Wednesday, May 22, 2013

SSH Brute Force Attempts

I found an interesting entry in the output of the netstat utility while trying to see the actively running services on an Amazon VM running CentOS.

netstat -pant
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name  
tcp        0      0 0.0.0.0:27017               0.0.0.0:*                   LISTEN      996/mongod         
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      1017/nginx         
tcp        0      0 0.0.0.0:28017               0.0.0.0:*                   LISTEN      996/mongod         
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      858/sshd           
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      803/cupsd          
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      952/master         
tcp        0     48 10.204.214.243:22           173.203.XXX.XXX:43344        ESTABLISHED 21748/sshd         
tcp        0    784 10.204.214.243:22           218.109.6.241:56570         ESTABLISHED 25742/sshd
    
 


The IP in the last line clearly isn't one I own. I did a quick IP2Location lookup and it is a Chinese IP address.
To find out from the system logs what this IP was up to, I did a Google search and came across the three commands below.

grep -ir ssh /var/log/*
grep -ir breakin /var/log/*
grep -ir security /var/log/*
 
Running the first command on two different servers (CentOS and Ubuntu respectively) revealed loads of automated break-in attempts against both of them.

/var/log/secure:May 22 08:05:00 ip-10-204-214-243 sshd[23741]: Invalid user server from 218.109.6.241
/var/log/secure:May 22 08:05:00 ip-10-204-214-243 sshd[23745]: input_userauth_request: invalid user server
/var/log/secure:May 22 08:05:00 ip-10-204-214-243 sshd[23745]: Received disconnect from 218.109.6.241: 11: Bye Bye
/var/log/secure:May 22 08:05:02 ip-10-204-214-243 sshd[23747]: Invalid user share from 218.109.6.241
/var/log/secure:May 22 08:05:02 ip-10-204-214-243 sshd[23751]: input_userauth_request: invalid user share
/var/log/secure:May 22 08:05:02 ip-10-204-214-243 sshd[23751]: Received disconnect from 218.109.6.241: 11: Bye Bye

/var/log/auth.log:May 22 04:43:08 ejeboo sshd[18376]: Failed password for invalid user test1 from 198.23.229.207 port 44166 ssh2
/var/log/auth.log:May 22 04:43:08 ejeboo sshd[18378]: Address 198.23.229.207 maps to host.colocrossing.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
/var/log/auth.log:May 22 04:43:08 ejeboo sshd[18378]: Invalid user test1 from 198.23.229.207
/var/log/auth.log:May 22 04:43:08 ejeboo sshd[18378]: pam_unix(sshd:auth): check pass; user unknown
/var/log/auth.log:May 22 04:43:08 ejeboo sshd[18378]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.23.229.207
/var/log/auth.log:May 22 04:43:11 ejeboo sshd[18378]: Failed password for invalid user test1 from 198.23.229.207 port 44599 ssh2
/var/log/auth.log:May 22 04:43:11 ejeboo sshd[18380]: Address 198.23.229.207 maps to host.colocrossing.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!


It's a sad world out there :(