Hack attempt
Hi guys,

Need some help: Fix Common Problems has notified me of hacking attempts on two different days (roughly a week apart), 348 attempts on each day. I have a bunch of ports forwarded (letsencrypt, openvpn, plex, organizr etc.) and also a reverse proxy. 22 is closed.

The log for the relevant days is full of similar lines to the below:

Jan  3 08:38:49 MediaCentre sshd[25296]: Invalid user  from 192.168.101.1 port 46341
Jan  3 08:38:49 MediaCentre sshd[25296]: error: Could not get shadow information for NOUSER
Jan  3 08:38:49 MediaCentre sshd[25296]: Failed none for invalid user  from 192.168.101.1 port 46341 ssh2
Jan  3 08:38:49 MediaCentre sshd[25296]: Failed password for invalid user  from 192.168.101.1 port 46341 ssh2
Jan  3 08:38:49 MediaCentre sshd[25296]: Connection closed by invalid user  192.168.101.1 port 46341 [preauth]
Jan  3 08:38:49 MediaCentre sshd[25300]: Invalid user  from 192.168.101.1 port 46345
Jan  3 08:38:49 MediaCentre sshd[25300]: error: Could not get shadow information for NOUSER
Jan  3 08:38:49 MediaCentre sshd[25300]: Failed none for invalid user  from 192.168.101.1 port 46345 ssh2
Jan  3 08:38:49 MediaCentre sshd[25300]: Failed password for invalid user  from 192.168.101.1 port 46345 ssh2
Jan  3 08:38:49 MediaCentre sshd[25301]: Invalid user  from 192.168.101.1 port 46346
Jan  3 08:38:49 MediaCentre sshd[25301]: error: Could not get shadow information for NOUSER
Jan  3 08:38:49 MediaCentre sshd[25301]: Failed none for invalid user  from 192.168.101.1 port 46346 ssh2
Jan  3 08:38:49 MediaCentre sshd[25299]: Invalid user  from 192.168.101.1 port 46344
Jan  3 08:38:49 MediaCentre sshd[25299]: error: Could not get shadow information for NOUSER
Jan  3 08:38:49 MediaCentre sshd[25302]: Invalid user  from 192.168.101.1 port 46347
Jan  3 08:38:49 MediaCentre sshd[25302]: error: Could not get shadow information for NOUSER
Jan  3 08:38:49 MediaCentre sshd[25301]: Failed password for invalid user  from 192.168.101.1 port 46346 ssh2
Jan  3 08:38:49 MediaCentre sshd[25299]: Failed none for invalid user  from 192.168.101.1 port 46344 ssh2
Jan  3 08:38:49 MediaCentre sshd[25302]: Failed none for invalid user  from 192.168.101.1 port 46347 ssh2
Jan  3 08:38:49 MediaCentre sshd[25299]: Failed password for invalid user  from 192.168.101.1 port 46344 ssh2
Jan  3 08:38:49 MediaCentre sshd[25302]: Failed password for invalid user  from 192.168.101.1 port 46347 ssh2
Jan  3 08:38:49 MediaCentre sshd[25298]: Invalid user  from 192.168.101.1 port 46343
Jan  3 08:38:49 MediaCentre sshd[25298]: error: Could not get shadow information for NOUSER
Jan  3 08:38:49 MediaCentre sshd[25298]: Failed none for invalid user  from 192.168.101.1 port 46343 ssh2
Jan  3 08:38:49 MediaCentre sshd[25298]: Failed password for invalid user  from 192.168.101.1 port 46343 ssh2
Jan  3 08:38:49 MediaCentre sshd[25298]: Connection closed by invalid user  192.168.101.1 port 46343 [preauth]
Jan  3 08:38:49 MediaCentre sshd[25299]: Connection closed by invalid user  192.168.101.1 port 46344 [preauth]
Jan  3 08:38:49 MediaCentre sshd[25300]: Connection closed by invalid user  192.168.101.1 port 46345 [preauth]
Jan  3 08:38:49 MediaCentre sshd[25302]: Connection closed by invalid user  192.168.101.1 port 46347 [preauth]
Jan  3 08:38:49 MediaCentre sshd[25301]: Connection closed by invalid user  192.168.101.1 port 46346 [preauth]
Jan  3 08:38:49 MediaCentre sshd[25312]: Accepted none for root from 192.168.101.1 port 46351 ssh2
Jan  3 08:38:49 MediaCentre sshd[25310]: Invalid user pi from 192.168.101.1 port 46349
Jan  3 08:38:49 MediaCentre sshd[25310]: error: Could not get shadow information for NOUSER
Jan  3 08:38:49 MediaCentre sshd[25310]: Failed none for invalid user pi from 192.168.101.1 port 46349 ssh2
Jan  3 08:38:49 MediaCentre sshd[25310]: Failed password for invalid user pi from 192.168.101.1 port 46349 ssh2
Jan  3 08:38:49 MediaCentre sshd[25308]: Invalid user  from 192.168.101.1 port 46348
Jan  3 08:38:49 MediaCentre sshd[25308]: error: Could not get shadow information for NOUSER
Jan  3 08:38:49 MediaCentre sshd[25308]: Failed none for invalid user  from 192.168.101.1 port 46348 ssh2
Jan  3 08:38:49 MediaCentre sshd[25309]: Invalid user admin from 192.168.101.1 port 46350
Jan  3 08:38:49 MediaCentre sshd[25309]: error: Could not get shadow information for NOUSER
Jan  3 08:38:49 MediaCentre sshd[25315]: Invalid user vagrant from 192.168.101.1 port 46352
Jan  3 08:38:49 MediaCentre sshd[25315]: error: Could not get shadow information for NOUSER
Jan  3 08:38:49 MediaCentre sshd[25309]: Failed none for invalid user admin from 192.168.101.1 port 46350 ssh2
Jan  3 08:38:49 MediaCentre sshd[25315]: Failed none for invalid user vagrant from 192.168.101.1 port 46352 ssh2
Jan  3 08:38:49 MediaCentre sshd[25308]: Failed password for invalid user  from 192.168.101.1 port 46348 ssh2
Jan  3 08:38:49 MediaCentre sshd[25315]: Failed password for invalid user vagrant from 192.168.101.1 port 46352 ssh2
Jan  3 08:38:49 MediaCentre sshd[25309]: Failed password for invalid user admin from 192.168.101.1 port 46350 ssh2
Jan  3 08:38:49 MediaCentre sshd[25308]: Connection closed by invalid user  192.168.101.1 port 46348 [preauth]

I'm somewhat confused, as none of these ports are forwarded, so I'm unsure how the attempts are even getting through to the Unraid box. My router is a Netgear Orbi AC3000. Any ideas / similar experiences?

Many thanks!


Not a security kinda guy, but it seems to me that since the originating IP address is (presumably) your router at 192.168.101.1, the user in question has first gained access to your router (hopefully you did change the default password that they ship with) and is now launching attacks from within your router itself.

Probably not a good situation to be in.

1 minute ago, jonathanm said:

Ohhh, @Squid's reply just triggered a lightbulb. I think some of these routers have a security package installed that thinks it's helpful to try to break in to everything in your network, then report if it succeeded.

Check if your router has that sort of security enabled.

Huh. Yeah, I don't think so. Having a piece of electronic equipment that is your first line of defense against hackers, that is actually manufactured and programmed in China, actively trying to hack my network, and that by its very nature also has the ability to transmit its results anywhere in the world.

2 minutes ago, jonathanm said:

@Squid, would it be productive to parse the failed logins and, if they all originate from the gateway IP, warn that the user may have a router-level "security" package that is causing it? Or maybe quantify the number of unique IPs with failed logins? If below some arbitrary number X, general internet exposure is unlikely?

You can set the number of invalid attempts per day allowed (default is 10).

IMO, ignoring, say, an attempt from anything on the local network is a mistake even if it's the router, as the originating IP could itself be compromised.

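As an added illustration of the parse jonathanm proposes (example code, not part of the thread or of the Fix Common Problems plugin): it groups sshd failures by source address, reports how many distinct sources there are and whether they all match the gateway, and also surfaces any "Accepted" line, since the log quoted above contains one ("Accepted none for root") that a triage should never bury under the failures. The sample lines and the external 203.0.113.7 source are constructed.

```python
import re
from collections import Counter
# Constructed sample in the sshd format quoted in the thread, not the poster's full log;
# the last line adds an external source so the unique-source logic is exercised.
SAMPLE_LOG = """\
Jan  3 08:38:49 MediaCentre sshd[25296]: Invalid user  from 192.168.101.1 port 46341
Jan  3 08:38:49 MediaCentre sshd[25296]: Failed none for invalid user  from 192.168.101.1 port 46341 ssh2
Jan  3 08:38:49 MediaCentre sshd[25296]: Failed password for invalid user  from 192.168.101.1 port 46341 ssh2
Jan  3 08:38:49 MediaCentre sshd[25312]: Accepted none for root from 192.168.101.1 port 46351 ssh2
Jan  3 08:38:49 MediaCentre sshd[25310]: Failed password for invalid user pi from 192.168.101.1 port 46349 ssh2
Jan  3 08:38:49 MediaCentre sshd[25309]: Failed password for invalid user admin from 192.168.101.1 port 46350 ssh2
Jan  3 08:39:02 MediaCentre sshd[25400]: Failed password for root from 203.0.113.7 port 51022 ssh2
"""
# "Failed <method> for [invalid user ]<name> from <ip> port <n>"; <name> may be empty,
# which is why the quoted lines show two spaces before "from".
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed (\S+) for (?:invalid user )?(\S*)\s+from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def triage(log_text, gateway_ip, per_day_limit=10):
    """Count failures per source, flag a gateway-only pattern and surface every accepted login."""
    failed, accepted = Counter(), []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            method, _user, ip = m.groups()
            if method != "none":  # "Failed none" precedes the real attempt; don't double count
                failed[ip] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append(m.groups())  # (method, user, ip)
    sources = set(failed)
    only_gateway = bool(sources) and sources == {gateway_ip}
    notes = []
    if only_gateway:
        notes.append("all failures come from the gateway; check the router for a built-in scanner")
    for method, user, ip in accepted:
        notes.append(f"SUCCESSFUL login as {user} from {ip} using '{method}' auth: a real session")
    return {
        "failed_by_ip": dict(failed),
        "unique_sources": len(sources),
        "only_gateway": only_gateway,
        "over_limit": sum(failed.values()) > per_day_limit,  # the plugin's default of 10
        "accepted": accepted,
        "notes": notes,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, "192.168.101.1").items():
        print(f"{key}: {value}")
```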

Sounds like a breach, or a bad port forward.

As someone else mentioned, it sounds like someone is running / has run a shell / SSH brute-forcer script from your router...

I'd recommend checking that "External Access" is disabled and maybe considering a hard reset.

I would recommend making sure the router you are using is not on a known list of exploits (current/working exploits).


192.168.101.1 is indeed my router. Since this I've had two identical episodes again, exactly a week apart. I've now disabled SSH entirely on my Unraid box.

I also checked, and my Orbi already had Netgear's Armor product installed, and it didn't seem to have identified any of these events. I've seen a couple of other people on the forums with similar problems, but no one seems to have figured out the issue. Very confused...

In any case I will probably try a hard reset of the router and see if that solves the issue. Thanks for the help so far all.
