Invalid Login Attempts


rangusT


I just installed the Common Problems plugin and was alerted to a "possible hack attempt". I checked my logs and saw many entries similar to what follows.

 

For clarity, the only port I have forwarded is one port to my qbittorrent docker, and the server is not in the DMZ. It appears that all of the connection attempts are from my own router. I am concerned, if this is the case, that my router was compromised. I did not have remote administration set up on the router's GUI, except for access through Netgear's app with their account through their cloud service. I use a long, randomly generated password for that account. I factory reset my router once I noticed this situation, but in my haste did not check to see if any logs were available that could indicate a breach.

 

The entirety of the logs happened within about one minute. Also of note is that I was installing a new hard drive that day so my server was rebooted and I do not have logs from before this. 

 

Can anyone help me understand these log entries? 

 

Jul 17 18:12:10 Morioh sshd[9019]: Failed none for invalid user  from 192.168.1.1 port 60484 ssh2
Jul 17 18:12:10 Morioh sshd[9024]: Invalid user 666666 from 192.168.1.1 port 60485
Jul 17 18:12:10 Morioh sshd[9024]: error: Could not get shadow information for NOUSER
Jul 17 18:12:10 Morioh sshd[9024]: Failed none for invalid user 666666 from 192.168.1.1 port 60485 ssh2
Jul 17 18:12:10 Morioh sshd[9019]: Failed password for invalid user  from 192.168.1.1 port 60484 ssh2
Jul 17 18:12:10 Morioh sshd[9024]: Failed password for invalid user 666666 from 192.168.1.1 port 60485 ssh2
Jul 17 18:12:10 Morioh sshd[9033]: Failed password for root from 192.168.1.1 port 60487 ssh2
Jul 17 18:12:10 Morioh sshd[9037]: Failed password for root from 192.168.1.1 port 60488 ssh2
Jul 17 18:12:10 Morioh sshd[9017]: Connection closed by invalid user  192.168.1.1 port 60483 [preauth]
Jul 17 18:12:10 Morioh sshd[9019]: Connection closed by invalid user  192.168.1.1 port 60484 [preauth]
Jul 17 18:12:10 Morioh sshd[9024]: Connection closed by invalid user 666666 192.168.1.1 port 60485 [preauth]
Jul 17 18:12:10 Morioh sshd[9033]: Connection closed by authenticating user root 192.168.1.1 port 60487 [preauth]
Jul 17 18:12:10 Morioh sshd[9037]: Connection closed by authenticating user root 192.168.1.1 port 60488 [preauth]
Jul 17 18:12:10 Morioh sshd[9141]: Invalid user ubnt from 192.168.1.1 port 60490
Jul 17 18:12:10 Morioh sshd[9141]: error: Could not get shadow information for NOUSER
Jul 17 18:12:10 Morioh sshd[9141]: Failed none for invalid user ubnt from 192.168.1.1 port 60490 ssh2
Jul 17 18:12:10 Morioh sshd[9162]: Invalid user  from 192.168.1.1 port 60492
Jul 17 18:12:10 Morioh sshd[9141]: Failed password for invalid user ubnt from 192.168.1.1 port 60490 ssh2
Jul 17 18:12:10 Morioh sshd[9162]: error: Could not get shadow information for NOUSER
Jul 17 18:12:10 Morioh sshd[9162]: Failed none for invalid user  from 192.168.1.1 port 60492 ssh2
Jul 17 18:12:10 Morioh sshd[9162]: Failed password for invalid user  from 192.168.1.1 port 60492 ssh2
Jul 17 18:12:10 Morioh sshd[9168]: Invalid user 888888 from 192.168.1.1 port 60494
Jul 17 18:12:10 Morioh sshd[9168]: error: Could not get shadow information for NOUSER
Jul 17 18:12:10 Morioh sshd[9159]: Invalid user  from 192.168.1.1 port 60491
Jul 17 18:12:10 Morioh sshd[9159]: error: Could not get shadow information for NOUSER
Jul 17 18:12:10 Morioh sshd[9168]: Failed none for invalid user 888888 from 192.168.1.1 port 60494 ssh2
Jul 17 18:12:10 Morioh sshd[9159]: Failed none for invalid user  from 192.168.1.1 port 60491 ssh2
Jul 17 18:12:10 Morioh sshd[9168]: Failed password for invalid user 888888 from 192.168.1.1 port 60494 ssh2
Jul 17 18:12:10 Morioh sshd[9159]: Failed password for invalid user  from 192.168.1.1 port 60491 ssh2
Jul 17 18:12:10 Morioh sshd[9167]: Invalid user  from 192.168.1.1 port 60493
Jul 17 18:12:10 Morioh sshd[9167]: error: Could not get shadow information for NOUSER
Jul 17 18:12:10 Morioh sshd[9167]: Failed none for invalid user  from 192.168.1.1 port 60493 ssh2
Jul 17 18:12:10 Morioh sshd[9167]: Failed password for invalid user  from 192.168.1.1 port 60493 ssh2
Jul 17 18:12:10 Morioh sshd[9141]: Connection closed by invalid user ubnt 192.168.1.1 port 60490 [preauth]
Jul 17 18:12:10 Morioh sshd[9159]: Connection closed by invalid user  192.168.1.1 port 60491 [preauth]
Jul 17 18:12:10 Morioh sshd[9167]: Connection closed by invalid user  192.168.1.1 port 60493 [preauth]
Jul 17 18:12:10 Morioh sshd[9162]: Connection closed by invalid user  192.168.1.1 port 60492 [preauth]
Jul 17 18:12:10 Morioh sshd[9168]: Connection closed by invalid user 888888 192.168.1.1 port 60494 [preauth]
Jul 17 18:12:10 Morioh in.telnetd[9308]: connect from 192.168.1.1 (192.168.1.1)
Jul 17 18:12:11 Morioh sshd[9303]: Invalid user admin from 192.168.1.1 port 60497
Jul 17 18:12:11 Morioh sshd[9303]: error: Could not get shadow information for NOUSER
Jul 17 18:12:11 Morioh sshd[9303]: Failed none for invalid user admin from 192.168.1.1 port 60497 ssh2
Jul 17 18:12:11 Morioh sshd[9303]: Failed password for invalid user admin from 192.168.1.1 port 60497 ssh2
Jul 17 18:12:11 Morioh sshd[9298]: Failed password for root from 192.168.1.1 port 60495 ssh2
Jul 17 18:12:11 Morioh sshd[9302]: Failed password for root from 192.168.1.1 port 60496 ssh2
Jul 17 18:12:11 Morioh in.telnetd[9390]: connect from 192.168.1.1 (192.168.1.1)
Jul 17 18:12:11 Morioh sshd[9298]: Connection closed by authenticating user root 192.168.1.1 port 60495 [preauth]
Jul 17 18:12:11 Morioh sshd[9302]: Connection closed by authenticating user root 192.168.1.1 port 60496 [preauth]
Jul 17 18:12:11 Morioh sshd[9303]: Connection closed by invalid user admin 192.168.1.1 port 60497 [preauth]
Jul 17 18:12:11 Morioh sshd[9418]: Invalid user  from 192.168.1.1 port 60501
Jul 17 18:12:11 Morioh sshd[9418]: error: Could not get shadow information for NOUSER
Jul 17 18:12:11 Morioh sshd[9418]: Failed none for invalid user  from 192.168.1.1 port 60501 ssh2
Jul 17 18:12:11 Morioh in.telnetd[9438]: connect from 192.168.1.1 (192.168.1.1)
Jul 17 18:12:11 Morioh sshd[9416]: Invalid user  from 192.168.1.1 port 60500
Jul 17 18:12:11 Morioh sshd[9416]: error: Could not get shadow information for NOUSER
Jul 17 18:12:11 Morioh sshd[9421]: Invalid user  from 192.168.1.1 port 60502
Jul 17 18:12:11 Morioh sshd[9421]: error: Could not get shadow information for NOUSER
Jul 17 18:12:11 Morioh sshd[9418]: Failed password for invalid user  from 192.168.1.1 port 60501 ssh2
Jul 17 18:12:11 Morioh sshd[9416]: Failed none for invalid user  from 192.168.1.1 port 60500 ssh2
Jul 17 18:12:11 Morioh sshd[9421]: Failed none for invalid user  from 192.168.1.1 port 60502 ssh2
Jul 17 18:12:11 Morioh sshd[9416]: Failed password for invalid user  from 192.168.1.1 port 60500 ssh2
Jul 17 18:12:11 Morioh sshd[9421]: Failed password for invalid user  from 192.168.1.1 port 60502 ssh2
Jul 17 18:12:11 Morioh sshd[9416]: Connection closed by invalid user  192.168.1.1 port 60500 [preauth]
Jul 17 18:12:11 Morioh sshd[9418]: Connection closed by invalid user  192.168.1.1 port 60501 [preauth]
Jul 17 18:12:11 Morioh sshd[9421]: Connection closed by invalid user  192.168.1.1 port 60502 [preauth]

 

6 minutes ago, jonathanm said:

Do you have a security suite that could possibly be checking for vulnerable devices on your network? I've seen some reports like that somewhere before.

That's an interesting point. I had enabled the trial of Netgear's new Netgear Armor suite that runs from the router itself.

 

https://community.netgear.com/t5/NETGEAR-Armor/Check-your-Smart-Home-Devices-For-Vulnerabilities-with-NETGEAR/td-p/1770404

 

This link backs up your idea. 

  • 2 weeks later...

I can't know for sure since I don't have logs from the router. It's the most likely explanation and I'm comfortable with it. That link I posted above shows that Netgear Armor will scan IoT devices on the network for vulnerabilities, and this appears to be that exact behavior. The fact that it came from the router's IP makes sense to me.

Link to comment
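One way to summarize a burst like the one in the log above by source address, attempted usernames and time span. This is an added example, not part of any post in this thread; the function name and the `min_users` and `window_s` thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Excerpt of the sshd/telnetd lines posted above (hostname and IP as in the post).
SAMPLE_LOG = """\
Jul 17 18:12:10 Morioh sshd[9024]: Invalid user 666666 from 192.168.1.1 port 60485
Jul 17 18:12:10 Morioh sshd[9019]: Failed password for invalid user  from 192.168.1.1 port 60484 ssh2
Jul 17 18:12:10 Morioh sshd[9033]: Failed password for root from 192.168.1.1 port 60487 ssh2
Jul 17 18:12:10 Morioh sshd[9141]: Invalid user ubnt from 192.168.1.1 port 60490
Jul 17 18:12:10 Morioh sshd[9168]: Invalid user 888888 from 192.168.1.1 port 60494
Jul 17 18:12:10 Morioh in.telnetd[9308]: connect from 192.168.1.1 (192.168.1.1)
Jul 17 18:12:11 Morioh sshd[9303]: Failed password for invalid user admin from 192.168.1.1 port 60497 ssh2
Jul 17 18:12:11 Morioh sshd[9298]: Failed password for root from 192.168.1.1 port 60495 ssh2
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ (?P<svc>sshd|in\.telnetd)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SSH_USER = re.compile(r"(?:Invalid user|Failed \w+ for(?: invalid user)?) (?P<user>.*?) from (?P<ip>\S+) port")
TELNET = re.compile(r"connect from (?P<ip>\S+)")

def summarize(log_text, min_users=4, window_s=60):
    """Group login attempts by source IP and flag bursts that look like a scanner."""
    src = defaultdict(lambda: {"users": set(), "sessions": set(), "telnet": 0, "times": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        hit = (SSH_USER if m["svc"] == "sshd" else TELNET).search(m["msg"])
        if not hit:
            continue
        s = src[hit["ip"]]
        # syslog timestamps carry no year; 2000 is a placeholder so deltas can be computed
        s["times"].append(datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S"))
        if m["svc"] == "sshd":
            s["users"].add(hit["user"] or "<empty>")   # blank usernames appear in the post
            s["sessions"].add(m["pid"])                # one sshd child PID per connection
        else:
            s["telnet"] += 1
    report = {}
    for ip, s in src.items():
        span = (max(s["times"]) - min(s["times"])).total_seconds()
        report[ip] = {
            "users": sorted(s["users"]), "ssh_sessions": len(s["sessions"]),
            "telnet_connects": s["telnet"], "span_s": span,
            "on_lan": ipaddress.ip_address(ip).is_private,
            "scanner_like": len(s["users"]) >= min_users and span <= window_s,
        }
    return report
```

A `scanner_like` result with `on_lan` set says the attempts reached the server from a private address in a short burst across many usernames; it does not say which software on that device generated them, which is why logs from the source device matter.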
