On Wed, Aug 09, 2006 at 05:56:30PM -0600, Stephen Bosch wrote:
> Hi:
>
> I have an OpenBSD 3.8 host.
>
> My authlog is filling up with strange messages:
>
> > Aug 9 17:30:27 fw1 sshd[7006]: Connection closed by XX.XX.XX.XX
> > Aug 9 17:31:31 fw1 sshd[21487]: Connection closed by XX.XX.XX.XX
> > Aug 9 17:32:35 fw1 sshd[339]: Connection closed by XX.XX.XX.XX
> > Aug 9 17:33:39 fw1 sshd[1993]: Connection closed by XX.XX.XX.XX
> > Aug 9 17:34:39 fw1 sshd[1933]: Connection closed by XX.XX.XX.XX
> > Aug 9 17:35:39 fw1 sshd[6756]: Connection closed by XX.XX.XX.XX
> > Aug 9 17:36:41 fw1 sshd[26173]: Connection closed by XX.XX.XX.XX
> > Aug 9 17:37:48 fw1 sshd[10252]: Connection closed by XX.XX.XX.XX
> > Aug 9 17:38:53 fw1 sshd[25829]: Connection closed by XX.XX.XX.XX
> > Aug 9 17:39:57 fw1 sshd[3588]: Connection closed by XX.XX.XX.XX
> > Aug 9 17:41:02 fw1 sshd[1862]: Connection closed by XX.XX.XX.XX
> > Aug 9 17:42:03 fw1 sshd[567]: Connection closed by XX.XX.XX.XX
> > Aug 9 17:43:04 fw1 sshd[15959]: Connection closed by XX.XX.XX.XX
> > Aug 9 17:44:05 fw1 sshd[24466]: Connection closed by XX.XX.XX.XX
> > Aug 9 17:45:06 fw1 sshd[3522]: Connection closed by XX.XX.XX.XX
> > Aug 9 17:46:10 fw1 sshd[10462]: Connection closed by XX.XX.XX.XX
> > Aug 9 17:47:18 fw1 sshd[21288]: Connection closed by XX.XX.XX.XX
> > Aug 9 17:48:24 fw1 sshd[21350]: Connection closed by XX.XX.XX.XX
>
> The device at XX.XX.XX.XX is running an older OpenBSD. I can't be sure
> which version, because it's a stripped-down install and I don't have
> uname. (It's running off of a memory filesystem loaded from a compact
> flash disk, so installing it is not currently an option -- if anybody
> has another suggestion for checking the version of the install, make
> yourself heard.)
>
> This error message appears at approximately one minute intervals in
> authlog on 'fw1', irrespective of whether I am logged into 'fw1' or not.
>
> I should note that this message comes a few days after various devices
> with public addresses were flooded with apparently scripted sshd hack
> attempts from a variety of addresses. I don't know if it's connected, it
> might be a red herring. Part of the reason I noticed these "Connection
> closed" messages was because I was cleaning up overflowing logs in the
> aftermath, so it might well have been happening before.
>
> Any ideas what this might be?
>
> -Stephen-
>
Wow fun :)

(The IP is from your mail; I don't know if this is the firewall or what,
and I didn't look at other IPs around it.)

uran:tobiasu$ nmap -vv -P0 66.18.218.36

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-08-10 10:05 CEST
DNS resolution of 1 IPs took 7.02s.
Initiating Connect() Scan against dsl-cap-66-18-218-36-cgy.nucleus.com (66.18.218.36) [1680 ports] at 10:05
Discovered open port 53/tcp on 66.18.218.36
Discovered open port 443/tcp on 66.18.218.36
Discovered open port 22/tcp on 66.18.218.36
Connect() Scan Timing: About 9.26% done; ETC: 10:11 (0:04:55 remaining)
Increasing send delay for 66.18.218.36 from 0 to 5 due to max_successful_tryno increase to 4
caught SIGINT signal, cleaning up

uran:tobiasu$ telnet 66.18.218.36 22
Trying 66.18.218.36...
Connected to 66.18.218.36.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.9          << 3.9 is a bit dated, don't you think (2004)?
quit
Protocol mismatch.
Connection closed by foreign host.

uran:tobiasu$ nslookup
> server 66.18.218.36
Default server: 66.18.218.36
Address: 66.18.218.36#53
> www.heise.de
Server:         66.18.218.36
Address:        66.18.218.36#53

Non-authoritative answer:
Name:   www.heise.de
Address: 193.99.144.85        << nice open nameserver (useful to flood other networks) :)
> ^D

The log messages may be the result of a trojan that tries to infect other
hosts in the network.

Tobias
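Added example (not part of the thread above, and not code from either poster): a small Python triage script that does by machine what the two mails do by eye. It groups sshd authlog events per source address and separates a silent, regularly spaced connect-and-close pattern like Stephen's (no authentication ever attempted) from a password brute-force (many "Failed password" lines) and from an ordinary login; and it parses an SSH identification string such as the "SSH-1.99-OpenSSH_3.9" banner Tobias pulled with telnet into protocol and software version. The authlog sample is constructed for the example (timestamps follow the excerpt in the thread, addresses are from the RFC 5737 documentation ranges, not the real ones); the thresholds `min_closed`, `max_jitter` and `brute_threshold` are assumptions to tune per site.

```python
#!/usr/bin/env python3
"""Triage "Connection closed by <ip>" noise in an OpenSSH authlog.

Added example; not from the mail thread. Sample log below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: a periodic closer (192.0.2.10), a brute-forcer
# (198.51.100.7) and one legitimate key login (203.0.113.5).
SAMPLE_AUTHLOG = """\
Aug  9 17:30:27 fw1 sshd[7006]: Connection closed by 192.0.2.10
Aug  9 17:30:40 fw1 sshd[7102]: Failed password for root from 198.51.100.7 port 4321 ssh2
Aug  9 17:30:41 fw1 sshd[7102]: Failed password for root from 198.51.100.7 port 4321 ssh2
Aug  9 17:30:42 fw1 sshd[7102]: Failed password for invalid user admin from 198.51.100.7 port 4321 ssh2
Aug  9 17:30:43 fw1 sshd[7102]: Connection closed by 198.51.100.7
Aug  9 17:31:02 fw1 sshd[7211]: Accepted publickey for stephen from 203.0.113.5 port 50022 ssh2
Aug  9 17:31:31 fw1 sshd[21487]: Connection closed by 192.0.2.10
Aug  9 17:32:35 fw1 sshd[339]: Connection closed by 192.0.2.10
Aug  9 17:33:39 fw1 sshd[1993]: Connection closed by 192.0.2.10
Aug  9 17:34:39 fw1 sshd[1933]: Connection closed by 192.0.2.10
Aug  9 17:35:39 fw1 sshd[6756]: Connection closed by 192.0.2.10
Aug  9 17:40:00 fw1 sshd[7211]: Connection closed by 203.0.113.5
"""

# syslog prefix: "Mon dd HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
IP = r"(?P<ip>[0-9a-fA-F.:]+)"
EVENT_RES = {
    "closed": re.compile(r"^Connection closed by " + IP),
    "failed": re.compile(r"^Failed \S+ for (?:invalid user )?\S+ from " + IP),
    "accepted": re.compile(r"^Accepted \S+ for \S+ from " + IP),
}


def parse_authlog(text, year=2006):
    """Return [(timestamp, kind, ip)] for the sshd lines we classify.
    syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse "Aug  9" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        for kind, rx in EVENT_RES.items():
            e = rx.match(m["msg"])
            if e:
                events.append((ts, kind, e["ip"]))
                break
    return events


def classify_sources(events, min_closed=5, max_jitter=10.0, brute_threshold=3):
    """Per-source summary with a label (thresholds are assumptions):
    periodic-probe: >= min_closed bare closes, never any auth attempt, and
                    the spacing between closes is regular (pstdev <= max_jitter s);
    brute-force:    >= brute_threshold failed authentications;
    other:          everything else (normal logins, one-off scans)."""
    by_ip = defaultdict(lambda: {"closed": [], "failed": 0, "accepted": 0})
    for ts, kind, ip in events:
        if kind == "closed":
            by_ip[ip]["closed"].append(ts)
        else:
            by_ip[ip][kind] += 1
    report = {}
    for ip, d in by_ip.items():
        closes = sorted(d["closed"])
        gaps = [(b - a).total_seconds() for a, b in zip(closes, closes[1:])]
        s = {"closed": len(closes), "failed": d["failed"], "accepted": d["accepted"],
             "mean_gap": round(mean(gaps), 1) if gaps else None,
             "jitter": round(pstdev(gaps), 1) if gaps else None}
        if d["failed"] >= brute_threshold:
            s["label"] = "brute-force"
        elif (len(closes) >= min_closed and d["failed"] == 0 and d["accepted"] == 0
              and s["jitter"] is not None and s["jitter"] <= max_jitter):
            s["label"] = "periodic-probe"
        else:
            s["label"] = "other"
        report[ip] = s
    return report


# RFC 4253 s4.2: "SSH-protoversion-softwareversion SP comments"
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_ssh_banner(banner):
    """Split an SSH identification string into its parts. protoversion 1.99
    means the server speaks SSH-2 but still accepts SSH-1 clients; any
    1.x value is a finding in itself, independent of the software version."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    software, _, version = m["software"].partition("_")
    return {"proto": m["proto"], "software": software, "version": version,
            "accepts_ssh1": m["proto"].startswith("1"), "comments": m["comments"]}


if __name__ == "__main__":
    for ip, s in classify_sources(parse_authlog(SAMPLE_AUTHLOG)).items():
        print(f"{ip:16} {s['label']:15} closed={s['closed']} failed={s['failed']} "
              f"accepted={s['accepted']} mean_gap={s['mean_gap']} jitter={s['jitter']}")
    print(parse_ssh_banner("SSH-1.99-OpenSSH_3.9"))
```

On the constructed sample the probe address comes out with six closes about 62 s apart and no authentication at all, which is the signature of something that opens the TCP port and hangs up before the SSH handshake (a monitor, a scanner's liveness check, or a broken client), whereas the brute-forcer is visible from its "Failed password" lines alone. Run it against a real `/var/log/authlog` by reading the file into `parse_authlog` with the right year; on the banner side, the 1.99 protocol version is worth flagging even before looking up the OpenSSH release.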