: No.31 ,jingrong street,beijing
address: 100032
country: CN
phone: +86-10-66027112
fax-no: +86-10-58501144
e-mail: hostmaster@ns.chinanet.cn.net
e-mail: anti-spam@ns.chinanet.cn.net
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: hostmaster@ns.chinanet.cn.net 20021016
remarks: hostmaster is not for spam complaint,please send spam complaint to anti-spam@ns.chinanet.cn.net
source: APNIC

-- 
Damien Hull <dhull@digitaloverload.net>
---------
Received on Sun Oct 17 22:02:23 2004

This archive was generated by hypermail 2.1.8 : Sun Oct 17 2004 - 22:02:23 AKDT
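The pattern in the post's log (a run of failed sshd logins for guessed usernames from one source, then an su session to root from a non-root uid) is exactly what a small log check can surface automatically. The following is an added example, not code from the post or the list; it parses a constructed sample modelled on the quoted /var/log/messages lines, counts failures per source address, collects the usernames tried, and flags any root session opened via su while a brute-force burst is in the log. The threshold of 5 failures is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the sshd/su lines quoted in the post (not the full log).
SAMPLE_LOG = """\
Oct 17 21:40:33 tower1 sshd[31174]: Failed password for test from 218.21.78.22 port 3716 ssh2
Oct 17 21:40:38 tower1 sshd[31176]: Illegal user guest from 218.21.78.22
Oct 17 21:40:38 tower1 sshd[31176]: Failed password for illegal user guest from 218.21.78.22 port 3941 ssh2
Oct 17 21:40:44 tower1 sshd[31178]: Illegal user admin from 218.21.78.22
Oct 17 21:40:44 tower1 sshd[31178]: Failed password for illegal user admin from 218.21.78.22 port 4217 ssh2
Oct 17 21:41:00 tower1 sshd[31184]: Failed password for root from 218.21.78.22 port 4993 ssh2
Oct 17 21:41:05 tower1 sshd[31186]: Failed password for root from 218.21.78.22 port 1322 ssh2
Oct 17 21:51:12 tower1 su(pam_unix)[31349]: session opened for user root by (uid=1002)
"""

# "Failed password for <user> from <ip>" with or without the "illegal user" prefix.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:illegal user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
# su/PAM line recording a root session opened by some other uid.
SU_ROOT = re.compile(r"su\(pam_unix\)\[\d+\]: session opened for user root by \(uid=(\d+)\)")


def analyze(log_text, threshold=5):
    """Return failure counts per source, usernames tried, su-to-root events and alerts."""
    failures = defaultdict(int)
    users = defaultdict(set)
    su_events = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users[src].add(user)
            continue
        m = SU_ROOT.search(line)
        if m:
            su_events.append((line[:15], int(m.group(1))))  # syslog timestamp, acting uid
    alerts = [f"brute force from {src}: {n} failed logins, users tried {sorted(users[src])}"
              for src, n in failures.items() if n >= threshold]
    if su_events and failures:  # root shell opened while a guessing burst is in the log
        alerts += [f"su to root by uid {uid} at {ts} after failed logins; verify this session"
                   for ts, uid in su_events]
    return {"failures": dict(failures), "users": {k: sorted(v) for k, v in users.items()},
            "su_root": su_events, "alerts": alerts}


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG)["alerts"]:
        print(a)
```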