I've just noticed that twice a day, something is trying to log in to one of our ClearOS servers via the LAN.
The IP address 192.168.0.47 is that of my own Windows desktop.
The attempts occur between 3 and 4 am, with some random variation introduced. There are usually two attempts, one second apart.
They occur both weekdays and weekends:
> Authentication failure for root via sshd from 192.168.0.47 2018-01-18 16:49:33
> Authentication failure for root via sshd from 192.168.0.47 2018-01-18 16:49:28
> Authentication failure for root via sshd from 192.168.0.47 2018-01-18 03:08:02
> Authentication failure for root via sshd from 192.168.0.47 2018-01-18 03:08:01
> Authentication failure for root via sshd from 192.168.0.47 2018-01-17 03:38:02
> Authentication failure for root via sshd from 192.168.0.47 2018-01-17 03:38:02
> Authentication failure for root via sshd from 192.168.0.47 2018-01-16 03:29:02
> Authentication failure for root via sshd from 192.168.0.47 2018-01-16 03:29:01
> Authentication failure for root via sshd from 192.168.0.47 2018-01-15 03:18:02
> Authentication failure for root via sshd from 192.168.0.47 2018-01-15 03:18:01
> Authentication failure for root via sshd from 192.168.0.47 2018-01-14 03:24:02
> Authentication failure for root via sshd from 192.168.0.47 2018-01-14 03:24:01
> Authentication failure for root via sshd from 192.168.0.47 2018-01-13 03:38:02
> Authentication failure for root via sshd from 192.168.0.47 2018-01-13 03:38:01
> Authentication failure for root via sshd from 192.168.0.47 2018-01-12 03:38:02
> Authentication failure for root via sshd from 192.168.0.47 2018-01-12 03:38:01
> Authentication failure for root via sshd from 192.168.0.47 2018-01-11 03:18:02
> Authentication failure for root via sshd from 192.168.0.47 2018-01-11 03:18:01
> Authentication failure for root via sshd from 192.168.0.47 2018-01-10 03:41:02
> Authentication failure for root via sshd from 192.168.0.47 2018-01-10 03:41:01
They skipped 1/1, but made up for it by trying 5 times on 1/2, at 11 am instead of 3 am:
> Authentication failure for root via sshd from 192.168.0.47 2018-01-02 11:06:04
> Authentication failure for root via sshd from 192.168.0.47 2018-01-02 11:06:03
> Authentication failure for root via sshd from 192.168.0.47 2018-01-02 11:00:46
> Authentication failure for root via sshd from 192.168.0.47 2018-01-02 11:00:40
> Authentication failure for root via sshd from 192.168.0.47 2018-01-02 11:00:35
> Authentication failure for root via sshd from 192.168.0.47 2017-12-31 03:40:02
> Authentication failure for root via sshd from 192.168.0.47 2017-12-31 03:40:02
This has been going on a long time, and I don't see any evidence it's ever succeeded.
Before I conclude I've got a virus on my Windows PC, has anyone ever seen a pattern like this on their server?
What would be the best way to figure out what application is doing this (on either end)?
In the Log Viewer application, I have looked in the "secure" and "system" logs for "root" and am not finding anything corresponding to these entries, which are reported when I click on the ROOT button at the top right of the screen (where you click to log out).
ClearOS 7 Business
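One way to answer "is this a scheduled job or a person?" from the server side, as an added example that is not part of this thread: a small Python analyser that parses the failure lines in the format quoted above, merges attempts a few seconds apart into bursts, and flags a source as scheduled-looking when its bursts recur on several days and mostly start in the same hour. The sample lines are a constructed subset of the ones quoted above; the 10-second burst gap and the thresholds are assumptions of this example, not ClearOS defaults.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample: a subset of the failure lines quoted in the post above.
SAMPLE_LOG = """\
Authentication failure for root via sshd from 192.168.0.47 2018-01-18 16:49:33
Authentication failure for root via sshd from 192.168.0.47 2018-01-18 16:49:28
Authentication failure for root via sshd from 192.168.0.47 2018-01-18 03:08:02
Authentication failure for root via sshd from 192.168.0.47 2018-01-18 03:08:01
Authentication failure for root via sshd from 192.168.0.47 2018-01-17 03:38:02
Authentication failure for root via sshd from 192.168.0.47 2018-01-17 03:38:02
Authentication failure for root via sshd from 192.168.0.47 2018-01-16 03:29:02
Authentication failure for root via sshd from 192.168.0.47 2018-01-16 03:29:01
Authentication failure for root via sshd from 192.168.0.47 2018-01-02 11:06:04
Authentication failure for root via sshd from 192.168.0.47 2018-01-02 11:00:46
"""

LINE_RE = re.compile(r"Authentication failure for (?P<user>\S+) via \S+ from "
                     r"(?P<ip>[\d.]+) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

def parse(text):
    """Return (ip, user, datetime) tuples in chronological order."""
    events = [(m["ip"], m["user"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
              for m in map(LINE_RE.search, text.splitlines()) if m]
    return sorted(events, key=lambda e: e[2])

def bursts(events, gap=timedelta(seconds=10)):
    """Merge consecutive failures from one (ip, user) that fall within `gap` into a burst."""
    out = []
    for ip, user, ts in events:
        last = out[-1] if out else None
        if last and (last["ip"], last["user"]) == (ip, user) and ts - last["end"] <= gap:
            last["end"], last["count"] = ts, last["count"] + 1
        else:
            out.append({"ip": ip, "user": user, "start": ts, "end": ts, "count": 1})
    return out

def summarize(text, min_days=3, min_share=0.5):
    """Per (ip, user): burst count, distinct days, modal start hour, and a flag that is
    set when bursts recur on several days and mostly start in the same hour (assumed thresholds)."""
    groups = {}
    for b in bursts(parse(text)):
        groups.setdefault((b["ip"], b["user"]), []).append(b)
    report = {}
    for key, bs in groups.items():
        hour, n = Counter(b["start"].hour for b in bs).most_common(1)[0]
        days = len({b["start"].date() for b in bs})
        report[key] = {"bursts": len(bs), "days": days, "modal_hour": hour,
                       "looks_scheduled": days >= min_days and n / len(bs) >= min_share}
    return report
```

Run it over the full log instead of the sample: a source flagged here is worth matching against scheduled tasks, backup agents or monitoring software on that LAN host before assuming malware.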
Responses (2)
Accepted Answer
I'm afraid this rings big alarm bells to me! I'd certainly investigate the LAN machine a lot more. I'm afraid I don't know the Windows tool set to investigate this sort of activity, but at least a full anti-virus scan is called for, and perhaps try some of the online scanners from different AV providers.