multiple attempts to login via telnet from multiple IP's ... new worm?

From: netnerd (nkavat_private)
Date: Tue Nov 06 2001 - 02:36:31 PST

    small bit from /var/log/messages:
    
    
    Nov  6 19:57:45 blue login[31450]: FAILED LOGIN 3 FROM 193.123.219.X FOR 
    iris, User not known to the underlying authentication module
    Nov  6 19:57:47 blue PAM_pwdb[31450]: check pass; user unknown
    Nov  6 19:57:48 blue login[31450]: FAILED LOGIN SESSION FROM 193.123.219.X 
    FOR gerd, User not known to the underlying authentication module
    Nov  6 19:57:53 blue telnetd[31452]: ttloop: peer died: EOF
    Nov  6 19:57:53 blue inetd[497]: pid 31452: exit status 1
    Nov  6 19:58:01 blue PAM_pwdb[31454]: check pass; user unknown
    Nov  6 19:58:03 blue login[31454]: FAILED LOGIN 1 FROM 
    X.dsl.lsan03.pacbell.net FOR alok, User not known to the underlying 
    authentication module
    Nov  6 19:58:05 blue PAM_pwdb[31454]: check pass; user unknown
    Nov  6 19:58:06 blue login[31454]: FAILED LOGIN 2 FROM 
    X.dsl.lsan03.pacbell.net FOR demo, User not known to the underlying 
    authentication module
    Nov  6 19:58:08 blue PAM_pwdb[31454]: check pass; user unknown
    Nov  6 19:58:09 blue login[31454]: FAILED LOGIN 3 FROM 
    X.dsl.lsan03.pacbell.net FOR isel, User not known to the underlying 
    authentication module
    Nov  6 19:58:11 blue PAM_pwdb[31454]: check pass; user unknown
    Nov  6 19:58:12 blue login[31454]: FAILED LOGIN SESSION FROM 
    X.lsan03.pacbell.net FOR hong, User not known to the underlying 
    authentication module
    Nov  6 19:58:20 blue PAM_pwdb[31456]: check pass; user unknown
    Nov  6 19:58:21 blue login[31456]: FAILED LOGIN 1 FROM X.mw.mediaone.net 
    FOR dawit, User not known to the underlying authentication module
    Nov  6 19:58:23 blue PAM_pwdb[31456]: check pass; user unknown
    Nov  6 19:58:24 blue login[31456]: FAILED LOGIN 2 FROM X.mw.mediaone.net 
    FOR efram, User not known to the underlying authentication module
    Nov  6 19:58:26 blue PAM_pwdb[31456]: check pass; user unknown
    Nov  6 19:58:27 blue login[31456]: FAILED LOGIN 3 FROM X.mw.mediaone.net 
    FOR daffy, User not known to the underlying authentication module
    Nov  6 19:58:30 blue PAM_pwdb[31456]: check pass; user unknown
    Nov  6 19:58:31 blue login[31456]: FAILED LOGIN SESSION FROM 
    X.mw.mediaone.net FOR edsel, User not known to the underlying 
    authentication module
    Nov  6 19:59:00 blue PAM_pwdb[31459]: check pass; user unknown
    Nov  6 19:59:01 blue login[31459]: FAILED LOGIN 1 FROM X.aps.pl FOR craig, 
    User not known to the underlying authentication module
    Nov  6 19:59:07 blue PAM_pwdb[31459]: check pass; user unknown
    Nov  6 19:59:08 blue login[31459]: FAILED LOGIN 2 FROM X.aps.pl FOR darin, 
    User not known to the underlying authentication module
    
    
    Login attempts are about 10 mins apart from each site.. might I say, I've 
    probably been hit by about 50-60 different IPs.
    Of course, I have killed telnetd & am relying on ssh.
    Is this a worm/virus? Or have I pissed someone off???
    Any suggestions, help, comments welcome.
    Nick
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
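
One way to triage a log like the excerpt in the message above, as an added example that is not part of the original post: it rejoins mail-wrapped syslog entries, extracts the `login[...]: FAILED LOGIN` records, and totals them per source. The function names, the placeholder hosts, the final `root` line and the assumed year are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the excerpt above. Hosts are placeholders,
# the second entry is wrapped as in the mail, and the last line is invented.
SAMPLE = """\
Nov  6 19:57:45 blue login[31450]: FAILED LOGIN 3 FROM 192.0.2.10 FOR iris, User not known to the underlying authentication module
Nov  6 19:58:03 blue login[31454]: FAILED LOGIN 1 FROM
a.example.net FOR alok, User not known to the underlying
authentication module
Nov  6 19:58:05 blue PAM_pwdb[31454]: check pass; user unknown
Nov  6 19:58:06 blue login[31454]: FAILED LOGIN 2 FROM a.example.net FOR demo, User not known to the underlying authentication module
Nov  6 19:58:21 blue login[31456]: FAILED LOGIN 1 FROM b.example.org FOR dawit, User not known to the underlying authentication module
Nov  6 20:08:02 blue login[31470]: FAILED LOGIN 1 FROM a.example.net FOR root, Authentication failure
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
FAILED = re.compile(r"^(?P<ts>\w{3} [ \d]\d [\d:]{8}) \S+ login\[\d+\]: FAILED LOGIN "
                    r"(?:\d+|SESSION) FROM (?P<src>\S+) FOR (?P<user>[^,]+), (?P<why>.*)$")

def unwrap(text):  # a line with no syslog timestamp continues the previous entry
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if line and (STAMP.match(line) or not entries):
            entries.append(line)
        elif line:
            entries[-1] += " " + line
    return entries

def summarise(text, year=2001):  # syslog lines carry no year; `year` is an assumption
    stats = defaultdict(lambda: {"attempts": 0, "unknown": 0, "users": set(), "times": []})
    for m in filter(None, map(FAILED.match, unwrap(text))):
        s = stats[m["src"]]
        s["attempts"] += 1
        s["unknown"] += m["why"].startswith("User not known")
        s["users"].add(m["user"])
        s["times"].append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return dict(stats)

def report(text):
    # unknown_user counts guesses at names that do not exist on the host
    stats = summarise(text)
    return {
        "sources": len(stats),
        "attempts": sum(s["attempts"] for s in stats.values()),
        "unknown_user": sum(s["unknown"] for s in stats.values()),
        "names_tried": len(set().union(*(s["users"] for s in stats.values()))),
        "span_seconds": {src: (max(s["times"]) - min(s["times"])).total_seconds() for src, s in stats.items()},
    }
```

Calling `report(SAMPLE)` gives the number of sources, total failures, how many were for nonexistent users, how many distinct names were tried, and the time between first and last attempt per source.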
    


