On Thu, 19 Mar 2009 10:43:13 -0500 Paul Hartman <paul.hartman+gen...@gmail.com> wrote:
> On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
> <johan.bluecr...@gmail.com> wrote:
> > I've always had usernames when it comes to sshd's log entries in
> > auth.log, like the following:
> >
> > <time> <hostname> sshd[5926]: error: PAM: Authentication failure for
> > <username> from <ip-address>
>
> Well, I don't use PAM, just key-based authentication only, so I always
> see only the IP getting rejected since it doesn't even give them a
> place to try a user/password :) It's just weird that it is refusing a
> connection from u...@domain rather than simply the IP. I guess they
> could be trying to ssh u...@myhost.net or something. The one with
> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
> interesting. I wonder what that's all about.
>

My $.02:

perl -MMIME::Base64 -e 'print decode_base64("U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=")'

Salted__`�fT�,BI~���!2 :'���9

I'm no expert, so Google led me to OpenSSL's command-line "enc" utility:

echo "U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=" | openssl enc -d -base64 -a -idea
enter idea-cbc decryption password:

... or like that.

Seems like an attempt to send user and password together. I suppose if
you know what are possible user/pass combos on your system, and can
suss the crypt type from the signature (I've no idea if possible), you
can see if it's a real hack attempt.

It is interesting, I think... but I'm just guessing. ;-)

Cheers,

-- 
 |\  /|            |  |        ~ ~
 | \/ |   |---|   `|`   ?
 |    |ichael   |   |iggins   \^ /
michael.higgins[at]evolone[dot]org
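The check Michael does by hand above (base64-decode the odd username and look for OpenSSL's "Salted__" header) can be run over an auth.log in bulk. The following is an added example written for this thread, not code posted by any of its participants: it pulls the rejected username and source IP out of the two sshd message formats quoted in the thread, decodes the field strictly as base64, and reports whether it carries the `Salted__` magic that `openssl enc` writes by default, together with the 8-byte salt and the ciphertext length. The log lines are constructed for illustration (the base64 value is the one from the thread, the hostnames, PIDs and addresses are made up); the regex, data class and function names are this example's own.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample auth.log lines. Only the base64 "username" on the second
# line comes from the thread; everything else is invented for illustration.
SAMPLE_LOG = """\
Mar 19 10:20:01 myhost sshd[5926]: Invalid user admin from 192.0.2.10
Mar 19 10:20:05 myhost sshd[5931]: Invalid user U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo= from 192.0.2.10
Mar 19 10:20:09 myhost sshd[5933]: Invalid user dGVzdA== from 198.51.100.7
Mar 19 10:20:12 myhost sshd[5940]: error: PAM: Authentication failure for root from 203.0.113.5
"""

# The two "rejected user" formats seen in the thread: the PAM form Johan
# quoted and the "Invalid user" form a key-only host logs.
USER_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|error: PAM: Authentication failure for) "
    r"(?P<user>\S+) from (?P<ip>\S+)"
)

# Header that `openssl enc` writes when salting (its default). It says the
# blob came from openssl enc, but says nothing about which cipher was used.
OPENSSL_MAGIC = b"Salted__"


@dataclass
class UserField:
    raw: str
    ip: str
    decoded: Optional[bytes]   # None when the field is not well-formed base64
    openssl_salted: bool       # decoded bytes start with "Salted__"
    salt_hex: Optional[str]    # the 8 salt bytes that follow the magic
    ciphertext_len: int        # bytes after magic + salt (a block-size multiple)


def decode_b64(field: str) -> Optional[bytes]:
    """Strict base64 decode: the whole field must be valid, padded base64."""
    if len(field) % 4 != 0 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", field):
        return None
    try:
        return base64.b64decode(field, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_user(user: str, ip: str) -> UserField:
    """Decode a rejected username and test it for the openssl enc header."""
    decoded = decode_b64(user)
    salted = decoded is not None and decoded.startswith(OPENSSL_MAGIC)
    if salted and len(decoded) >= 16:
        salt_hex = decoded[8:16].hex()
        ct_len = len(decoded) - 16
    else:
        salt_hex, ct_len = None, 0
    return UserField(user, ip, decoded, salted, salt_hex, ct_len)


def scan_log(text: str) -> List[UserField]:
    """Classify every rejected-user line in an sshd auth.log excerpt."""
    results = []
    for line in text.splitlines():
        m = USER_RE.search(line)
        if m:
            results.append(classify_user(m.group("user"), m.group("ip")))
    return results


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        tag = "openssl-salted" if r.openssl_salted else ("base64" if r.decoded else "plain")
        print(f"{r.ip:<15} {tag:<15} salt={r.salt_hex} ct_bytes={r.ciphertext_len} user={r.raw}")
```

Two things the output makes visible that the one-off decode does not: first, base64 validity alone is a poor signal, since short ordinary names such as `root` or `test` (the constructed `dGVzdA==` line) also decode cleanly, so only the `Salted__` header is worth alerting on; second, the header gives the salt and a 16-byte ciphertext for the thread's blob but identifies no cipher, which is why guessing `-idea` on the command line is exactly that, a guess.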