Old 03-26-2006, 12:17 PM   #1
johnny_b
Triple-A Player
 
Join Date: Aug 2003
Posts: 59
Trying to be hacked, but no IP address to the hacker!

Hello. It was some days before I by luck read my logs for some reason and noticed that somebody had tried to hack my machine. He had been trying with a lot of different usernames; in this case it's "robert", which is not my name. This is his/her try at 12:56:30 UTC or 14:56:30 GMT+2; the list with entries like this goes on and on...

asl.log
Code:
[Time 2006.03.26 12:56:30 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message authinternal failed to authenticate user robert.] [Level 3] [UID -2] [GID -2] [Host jb]
[Time 2006.03.26 12:56:30 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.] [Level 5] [UID -2] [GID -2] [Host jb]
secure.log
Code:
Mar 26 14:56:30 jb com.apple.SecurityServer: authinternal failed to authenticate user robert.
Mar 26 14:56:30 jb com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
How is this possible? I've been on this now for two days trying to find an IP address. But that is the only trace of him. Are there some exploits in 10.4.5 that enable people to hack from localhost or something?
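As an added example (not part of the original posts): a small Python parser for the two log formats quoted above that pairs each failed authentication with the sshd denial logged right after it, tallies the usernames tried, and counts how many events carry no source address. The sample lines are constructed from the format in the post, and the function names are hypothetical.

```python
import re
from collections import Counter

ASL_FIELD = re.compile(r"\[(\w+) ([^\]]*)\]")  # asl.log: [Key value] pairs
SYSLOG = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ([^:\s]+): (.*)$")  # secure.log
AUTH_FAIL = re.compile(r"authinternal failed to authenticate user (\S+?)\.$")
SSHD_DENY = "Failed to authorize right system.login.tty by process /usr/sbin/sshd"
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample: one asl.log event followed by two secure.log events.
SAMPLE = """\
[Time 2006.03.26 12:56:30 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message authinternal failed to authenticate user robert.] [Level 3] [UID -2] [GID -2] [Host jb]
[Time 2006.03.26 12:56:30 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.] [Level 5] [UID -2] [GID -2] [Host jb]
Mar 26 14:56:32 jb com.apple.SecurityServer: authinternal failed to authenticate user james.
Mar 26 14:56:32 jb com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Mar 26 14:56:35 jb com.apple.SecurityServer: authinternal failed to authenticate user robert.
Mar 26 14:56:35 jb com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
"""

def parse_line(line):
    """Return (timestamp, sender, message) for either log format, else None."""
    line = line.strip()
    if line.startswith("["):
        f = dict(ASL_FIELD.findall(line))
        return f.get("Time"), f.get("Sender"), f.get("Message", "")
    m = SYSLOG.match(line)
    return m.groups() if m else None

def sshd_failures(text):
    """Pair each failed authentication with the sshd denial logged right after it."""
    events, pending = [], None
    for ts, sender, msg in filter(None, map(parse_line, text.splitlines())):
        m = AUTH_FAIL.search(msg) if sender == "com.apple.SecurityServer" else None
        if m:
            pending = (ts, m.group(1))
        elif pending and ts == pending[0] and msg.startswith(SSHD_DENY):
            ip = IPV4.search(msg)  # the quoted records carry no address at all
            events.append({"time": ts, "user": pending[1],
                           "source": ip.group(0) if ip else None})
            pending = None
        else:
            pending = None
    return events

def summarize(text):
    """Return (Counter of usernames tried, number of events with no source IP)."""
    events = sshd_failures(text)
    return Counter(e["user"] for e in events), sum(e["source"] is None for e in events)
```

asl.log and secure.log record the same events, so feed the function one file per time range to avoid double counting.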
Old 03-26-2006, 12:34 PM   #2
hayne
Moderator
 
Join Date: Jan 2002
Location: Montreal
Posts: 29,279
The log messages are referring to 'sshd' which is the server-side component of what is called "Remote Login" in the Sharing preferences.
Do you have "Remote Login" enabled?
If so, you should make sure that you have it configured to be as secure as possible - see the articles on the main macosxhints site about this (search for /etc/sshd_config) and then get used to the fact that you will have lots of attempts to break in via SSH as long as you have it enabled. It is best to enable it only when needed or only for access from certain IP addresses, etc.
__________________
hayne.net/macosx.html
Old 03-26-2006, 01:32 PM   #3
johnny_b
Triple-A Player
 
Join Date: Aug 2003
Posts: 59
I know what ssh is. That was not the question. The question was why his IP didn't appear. I'm looking into securing it better, but that was not the question. And yes, ssh is enabled.

Last edited by johnny_b; 03-26-2006 at 01:39 PM.
Old 03-26-2006, 02:03 PM   #4
hayne
Moderator
 
Join Date: Jan 2002
Location: Montreal
Posts: 29,279
Quote:
Originally Posted by johnny_b
The question was why his IP didn't appear.

I think I recall some threads on these forums discussing why the IP addresses of SSH attempts didn't appear in the logs. I think it is a matter of the logging configuration having changed with Tiger. There's a way to get it to log the IP addresses - look for those other threads. Or maybe it was an article on the main macosxhints site?
Old 03-26-2006, 03:48 PM   #5
johnny_b
Triple-A Player
 
Join Date: Aug 2003
Posts: 59
Been searching this forum and Google now. Can't seem to find anything about this.

When I try to log in with the wrong username and password from one of my other machines, its IP shows up in the logs.
Old 03-26-2006, 03:53 PM   #6
johnny_b
Triple-A Player
 
Join Date: Aug 2003
Posts: 59
Think I found it...

http://forums.macosxhints.com/archiv...p/t-39527.html

I'll look more into it after some sleep...
Old 03-26-2006, 03:58 PM   #7
hayne
Moderator
 
Join Date: Jan 2002
Location: Montreal
Posts: 29,279
Here's at least one relevant thread: http://forums.macosxhints.com/showthread.php?t=39527

[edit] Oh - I see you found it too. [/edit]
Old 03-28-2006, 04:26 PM   #8
ArtemisG3
Triple-A Player
 
Join Date: Feb 2002
Posts: 147
I just looked in my logs and have the same attempts:

robert
james
john
alex
jason
justin
jessica
peter
and on, and on...
Old 04-01-2006, 01:42 PM   #9
voldenuit
Hall of Famer
 
Join Date: Sep 2003
Location: Old Europe
Posts: 4,896
I have never seen this kind of crap in my logs again since I run sshd on a high port.

Some config work, but once it's running, you have an extra layer of security when the next bug in ssh shows up.

And cleaner logs.

Of course, if you have reason to believe that someone is specifically out to get +you+, this is not helpful, but the standard random attacks get completely filtered.

All times are GMT -5.