Re: Have I been hacked?
On Thu 08 Jan 2015 at 22:53:45 +0200, Danny wrote:
> However, as soon as my network was up and running I got attacked ...
> here is an excerpt of one of the fail2ban mails ...
>
> ###################################################################################################
> The IP 204.12.241.227 has just been banned by Fail2Ban after
> 3 attempts against ssh.
>
> Jan 8 04:23:15 fever sshd[17406]: Connection from 204.12.241.227 port 38090 on 10.0.0.5 port 22
> Jan 8 04:23:17 fever sshd[17406]: Invalid user zhangyan from 204.12.241.227
> Jan 8 04:23:17 fever sshd[17406]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227
> Jan 8 04:23:20 fever sshd[17406]: Failed password for invalid user zhangyan from 204.12.241.227 port 38090 ssh2
> Jan 8 04:23:20 fever sshd[17406]: Received disconnect from 204.12.241.227: 11: Bye Bye [preauth]
> Jan 8 04:23:20 fever sshd[17408]: Connection from 204.12.241.227 port 39800 on 10.0.0.5 port 22
> Jan 8 04:23:22 fever sshd[17408]: Invalid user dff from 204.12.241.227
> Jan 8 04:23:23 fever sshd[17408]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227
> Jan 8 04:23:24 fever sshd[17408]: Failed password for invalid user dff from 204.12.241.227 port 39800 ssh2
> ###################################################################################################
>
> What is interesting to me is the user in the above excerpt "zhangyan" ...
> By using a username that is unfamiliar to the western world tells me that
> whatever is on my system had to respond to this username otherwise why would
> this guy use a username that only he is familiar with ... Other usernames that
> were used: 3D, ssht and ftfl ... Also, attempts were made from China, Hong Kong,
> Belgium and Canada ...
You have completely failed to understand what fail2ban is telling you.
> Anyway, I have decided to get new hardware and do a clean install of everything
> ... as many of you have suggested ...
It was heading that way so it is probably best for you.
> However, as I fly a lot internationally, is there a way I can temporarily block
> these countries' IPs for a few days at most until I have enough time on
> hand to do a fresh install ...
What has flying got to do with it?
> Currently my iptables looks like this ...
If you have resorted to using iptables you have lost it. A standard
Debian install doesn't need it.
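As an added illustration of what the fail2ban mail quoted above is actually reporting (this is example code, not part of the thread): each "Failed password for invalid user ..." line is sshd rejecting a login for an account that does not exist on the host, so the usernames say nothing about what is on the system. Fail2ban simply counts such rejections per source address and bans the source once the count reaches its threshold (the mail says 3). The script below does the same counting over constructed log lines in the same syslog format; the addresses are documentation-range placeholders, and `maxretry` is an assumed parameter name chosen to match fail2ban's setting.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same format as the sshd output quoted in the
# fail2ban mail above. Addresses are documentation-range placeholders, not the
# ones from the thread.
SAMPLE_LOG = """\
Jan 8 04:23:15 fever sshd[17406]: Connection from 192.0.2.10 port 38090 on 10.0.0.5 port 22
Jan 8 04:23:17 fever sshd[17406]: Invalid user zhangyan from 192.0.2.10
Jan 8 04:23:20 fever sshd[17406]: Failed password for invalid user zhangyan from 192.0.2.10 port 38090 ssh2
Jan 8 04:23:24 fever sshd[17408]: Failed password for invalid user dff from 192.0.2.10 port 39800 ssh2
Jan 8 04:23:30 fever sshd[17410]: Failed password for invalid user admin from 192.0.2.10 port 40100 ssh2
Jan 8 04:25:01 fever sshd[17420]: Failed password for root from 198.51.100.7 port 51000 ssh2
Jan 8 04:26:12 fever sshd[17430]: Accepted publickey for alice from 203.0.113.9 port 50022 ssh2
"""

# Matches both "Failed password for invalid user NAME from IP" (account does not
# exist) and "Failed password for NAME from IP" (account exists, wrong password).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def count_failures(log_text):
    """Return {source_ip: [usernames tried]} for every rejected password login."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
    return dict(failures)


def sources_to_ban(log_text, maxretry=3):
    """Source IPs with at least `maxretry` rejections, the way fail2ban decides
    which address to ban (assumed parameter name, mirroring fail2ban's setting)."""
    return sorted(
        ip for ip, users in count_failures(log_text).items() if len(users) >= maxretry
    )


if __name__ == "__main__":
    for ip, users in count_failures(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} failed attempts, usernames tried: {users}")
    print("would ban:", sources_to_ban(SAMPLE_LOG))
```

Only rejected logins are counted; the successful `Accepted publickey` line never appears in the tally, which is the distinction the reply is making: a ban notice is a record of attempts that failed, not evidence of a compromise.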