I got these just now, from OpenSSH_3.0.2p1 Debian 1:3.0.2p1-8. There is no user smw on my system, and there never has been. It doesn't look like there was a compromise. Otherwise, it looks like someone connecting to the wrong IP address, but I have not seen this PAM error before. Has anyone else seen this kind of activity? I am aware of the recent OpenSSH advisory (1:3.0.2p1-8 includes the patch), but this doesn't appear to be related, as the activity is before the (failed) authentication.

Mar 7 21:50:22 mizar sshd[15396]: PAM pam_set_item: NULL pam handle passed
Mar 7 21:50:22 mizar sshd[15396]: Failed rsa for illegal user smw from 132.205.121.51 port 64707
Mar 7 21:50:22 mizar sshd[15396]: Connection closed by 132.205.121.51
Mar 7 21:50:41 mizar sshd[15397]: PAM pam_set_item: NULL pam handle passed
Mar 7 21:50:41 mizar sshd[15397]: Failed rsa for illegal user smw from 132.205.121.51 port 64709
Mar 7 21:50:41 mizar sshd[15397]: Connection closed by 132.205.121.51
Mar 7 21:52:57 mizar sshd[15399]: PAM pam_set_item: NULL pam handle passed
Mar 7 21:52:57 mizar sshd[15399]: Failed rsa for illegal user smw from 132.205.121.51 port 64711
Mar 7 21:53:10 mizar sshd[15399]: Connection closed by 132.205.121.51

--
 - mdz

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Mar 08 2002 - 15:26:20 PST