
Re: Have I been hacked?



On Thu 08 Jan 2015 at 22:53:45 +0200, Danny wrote:

> However, as soon as my network was up and running I got attacked ...
> here is an excerpt of one of the fail2ban mails ...
> 
> ###################################################################################################
> The IP 204.12.241.227 has just been banned by Fail2Ban after
> 3 attempts against ssh.
> 
> Jan  8 04:23:15 fever sshd[17406]: Connection from 204.12.241.227 port 38090 on 10.0.0.5 port 22
> Jan  8 04:23:17 fever sshd[17406]: Invalid user zhangyan from 204.12.241.227
> Jan  8 04:23:17 fever sshd[17406]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227 
> Jan  8 04:23:20 fever sshd[17406]: Failed password for invalid user zhangyan from 204.12.241.227 port 38090 ssh2
> Jan  8 04:23:20 fever sshd[17406]: Received disconnect from 204.12.241.227: 11: Bye Bye [preauth]
> Jan  8 04:23:20 fever sshd[17408]: Connection from 204.12.241.227 port 39800 on 10.0.0.5 port 22
> Jan  8 04:23:22 fever sshd[17408]: Invalid user dff from 204.12.241.227
> Jan  8 04:23:23 fever sshd[17408]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227 
> Jan  8 04:23:24 fever sshd[17408]: Failed password for invalid user dff from 204.12.241.227 port 39800 ssh2
> ###################################################################################################
> 
> What is interesting to me is the user in the above excerpt "zhangyan" ...
> By using a username that is unfamiliar to the western world tells me that
> whatever is on my system had to respond to this username otherwise why would
> this guy use a username that only he is familiar with ... Other usernames that
> were used: 3D, ssht and ftfl ... Also, attempts were made from China, Hong Kong,
> Belgium and Canada ...

You have completely failed to understand what fail2ban is telling you.

> Anyway, I have decided to get new hardware and do a clean install of everything
> ... as many of you have suggested ...

It was heading that way so it is probably best for you.

> However, as I fly a lot internationally, is there a way I can temporarily block
> these countries' IPs for a few days at most until I have enough time on
> hand to do a fresh install ...

What has flying got to do with it?

> Currently my iptables looks like this ...

If you have resorted to using iptables you have lost it. A standard
Debian install doesn't need it.
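What the quoted fail2ban mail is actually reporting is a per-source-IP count of failed sshd authentications: the sshd jail counts "Failed password" lines per rhost and bans the address once it reaches maxretry (3 in this report). The following script is an added example, not fail2ban's code and not from the thread; it parses the sshd lines quoted above plus one constructed line (marked in the code) so that the count crosses the threshold, and shows that every attempt was against an "Invalid user", that is, a username sshd could not find on the box at all. The function names and the maxretry default are assumptions for illustration.

```python
import re
from collections import defaultdict

# Log lines as quoted in the thread, plus one CONSTRUCTED line at the end
# (username "3D" is one the poster listed) so the excerpt reaches three
# failed attempts, which is what the fail2ban mail reported.
SAMPLE_LOG = """\
Jan  8 04:23:15 fever sshd[17406]: Connection from 204.12.241.227 port 38090 on 10.0.0.5 port 22
Jan  8 04:23:17 fever sshd[17406]: Invalid user zhangyan from 204.12.241.227
Jan  8 04:23:17 fever sshd[17406]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227
Jan  8 04:23:20 fever sshd[17406]: Failed password for invalid user zhangyan from 204.12.241.227 port 38090 ssh2
Jan  8 04:23:20 fever sshd[17406]: Received disconnect from 204.12.241.227: 11: Bye Bye [preauth]
Jan  8 04:23:20 fever sshd[17408]: Connection from 204.12.241.227 port 39800 on 10.0.0.5 port 22
Jan  8 04:23:22 fever sshd[17408]: Invalid user dff from 204.12.241.227
Jan  8 04:23:23 fever sshd[17408]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227
Jan  8 04:23:24 fever sshd[17408]: Failed password for invalid user dff from 204.12.241.227 port 39800 ssh2
Jan  8 04:23:28 fever sshd[17410]: Failed password for invalid user 3D from 204.12.241.227 port 40211 ssh2
"""

# One regex for the sshd failure line. "invalid user " is present only when
# the account does not exist locally, so the optional group doubles as the
# "this name is not on the system" signal.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Yield (ip, user, is_invalid_user) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("invalid") is not None


def ban_decisions(log_text, maxretry=3):
    """Mimic the counting part of a fail2ban sshd jail (hypothetical helper).

    Returns {ip: {"attempts", "invalid_user_attempts", "users", "banned"}}.
    The real jail also limits counting to a findtime window; that is left
    out here because the sample lines all fall within a few seconds.
    """
    attempts = defaultdict(int)
    invalid = defaultdict(int)
    users = defaultdict(set)
    for ip, user, is_invalid in parse_failures(log_text):
        attempts[ip] += 1
        users[ip].add(user)
        if is_invalid:
            invalid[ip] += 1
    return {
        ip: {
            "attempts": attempts[ip],
            "invalid_user_attempts": invalid[ip],
            "users": sorted(users[ip]),
            "banned": attempts[ip] >= maxretry,
        }
        for ip in attempts
    }


if __name__ == "__main__":
    for ip, info in ban_decisions(SAMPLE_LOG).items():
        verdict = "BAN" if info["banned"] else "watch"
        print(f"{ip}: {info['attempts']} failures, "
              f"{info['invalid_user_attempts']} against non-existent users "
              f"{info['users']} -> {verdict}")
```

Running it on the excerpt gives one source address with three failures, all three against usernames that do not exist on the host; that is the signature of an automated dictionary scan, not of something on the machine "responding" to the name. An existing local account would show up as a plain "Failed password for <user>" line with no "invalid user" prefix, and that, together with a later "Accepted password" for the same account, is the line worth grepping for when asking whether a login actually succeeded.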
