[j-nsp] RE : Strange LOGIN_FAILED message
david.roy at orange-ftgroup.com
david.roy at orange-ftgroup.com
Tue Jul 21 12:35:06 EDT 2009
I think so but I can't see any input TCP sessions by using tcpdump on the box. I will try to put a specific term in my loopback firewall filter to catch the source addresses (if there are) !
thank you
Regards;
David
________________________________
De: Manu Chao [mailto:linux.yahoo at gmail.com]
Date: mar. 21/07/2009 17:20
À: ROY David DTF/DERX
Cc: juniper-nsp at puck.nether.net
Objet : Re: [j-nsp] Strange LOGIN_FAILED message
a bot is trying to access on your box
On Tue, Jul 21, 2009 at 5:10 PM, <david.roy at orange-ftgroup.com> wrote:
Hi all,
I've a lot messages regarding a "user 4" : see after
show log message
Jul 21 16:18:50 myrouter login: LOGIN_PAM_AUTHENTICATION_ERROR: PAM
authentication error for user 4
Jul 21 16:18:50 myrouter login: LOGIN_FAILED: Login failed for user 4
from host
Jul 21 16:24:25 myrouter login: LOGIN_PAM_AUTHENTICATION_ERROR: PAM
authentication error for user 4
Jul 21 16:24:25 myrouter login: LOGIN_FAILED: Login failed for user 4
from host
Jul 21 16:30:00 myrouter login: LOGIN_PAM_AUTHENTICATION_ERROR: PAM
authentication error for user 4
Jul 21 16:30:00 myrouter login: LOGIN_FAILED: Login failed for user 4
from host
Jul 21 16:35:35 myrouter login: LOGIN_PAM_AUTHENTICATION_ERROR: PAM
authentication error for user 4
Jul 21 16:35:35 myrouter login: LOGIN_FAILED: Login failed for user 4
from host
Jul 21 16:41:10 myrouter login: LOGIN_PAM_AUTHENTICATION_ERROR: PAM
authentication error for user 4
Jul 21 16:41:10 myrouter login: LOGIN_FAILED: Login failed for user 4
from host
This message is usually logged when the authentication of a telnet
session failed. But, here I don't have a user named "4". Moreover this
message is periodic : every 5min35s and I don't have information
regarding to the host. Usually we've the IP address :
Jul 21 16:41:10 myrouter login: LOGIN_PAM_AUTHENTICATION_ERROR: PAM
authentication error for user DAVID
Jul 21 16:41:10 myrouter login: LOGIN_FAILED: Login failed for user
DAVID from host 10.10.10.10
I tried to catch the TCP telnet session info, but there is no telnet
session when this message is logged ! So it's seems that it's an
internal process that generates it !
Did you experience this kind of message ?
Thank you
Regards,
David
*********************************
This message and any attachments (the "message") are confidential and intended solely for the addressees.
Any unauthorised use or dissemination is prohibited.
Messages are susceptible to alteration.
France Telecom Group shall not be liable for the message if altered, changed or falsified.
If you are not the intended addressee of this message, please cancel it immediately and inform the sender.
********************************
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
*********************************
This message and any attachments (the "message") are confidential and intended solely for the addressees.
Any unauthorised use or dissemination is prohibited.
Messages are susceptible to alteration.
France Telecom Group shall not be liable for the message if altered, changed or falsified.
If you are not the intended addressee of this message, please cancel it immediately and inform the sender.
********************************
More information about the juniper-nsp
mailing list