| Author |
Message |
NeonNero
Joined: 04 Jan 2005
Posts: 214
Location: Ålesund, Norway
|
| Posted: Thu Sep 24, 2009 9:01 am Post subject: Hacked Linode customer? |
|
|
I manage a Linode for someone else, and based on a finding in one of the daily logwatch reports, I noticed the following in auth.log:
Code: Sep 22 12:09:53 localhost sshd[27408]: Invalid user globus from 97.107.135.77
Sep 22 12:09:53 localhost sshd[27408]: (pam_unix) check pass; user unknown
Sep 22 12:09:53 localhost sshd[27408]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li65-77.members.linode.com
Sep 22 12:09:55 localhost sshd[27408]: Failed password for invalid user globus from 97.107.135.77 port 59198 ssh2
Sep 22 12:11:21 localhost sshd[27410]: Invalid user cadi from 97.107.135.77
Sep 22 12:11:21 localhost sshd[27410]: (pam_unix) check pass; user unknown
Sep 22 12:11:21 localhost sshd[27410]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li65-77.members.linode.com
Sep 22 12:11:22 localhost sshd[27410]: Failed password for invalid user cadi from 97.107.135.77 port 44401 ssh2
Sep 22 12:11:22 localhost sshd[27412]: Invalid user cady from 97.107.135.77
Sep 22 12:11:22 localhost sshd[27412]: (pam_unix) check pass; user unknown
Sep 22 12:11:23 localhost sshd[27412]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li65-77.members.linode.com
Sep 22 12:11:25 localhost sshd[27412]: Failed password for invalid user cady from 97.107.135.77 port 45549 ssh2
To the person who has that IP address: Please check your system for trojans, hackers, etc. |
|
| Back to top |
|
Guspaz
Joined: 26 May 2009
Posts: 1147
Location: Montreal, QC
|
| Posted: Thu Sep 24, 2009 10:06 am Post subject: |
|
|
| It's highly unlikely that that person will see your post. You should report it to Linode themselves so that they can contact the affected customer and take appropriate action. If you have access to the Linode control panel, you can open a trouble ticket. If not, you can contact service@linode.com (I can't find an abuse address, but you might try abuse@linode.com too). |
|
| Back to top |
|
mwalling
Joined: 10 Dec 2007
Posts: 335
|
| Posted: Thu Sep 24, 2009 10:10 am Post subject: |
|
|
Code: mwalling@youtoo:~$ whois 97.107.135.77 | grep abuse
RAbuseEmail: abuse@linode.com
OrgAbuseEmail: abuse@linode.com
|
|
| Back to top |
|
unixfool
Joined: 08 Apr 2004
Posts: 92
Location: VA
|
| Posted: Thu Sep 24, 2009 10:14 am Post subject: |
|
|
mwalling wrote: Code: mwalling@youtoo:~$ whois 97.107.135.77 | grep abuse
RAbuseEmail: abuse@linode.com
OrgAbuseEmail: abuse@linode.com
I was close to mentioning that but I thought it was a bit obvious. :) |
|
| Back to top |
|
redbook
Joined: 02 Oct 2009
Posts: 1
|
| Posted: Fri Oct 02, 2009 6:25 am Post subject: Hacked Linode customer? |
|
|
| Have a look at fail2ban - scans log for auth failures and automatically blocks the IP address either via iptables or denyhosts. |
|
| Back to top |
|
| |
