BCM
Posted: 10/22/2004 5:22:44 PM EDT
So I went on a trip out of town for a job interview the other day. I turned SSH on and took my laptop, in case I needed some file from the home computer or something. Taking a look at the logs after I get home, I find these:

Oct 19 17:52:13 myip sshd[13672]: Did not receive identification string from 211.91.16.88
Oct 19 17:56:22 myip sshd[13703]: Illegal user patrick from 211.91.16.88
Oct 19 17:56:24 myip sshd[13705]: Illegal user patrick from 211.91.16.88
Oct 19 17:56:39 myip sshd[13717]: Illegal user rolo from 211.91.16.88
Oct 19 17:56:41 myip sshd[13719]: Illegal user iceuser from 211.91.16.88
Oct 19 17:56:44 myip sshd[13721]: Illegal user horde from 211.91.16.88
Oct 19 17:56:51 myip sshd[13727]: Illegal user wwwrun from 211.91.16.88
Oct 19 17:56:53 myip sshd[13729]: Illegal user matt from 211.91.16.88
(snipped a bunch of other tries with dumb user names)
Oct 20 23:53:32 myip sshd[21528]: Illegal user patrick from 80.55.81.122
Oct 20 23:53:37 myip sshd[21530]: Illegal user patrick from 80.55.81.122
Oct 20 23:53:56 myip sshd[21542]: Illegal user rolo from 80.55.81.122
Oct 20 23:54:01 myip sshd[21544]: Illegal user iceuser from 80.55.81.122
Oct 20 23:54:06 myip sshd[21546]: Illegal user horde from 80.55.81.122
Oct 20 23:54:25 myip sshd[21552]: Illegal user wwwrun from 80.55.81.122
Oct 20 23:54:28 myip sshd[21554]: Illegal user matt from 80.55.81.122
(snipped a bunch more tries with the same dumb user names)

Taking a closer look, I see:

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Insufficient responses for TCP sequencing (2), OS detection may be less accurate
Interesting ports on  (211.91.16.88):
(The 1585 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp                    
22/tcp     open        ssh                    
23/tcp     open        telnet                  
111/tcp    open        sunrpc                  
135/tcp    filtered    loc-srv                
136/tcp    filtered    profile                
137/tcp    filtered    netbios-ns              
138/tcp    filtered    netbios-dgm            
139/tcp    filtered    netbios-ssn            
445/tcp    filtered    microsoft-ds            
593/tcp    filtered    http-rpc-epmap          
1434/tcp   filtered    ms-sql-m                
1521/tcp   open        oracle                  
1720/tcp   filtered    H.323/Q.931            
6000/tcp   open        X11                    
27374/tcp  filtered    subseven                
Remote OS guesses: Linux Kernel 2.4.0 - 2.5.20, Linux 2.4.19-pre4 on Alpha, Linux Kernel 2.4.3 SMP (RedHat)
Nmap run completed -- 1 IP address (1 host up) scanned in 72 seconds

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on sd122.internetdsl.tpnet.pl (80.55.81.122):
(The 1598 ports scanned but not shown below are in state: filtered)
Port       State       Service
22/tcp     open        ssh                    
80/tcp     open        http                    
3306/tcp   open        mysql                  
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 1.282 days (since Thu Oct 21 13:27:55 2004)
Nmap run completed -- 1 IP address (1 host up) scanned in 319 seconds

What really seems strange is the repeated use of the same odd user names. They could at least try root - it still wouldn't work on my computer, but it's at least a user, and they'd be root if they succeeded. Is there some kind of program that tries these names or something?
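As an added illustration (not from the original post or any poster), here is a small Python script for the defender's side of the question: it parses the sshd "Illegal user" lines, groups attempts by source address and time span, flags sources that reach an assumed threshold, and reports which usernames were tried from more than one source, the "same odd user names" pattern noticed above. The sample log is a constructed subset of the lines quoted in the post; the threshold of 3 is an assumed, illustrative value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the sshd lines quoted in the post.
SAMPLE_LOG = """\
Oct 19 17:56:22 myip sshd[13703]: Illegal user patrick from 211.91.16.88
Oct 19 17:56:24 myip sshd[13705]: Illegal user patrick from 211.91.16.88
Oct 19 17:56:39 myip sshd[13717]: Illegal user rolo from 211.91.16.88
Oct 19 17:56:41 myip sshd[13719]: Illegal user iceuser from 211.91.16.88
Oct 20 23:53:32 myip sshd[21528]: Illegal user patrick from 80.55.81.122
Oct 20 23:53:56 myip sshd[21542]: Illegal user rolo from 80.55.81.122
"""

LINE_RE = re.compile(  # 2004-era OpenSSH wording; newer versions log "Invalid user"
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Illegal user (?P<user>\S+) from (?P<ip>\S+)$"
)

def parse_illegal_users(text, year=2004):
    """Yield (timestamp, user, source_ip); syslog omits the year, so the caller supplies it."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def summarize(text, threshold=3):
    """Per source IP: attempts, usernames tried, time span, flag at threshold (3 is assumed)."""
    per_ip = defaultdict(list)
    for ts, user, ip in parse_illegal_users(text):
        per_ip[ip].append((ts, user))
    report = {}
    for ip, events in per_ip.items():
        times = [t for t, _ in events]
        report[ip] = {
            "attempts": len(events),
            "distinct_users": sorted({u for _, u in events}),
            "span_seconds": (max(times) - min(times)).total_seconds(),
            "flagged": len(events) >= threshold,
        }
    return report

def common_usernames(report):
    """Usernames tried from two or more sources: a sign of a shared wordlist or tool."""
    seen = defaultdict(set)
    for ip, info in report.items():
        for user in info["distinct_users"]:
            seen[user].add(ip)
    return {u for u, ips in seen.items() if len(ips) >= 2}
```

With the full log (the snipped lines included) the second source would cross the threshold as well; on this subset only the first does, which is the threshold doing its job on a short burst.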
Link Posted: 10/22/2004 5:23:56 PM EDT
[#1]
how do you "check the logs"?
Link Posted: 10/22/2004 5:24:24 PM EDT
[#2]
Link Posted: 10/22/2004 5:25:15 PM EDT
[#3]
Now, I'm pretty damn computer literate, but I have no idea what you just said other than that there were some fucktards messing with your computer.
Link Posted: 10/22/2004 5:27:23 PM EDT
[#4]
Link Posted: 10/22/2004 5:27:50 PM EDT
[#5]

Quoted:

Quoted:
how do you "check the logs"?



/var/log/



Try to explain it like you were instructing a 5 year old, I don't understand
Link Posted: 10/22/2004 5:30:41 PM EDT
[#6]

Quoted:

Quoted:

Quoted:
how do you "check the logs"?



/var/log/



Try to explain it like you were instructing a 5 year old, I don't understand



This would nice also.
Link Posted: 10/22/2004 5:34:23 PM EDT
[#7]
On unix systems, various system logfiles are usually kept in the directory /var/log

/var - named so because the size varies constantly, IIRC.

/log - 'cause there be logs there.

Like C:\temp\logs or something, except that it makes more sense.

Link Posted: 10/22/2004 5:37:10 PM EDT
[#8]
If you don't have the penguin running in your computer, it is all geek to you.
Link Posted: 10/22/2004 5:41:39 PM EDT
[#9]

Quoted:
If you don't have the penguin running in your computer, it is all geek to you.



The penguin running in your computer? Sounds like some weird metaphor for doing drugs
Link Posted: 10/22/2004 5:43:00 PM EDT
[#10]
Link Posted: 10/22/2004 5:43:58 PM EDT
[#11]
Would someone kindly translate that into english?
Link Posted: 10/22/2004 5:50:55 PM EDT
[#12]

Quoted:
Would someone kindly translate that into english?



(see above for what /var/log is)

"SSH" is a 'secure shell' - you get a command prompt (like C:\>) over an encrypted connection to a server. Lets you do whatever on your server, remotely.

He was looking at system logs, and saw a bunch of failed login attempts. It's odd that they didn't try logging in as 'root' - root is the master login with full permissions on a *nix system. Like the 'administrator' login on a Windows box. You get that, you get everything.

I haven't used *nix in a few years. Geeks, please correct any errors.

I have also had a few tonight.
Link Posted: 10/22/2004 5:59:15 PM EDT
[#13]
unix / linux operating system mascot

http://www.infoplex.com/unix/images/penguin2-150.jpg
Link Posted: 10/22/2004 6:01:30 PM EDT
[#14]
He is running Unix and or Linux which is an Operating System like Windows is. Unix is used more by IT guys or uber computer nerds. It has a Graphical User Interface but most Unix users don't use it. They use a shell much like DOS is for Windows. Now he is referring to log files that Unix creates and maintains. In the particular log file he was looking at it keeps tabs on external attempts made to gain control or access to his machine. If they were able to gain root access to his system they would have FULL control. Root access is like the Administrator password for a Windows PC.

I hope this has helped the not so nerdy type understand what mace was talking about.
Link Posted: 10/22/2004 6:02:15 PM EDT
[#15]

Quoted:

Quoted:
Would someone kindly translate that into english?



(see above for what /var/log is)

"SSH" is a 'secure shell' - you get a command prompt (like C:\>) over an encrypted connection to a server. Lets you do whatever on your server, remotely.

He was looking at system logs, and saw a bunch of failed login attempts. It's odd that they didn't try logging in as 'root' - root is the master login with full permissions on a *nix system. Like the 'administrator' login on a Windows box. You get that, you get everything.

I haven't used *nix in a few years. Geeks, please correct any errors.

I have also had a few tonight.



Pretty much. Plus, there's no way to know what other users there are on the system. root is always the superuser on any *nix system, but there's no way to know what the usernames of the normal users with admin privileges are. So trying random usernames is pretty dumb, because there's no way to know whether that user exists at all.
Link Posted: 10/22/2004 6:02:44 PM EDT
[#16]
penguin = Linux
Link Posted: 10/22/2004 6:05:58 PM EDT
[#17]

Quoted:
penguin = Linux



oops, thought it was unix.
Link Posted: 10/22/2004 6:09:16 PM EDT
[#18]

Quoted:
penguin = Linux



Hello
Link Posted: 10/22/2004 6:10:10 PM EDT
[#19]
If they kept trying the same username, and not 'root' or a sendmail crack or the like, it's probably just some luser with the wrong IP address wondering why he can't get into his box.
Link Posted: 10/22/2004 6:17:23 PM EDT
[#20]
Link Posted: 10/22/2004 6:17:43 PM EDT
[#21]
Sounds like a remote FTP connection to me
Link Posted: 10/22/2004 6:18:02 PM EDT
[#22]
Can you track who did it from the ID numbers?
Link Posted: 10/22/2004 6:22:43 PM EDT
[#23]
Link Posted: 10/22/2004 6:22:45 PM EDT
[#24]
lol... IP
Link Posted: 10/22/2004 6:24:10 PM EDT
[#25]
I like to get into box.
Link Posted: 10/22/2004 6:30:32 PM EDT
[#26]
Okay, who has pinged the offender's address, tracert, then tried to connect to HIS ftp, http, or SMTP ports?
Link Posted: 10/22/2004 6:31:24 PM EDT
[#27]

Quoted:
Can you track who did it from the ID numbers?



Sorta. That's the second part of the original messages. I ran nmap (a program that scans people's computers over the internet) on their IP addresses. Both of them have several services open on their computers. The guy with http (web access) open has it showing the test page from a fresh install. The guy with ftp on is allowing anonymous access. I'm guessing these people have a mostly stock install of some Linux variant (having never bothered to check what services are running and set their firewalls) and are trying out some hacking program. Or someone else hacked those computers and is using them to hack other computers, but if that's the case, I'd expect their attempts at hacking my computer to look a little more competent (trying to login as root, for example).