Question

Recently seen in my (Snow Leopard) Mac Mini's /var/log/secure.log:

    Feb 17 06:31:32 mini sshd[37945]: Invalid user charles from 220.248.31.177
    Feb 17 06:31:34 mini sshd[37947]: Invalid user charlie from 220.248.31.177
    Feb 17 06:31:37 mini sshd[37949]: Invalid user charlotte from 220.248.31.177
    Feb 17 06:31:39 mini sshd[37951]: Invalid user chase from 220.248.31.177
    Feb 17 06:31:42 mini sshd[37953]: Invalid user cher from 220.248.31.177
    Feb 17 06:31:44 mini sshd[37955]: Invalid user chester from 220.248.31.177
    Feb 17 06:31:47 mini sshd[37957]: Invalid user chile from 220.248.31.177
    Feb 17 06:31:49 mini sshd[37959]: Invalid user chip from 220.248.31.177

There are also a whole bunch of these:

    Feb 17 13:55:23 mini sshd[43204]: Invalid user beth from 23.19.81.173
    Feb 17 13:55:23 mini sshd[43206]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
    Feb 17 13:55:23 mini sshd[43204]: error: PAM: authentication error for illegal user beth from 23.19.81.173 via 192.168.0.2
    Feb 17 13:55:23 mini sshd[43204]: Failed keyboard-interactive/pam for invalid user beth from 23.19.81.173 port 59508 ssh2
    Feb 17 13:55:29 mini sshd[43207]: reverse mapping checking getaddrinfo for 23.19.81.173.rdns.ubiquity.io [23.19.81.173] failed - POSSIBLE BREAK-IN ATTEMPT!

Everything begins around 6 Feb and continues until 20 Feb, when I discovered it and deactivated my router's port 22 forwarding. The attempts come from many IP addresses, China, North America, God knows where else (I didn't check them all), but the ups are always grouped in long sessions as you see here. Megabytes-worth. There doesn't seem to be any indication of a successful login -- I have a non-standard username -- but here's the funny part that has me worried...

I only bothered to check the logs because I couldn't log in to a certain second account -- the password had changed. Frustrated, I tried to log in as root, but the root password had changed as well. However, the password for my regular user login -- which is always logged in -- hadn't changed.

I fixed the passwords, had to single-user as usual to do root. All else seems to be normal, but the password changes have me worried -- a lot. Has anyone heard of this kind of thing? Any way to know if I was hacked?

Much obliged.
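As an added example (not code from the question or the answer), here is a small Python script that parses lines in the secure.log format shown above, groups the "Invalid user" attempts by source address so a username-guessing burst stands out, and separately lists every "Accepted" login, which is the line to look for when asking whether anything actually got in. The sample lines and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the secure.log format shown above
# (documentation-range IPs, not the addresses from the post).
SAMPLE_LOG = """\
Feb 17 06:31:32 mini sshd[37945]: Invalid user charles from 203.0.113.7
Feb 17 06:31:34 mini sshd[37947]: Invalid user charlie from 203.0.113.7
Feb 17 06:31:37 mini sshd[37949]: Invalid user charlotte from 203.0.113.7
Feb 17 06:31:39 mini sshd[37951]: Invalid user chase from 203.0.113.7
Feb 17 13:55:23 mini sshd[43204]: Invalid user beth from 198.51.100.9
Feb 17 13:55:23 mini sshd[43206]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Feb 17 13:55:23 mini sshd[43204]: Failed keyboard-interactive/pam for invalid user beth from 198.51.100.9 port 59508 ssh2
Feb 17 14:02:11 mini sshd[43300]: Accepted password for admin from 192.0.2.5 port 50022 ssh2
"""

INVALID_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                        r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)$")
ACCEPT_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+)")

def parse_ts(s):
    # secure.log timestamps carry no year; good enough for ordering within one log.
    return datetime.strptime(s, "%b %d %H:%M:%S")

def summarize(log_text, threshold=3):
    """Group 'Invalid user' attempts by source IP and list every accepted login."""
    by_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "first": None, "last": None})
    accepted = []
    for line in log_text.splitlines():
        m = INVALID_RE.match(line)
        if m:
            rec, ts = by_ip[m["ip"]], parse_ts(m["ts"])
            rec["attempts"] += 1
            rec["users"].add(m["user"])
            rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
            rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
            continue
        m = ACCEPT_RE.match(line)
        if m:
            accepted.append((m["user"], m["ip"], m["method"]))
    # Many distinct usernames from one address in a short span is the pattern in the post.
    suspects = {ip: {"attempts": r["attempts"], "users": sorted(r["users"]),
                     "seconds": int((r["last"] - r["first"]).total_seconds())}
                for ip, r in by_ip.items() if r["attempts"] >= threshold}
    return {"suspects": suspects, "accepted": accepted}

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip, info in result["suspects"].items():
        print(f"{ip}: {info['attempts']} guesses, {len(info['users'])} usernames in {info['seconds']}s")
    for user, ip, method in result["accepted"]:
        print(f"ACCEPTED {method} login for {user} from {ip}")
```

Run it against the real file with `summarize(open("/var/log/secure.log").read())`; any entry in `accepted` from an address you do not recognise is the evidence the question is asking about.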


Solution

If your passwords changed on your system without your knowledge -- and you're the only one who has access -- then you likely have already been compromised. Nuke and pave.
