Gentoo Archives: gentoo-security

From: Bryan O'Shea <bryan05@××××××××.net>
To: Dan Margolis <krispykringle@g.o>
Cc: gentoo-security@l.g.o
Subject: Re: [gentoo-security] SSH login attempts and /var/log/wtmp
Date: Mon, 02 Aug 2004 20:21:15
Message-Id: Pine.LNX.4.60.0408021549100.32737@malachi.totalink.net
In Reply to: Re: [gentoo-security] SSH login attempts and /var/log/wtmp by Dan Margolis
On Mon, 2 Aug 2004, Dan Margolis wrote:

> Incorrect login attempts should NOT show up (or at least they don't for
> me). This would imply that the user did log in successfully. Do you have
> a user by the name of ``test''? Perhaps with its shell set to
> /bin/false so that it cannot log in to a working shell?

I have no user test in /etc/passwd or /etc/shadow:

This is a 2004.1 recently installed system
w/ latest sync and world updates
vanilla 2.4.26 kernel

last -a | grep test
test pts/0 Tue Jul 27 00:45 - 00:45 (00:00) 80.28.219.40
test pts/0 Sat Jul 24 17:29 - 17:29 (00:00) 210.143.106.131
test pts/0 Sat Jul 24 11:10 - 11:10 (00:00) 61.109.156.5
test pts/0 Sun Jul 18 22:08 - 22:08 (00:00) 66.165.234.7
test pts/1 Thu Jul 15 09:03 - 09:03 (00:00) mail.schedl-automotive.de
test pts/0 Thu Jul 15 08:59 - 08:59 (00:00) mail.schedl-automotive.de
test pts/0 Thu Jul 15 08:57 - 08:57 (00:00) mail.schedl-automotive.de
test pts/0 Thu Jul 15 08:53 - 08:53 (00:00) mail.schedl-automotive.de
test pts/1 Wed Jul 14 12:37 - 12:37 (00:00) host2-140.pool21758.interbusiness.it
test pts/0 Tue Jul 13 01:23 - 01:23 (00:00) 216-55-164-10.dedicated.abac.net

>
> Or are you perhaps running an out of date version of OpenSSH (like, a
> year out of date)?

ssh -v
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004

>
> Seeing as I've yet to hear of an exploit on a patched system with no
> vulnerable users/passwords, I had been assuming there is no 0day exploit
> out there to be concerned about. But perhaps you can confirm differently
> for us.

Since these login attempts have appeared I have been monitoring closely
and have not experienced any more attempts.



--
gentoo-security@g.o mailing list
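
The cross-check done by hand in the message above (names in `last -a` output against /etc/passwd, plus the 00:00 session length), as an added example that is not part of the original post. The function names are hypothetical, and the `alice` line and the passwd text are constructed sample input.

```python
import re

# One completed session line from `last -a`:
#   user tty  Day Mon DD HH:MM - HH:MM ([days+]HH:MM) host
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<login>\w{3}\s+\w{3}\s+\d+\s+\d{2}:\d{2})\s+-\s+\d{2}:\d{2}\s+"
    r"\((?:(?P<days>\d+)\+)?(?P<h>\d{2}):(?P<m>\d{2})\)\s+(?P<host>\S+)$"
)

def passwd_users(passwd_text):
    """Account names from passwd(5)-format text (first colon-separated field)."""
    return {line.split(":", 1)[0]
            for line in passwd_text.splitlines()
            if line and not line.startswith("#")}

def audit_last(last_text, known_users):
    """Return (user, host, login, reasons) for sessions worth a closer look."""
    findings = []
    for line in last_text.splitlines():
        m = LAST_RE.match(line.strip())
        if not m:
            continue  # reboot lines, "still logged in", "wtmp begins ..."
        minutes = (int(m["days"] or 0) * 24 + int(m["h"])) * 60 + int(m["m"])
        reasons = []
        if m["user"] not in known_users:
            reasons.append("no-such-account")
        if minutes == 0:
            reasons.append("zero-duration")
        if reasons:
            findings.append((m["user"], m["host"], m["login"], reasons))
    return findings

# First two lines are taken from the message above; the "alice" line and the
# passwd text are constructed for this example.
SAMPLE_LAST = """\
test pts/0 Tue Jul 27 00:45 - 00:45 (00:00) 80.28.219.40
test pts/1 Wed Jul 14 12:37 - 12:37 (00:00) host2-140.pool21758.interbusiness.it
alice pts/2 Mon Jul 26 09:10 - 11:40 (02:30) 192.0.2.10
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
"""

if __name__ == "__main__":
    for user, host, login, reasons in audit_last(SAMPLE_LAST, passwd_users(SAMPLE_PASSWD)):
        print(f"{login}  {user:<8} {host:<40} {','.join(reasons)}")
```

On a live system the inputs would be the output of `last -a` and the contents of /etc/passwd instead of the embedded samples.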
