Invalid Login Attempts


I just installed the Common Problems plugin and was alerted to a "possible hack attempt". I checked my logs and saw many entries similar to what follows.

 

For clarity, the only port I have forwarded is one port to my qbittorrent docker and the server is not in the dmz. It appears that all of the connection attempts are from my own router. I am concerned if this is the case that my router was compromised. I did not have remote administration setup on the router's gui except for access through Netgear's app with their account through their cloud service. I use a long, randomly generated password for that account. I factory reset my router once I noticed this situation but in my haste did not check to see if any logs were available that could indicate a breach.

 

The entirety of the logs happened within about one minute. Also of note is that I was installing a new hard drive that day so my server was rebooted and I do not have logs from before this. 

 

Can anyone help me understand these log entries? 

 

Jul 17 18:12:10 Morioh sshd[9019]: Failed none for invalid user  from 192.168.1.1 port 60484 ssh2
Jul 17 18:12:10 Morioh sshd[9024]: Invalid user 666666 from 192.168.1.1 port 60485
Jul 17 18:12:10 Morioh sshd[9024]: error: Could not get shadow information for NOUSER
Jul 17 18:12:10 Morioh sshd[9024]: Failed none for invalid user 666666 from 192.168.1.1 port 60485 ssh2
Jul 17 18:12:10 Morioh sshd[9019]: Failed password for invalid user  from 192.168.1.1 port 60484 ssh2
Jul 17 18:12:10 Morioh sshd[9024]: Failed password for invalid user 666666 from 192.168.1.1 port 60485 ssh2
Jul 17 18:12:10 Morioh sshd[9033]: Failed password for root from 192.168.1.1 port 60487 ssh2
Jul 17 18:12:10 Morioh sshd[9037]: Failed password for root from 192.168.1.1 port 60488 ssh2
Jul 17 18:12:10 Morioh sshd[9017]: Connection closed by invalid user  192.168.1.1 port 60483 [preauth]
Jul 17 18:12:10 Morioh sshd[9019]: Connection closed by invalid user  192.168.1.1 port 60484 [preauth]
Jul 17 18:12:10 Morioh sshd[9024]: Connection closed by invalid user 666666 192.168.1.1 port 60485 [preauth]
Jul 17 18:12:10 Morioh sshd[9033]: Connection closed by authenticating user root 192.168.1.1 port 60487 [preauth]
Jul 17 18:12:10 Morioh sshd[9037]: Connection closed by authenticating user root 192.168.1.1 port 60488 [preauth]
Jul 17 18:12:10 Morioh sshd[9141]: Invalid user ubnt from 192.168.1.1 port 60490
Jul 17 18:12:10 Morioh sshd[9141]: error: Could not get shadow information for NOUSER
Jul 17 18:12:10 Morioh sshd[9141]: Failed none for invalid user ubnt from 192.168.1.1 port 60490 ssh2
Jul 17 18:12:10 Morioh sshd[9162]: Invalid user  from 192.168.1.1 port 60492
Jul 17 18:12:10 Morioh sshd[9141]: Failed password for invalid user ubnt from 192.168.1.1 port 60490 ssh2
Jul 17 18:12:10 Morioh sshd[9162]: error: Could not get shadow information for NOUSER
Jul 17 18:12:10 Morioh sshd[9162]: Failed none for invalid user  from 192.168.1.1 port 60492 ssh2
Jul 17 18:12:10 Morioh sshd[9162]: Failed password for invalid user  from 192.168.1.1 port 60492 ssh2
Jul 17 18:12:10 Morioh sshd[9168]: Invalid user 888888 from 192.168.1.1 port 60494
Jul 17 18:12:10 Morioh sshd[9168]: error: Could not get shadow information for NOUSER
Jul 17 18:12:10 Morioh sshd[9159]: Invalid user  from 192.168.1.1 port 60491
Jul 17 18:12:10 Morioh sshd[9159]: error: Could not get shadow information for NOUSER
Jul 17 18:12:10 Morioh sshd[9168]: Failed none for invalid user 888888 from 192.168.1.1 port 60494 ssh2
Jul 17 18:12:10 Morioh sshd[9159]: Failed none for invalid user  from 192.168.1.1 port 60491 ssh2
Jul 17 18:12:10 Morioh sshd[9168]: Failed password for invalid user 888888 from 192.168.1.1 port 60494 ssh2
Jul 17 18:12:10 Morioh sshd[9159]: Failed password for invalid user  from 192.168.1.1 port 60491 ssh2
Jul 17 18:12:10 Morioh sshd[9167]: Invalid user  from 192.168.1.1 port 60493
Jul 17 18:12:10 Morioh sshd[9167]: error: Could not get shadow information for NOUSER
Jul 17 18:12:10 Morioh sshd[9167]: Failed none for invalid user  from 192.168.1.1 port 60493 ssh2
Jul 17 18:12:10 Morioh sshd[9167]: Failed password for invalid user  from 192.168.1.1 port 60493 ssh2
Jul 17 18:12:10 Morioh sshd[9141]: Connection closed by invalid user ubnt 192.168.1.1 port 60490 [preauth]
Jul 17 18:12:10 Morioh sshd[9159]: Connection closed by invalid user  192.168.1.1 port 60491 [preauth]
Jul 17 18:12:10 Morioh sshd[9167]: Connection closed by invalid user  192.168.1.1 port 60493 [preauth]
Jul 17 18:12:10 Morioh sshd[9162]: Connection closed by invalid user  192.168.1.1 port 60492 [preauth]
Jul 17 18:12:10 Morioh sshd[9168]: Connection closed by invalid user 888888 192.168.1.1 port 60494 [preauth]
Jul 17 18:12:10 Morioh in.telnetd[9308]: connect from 192.168.1.1 (192.168.1.1)
Jul 17 18:12:11 Morioh sshd[9303]: Invalid user admin from 192.168.1.1 port 60497
Jul 17 18:12:11 Morioh sshd[9303]: error: Could not get shadow information for NOUSER
Jul 17 18:12:11 Morioh sshd[9303]: Failed none for invalid user admin from 192.168.1.1 port 60497 ssh2
Jul 17 18:12:11 Morioh sshd[9303]: Failed password for invalid user admin from 192.168.1.1 port 60497 ssh2
Jul 17 18:12:11 Morioh sshd[9298]: Failed password for root from 192.168.1.1 port 60495 ssh2
Jul 17 18:12:11 Morioh sshd[9302]: Failed password for root from 192.168.1.1 port 60496 ssh2
Jul 17 18:12:11 Morioh in.telnetd[9390]: connect from 192.168.1.1 (192.168.1.1)
Jul 17 18:12:11 Morioh sshd[9298]: Connection closed by authenticating user root 192.168.1.1 port 60495 [preauth]
Jul 17 18:12:11 Morioh sshd[9302]: Connection closed by authenticating user root 192.168.1.1 port 60496 [preauth]
Jul 17 18:12:11 Morioh sshd[9303]: Connection closed by invalid user admin 192.168.1.1 port 60497 [preauth]
Jul 17 18:12:11 Morioh sshd[9418]: Invalid user  from 192.168.1.1 port 60501
Jul 17 18:12:11 Morioh sshd[9418]: error: Could not get shadow information for NOUSER
Jul 17 18:12:11 Morioh sshd[9418]: Failed none for invalid user  from 192.168.1.1 port 60501 ssh2
Jul 17 18:12:11 Morioh in.telnetd[9438]: connect from 192.168.1.1 (192.168.1.1)
Jul 17 18:12:11 Morioh sshd[9416]: Invalid user  from 192.168.1.1 port 60500
Jul 17 18:12:11 Morioh sshd[9416]: error: Could not get shadow information for NOUSER
Jul 17 18:12:11 Morioh sshd[9421]: Invalid user  from 192.168.1.1 port 60502
Jul 17 18:12:11 Morioh sshd[9421]: error: Could not get shadow information for NOUSER
Jul 17 18:12:11 Morioh sshd[9418]: Failed password for invalid user  from 192.168.1.1 port 60501 ssh2
Jul 17 18:12:11 Morioh sshd[9416]: Failed none for invalid user  from 192.168.1.1 port 60500 ssh2
Jul 17 18:12:11 Morioh sshd[9421]: Failed none for invalid user  from 192.168.1.1 port 60502 ssh2
Jul 17 18:12:11 Morioh sshd[9416]: Failed password for invalid user  from 192.168.1.1 port 60500 ssh2
Jul 17 18:12:11 Morioh sshd[9421]: Failed password for invalid user  from 192.168.1.1 port 60502 ssh2
Jul 17 18:12:11 Morioh sshd[9416]: Connection closed by invalid user  192.168.1.1 port 60500 [preauth]
Jul 17 18:12:11 Morioh sshd[9418]: Connection closed by invalid user  192.168.1.1 port 60501 [preauth]
Jul 17 18:12:11 Morioh sshd[9421]: Connection closed by invalid user  192.168.1.1 port 60502 [preauth]

 

Do you have a security suite that could possibly be checking for vulnerable devices on your network? I've seen some reports like that somewhere before.

  • Author
6 minutes ago, jonathanm said:

Do you have a security suite that could possibly be checking for vulnerable devices on your network? I've seen some reports like that somewhere before.

That's an interesting point. I had enabled the trial of Netgear's new Netgear Armor suite that runs from the router itself.

 

https://community.netgear.com/t5/NETGEAR-Armor/Check-your-Smart-Home-Devices-For-Vulnerabilities-with-NETGEAR/td-p/1770404

 

This link backs up your idea. 

  • 2 weeks later...

Did you solve your issue? Was Netgear Armor the reason for your log entries?

  • Author

I can't know for sure since I don't have logs from the router. It's the most likely explanation and I'm comfortable with it. That link I posted above shows that Netgear Armor will scan IOT devices on the network for vulnerabilities and this appears to be that exact behavior and the fact that it came from the router's IP makes sense to me.
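A way to triage entries like the ones in this thread, added here as an example and not posted by any participant: it groups sshd password failures and telnet connects by source address, so a one-minute sweep from a LAN address such as the router stands apart from low-volume noise. The function names `summarize` and `triage`, the thresholds, and the fixed year used to parse syslog timestamps are assumptions.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Sample input: a handful of entries in the same format as the log posted in the thread.
SAMPLE = """\
Jul 17 18:12:10 Morioh sshd[9024]: Failed none for invalid user 666666 from 192.168.1.1 port 60485 ssh2
Jul 17 18:12:10 Morioh sshd[9024]: Failed password for invalid user 666666 from 192.168.1.1 port 60485 ssh2
Jul 17 18:12:10 Morioh sshd[9019]: Failed password for invalid user  from 192.168.1.1 port 60484 ssh2
Jul 17 18:12:10 Morioh sshd[9033]: Failed password for root from 192.168.1.1 port 60487 ssh2
Jul 17 18:12:10 Morioh sshd[9141]: Failed password for invalid user ubnt from 192.168.1.1 port 60490 ssh2
Jul 17 18:12:10 Morioh in.telnetd[9308]: connect from 192.168.1.1 (192.168.1.1)
Jul 17 18:12:11 Morioh sshd[9303]: Failed password for invalid user admin from 192.168.1.1 port 60497 ssh2
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ (sshd|in\.telnetd)\[\d+\]: (.*)$")
FAILED = re.compile(r"^Failed (\w+) for (?:invalid user )?(.*?) from (\S+) port \d+")
TELNET = re.compile(r"^connect from (\S+)")

def summarize(text):
    """Per source address: password guesses, usernames tried, telnet connects, timestamps."""
    stats = {}
    for line in text.splitlines():
        m = LINE.match(line)
        hit = m and (FAILED if m.group(2) == "sshd" else TELNET).match(m.group(3))
        if not hit:
            continue
        stamp, daemon = m.group(1), m.group(2)
        src = hit.group(3 if daemon == "sshd" else 1)
        s = stats.setdefault(src, {"guesses": 0, "users": set(), "telnet": 0, "times": []})
        # syslog omits the year; a fixed one is assumed so timestamps can be compared
        s["times"].append(datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S"))
        if daemon == "in.telnetd":
            s["telnet"] += 1
        elif hit.group(1) == "password":  # "Failed none" is only the client's method query
            s["guesses"] += 1
            s["users"].add(hit.group(2) or "<empty>")
    return stats

def triage(stats, min_guesses=5, window_s=60):
    """Label each source; thresholds are illustrative assumptions, not Unraid settings."""
    report = {}
    for src, s in stats.items():
        span = (max(s["times"]) - min(s["times"])).total_seconds()
        burst = s["guesses"] >= min_guesses and span <= window_s
        where = "LAN" if ip_address(src).is_private else "internet"
        kind = ("ssh+telnet sweep" if s["telnet"] else "ssh password burst") if burst else "low volume"
        report[src] = f"{kind} from {where} address ({len(s['users'])} usernames, {span:.0f}s)"
    return report
```

Running `triage(summarize(open("/var/log/syslog").read()))` on a full log gives one line per source address; a sweep labelled as coming from the gateway's LAN address matches the router-side scanner explanation discussed above.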

Archived

This topic is now archived and is closed to further replies.
