Hacking attempt, or a screwed-up scheduled setting?

Status
Not open for further replies.

EvanVanVan

Patron
Joined
Feb 1, 2014
Messages
211
I've gotten some security failure emails recently about someone trying to log into my FreeNAS server via SSH. The thing is, I don't even have the SSH service enabled on my server.

For Example:
Code:
May 22 07:16:52 freenas sshd[4366]: Invalid user oot from 192.168.1.11
May 22 07:16:52 freenas sshd[4366]: input_userauth_request: invalid user oot [preauth]
May 22 07:16:54 freenas sshd[4366]: Failed password for invalid user oot from 192.168.1.11 port 49670 ssh2

At first I thought my desktop might have had some sort of trojan or something, because the attempts are from my desktop's LAN IP, 192.168.1.11. The ports have been very strange (high) numbers as well: 52480, 52481, 52625, 49670, and 64714. The user names that are tried vary; some of them exist, some don't, such as "oot."

Out of an abundance of caution I just reformatted my computer. But when I went to make a post in "off-topic" about if anyone thought this was in fact a trojan, I noticed something strange after looking up the security emails in gmail.

When I searched my gmail for the phrase "freenas.local login failures:", I found I've received 6 emails. The first three were from last year, on March 30, 2014, May 23, 2014 and May 24, 2014. The latest three were from this year, but on the same exact dates: March 30, 2015, May 23, 2015 (yesterday) and May 24, 2015 (today). Each corresponding date attempted/failed to log in with the same usernames.

Now I'm less sure if it was a virus of some sort, or just a screwed up setting from some place, that's scheduled to do "something" on March 30th, May 23rd and May 24th.

Any ideas?

Thanks
 

BigDave

FreeNAS Enthusiast
Joined
Oct 6, 2013
Messages
2,479
I'm really far from being an expert; that said, I would consider viewing the logs from your router to see if this came from outside your LAN.
 

EvanVanVan

Patron
Joined
Feb 1, 2014
Messages
211
I'm really far from being an expert; that said, I would consider viewing the logs from your router to see if this came from outside your LAN.
Thanks for the suggestion, I'll look into that just to be sure. For what it's worth, my modem/router combo is the one provided by Verizon for FiOS.

The usual explanation is that you were trying to log in as "root" and biffed the "r".
Yeah, that's possible but doesn't explain the dates thing, and I don't remember biffing the "r" or even trying to log in yesterday. And what's with the weird port #s?

Here are the emails I've gotten on the following dates:

On 3/30/2014 and 3/30/2015:
Code:
freenas.local login failures:
Mar 29 15:49:38 freenas sshd[25187]: Failed password for Admin from 192.168.1.11 port 52480 ssh2
Mar 29 15:55:23 freenas sshd[26203]: Failed password for root from 192.168.1.11 port 52581 ssh2
Mar 29 15:55:24 freenas sshd[26203]: Failed password for root from 192.168.1.11 port 52581 ssh2
Mar 29 16:02:12 freenas sshd[29720]: Invalid user EvanVanVan from 192.168.1.11
Mar 29 16:02:12 freenas sshd[29720]: input_userauth_request: invalid user EvanVanVan [preauth]
Mar 29 16:02:15 freenas sshd[29720]: Failed password for invalid user EvanVanVan from 192.168.1.11 port 52625 ssh2
Mar 29 16:02:18 freenas sshd[29720]: Failed password for invalid user EvanVanVan from 192.168.1.11 port 52625 ssh2


On 5/23/2014 and 5/23/2015:
Code:
freenas.local login failures:
May 22 07:16:52 freenas sshd[4366]: Invalid user oot from 192.168.1.11
May 22 07:16:52 freenas sshd[4366]: input_userauth_request: invalid user oot [preauth]
May 22 07:16:54 freenas sshd[4366]: Failed password for invalid user oot from 192.168.1.11 port 49670 ssh2


On 5/24/2014 and 5/24/2015 (I hid the username for this one, idk why, false sense of security?):
Code:
freenas.local login failures:
May 23 19:18:24 freenas sshd[23016]: Invalid user **** from 192.168.1.11
May 23 19:18:24 freenas sshd[23016]: input_userauth_request: invalid user **** [preauth]
May 23 19:18:27 freenas sshd[23016]: Failed password for invalid user **** from 192.168.1.11 port 64714 ssh2
May 23 19:18:43 freenas sshd[23016]: Disconnecting: Too many authentication failures for **** [preauth]
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
Sir, these are pretty light. And inconsequential. And in my view, at least one of these boxes is you making typos logging in.

Anyone that had their boxes pounded on by h4x0rs knows that you'd have thousands of these, not half a dozen.

I don't think there's any issue. These are LAN IPs, etc., etc., etc. I think this is probably you doing something weird by accident.

And also, the "high port numbers" are normal. The guy doing the connecting (i.e., the "client side") is supposed to be randomly picking a port in the high-numbered range (the so-called "ephemeral ports"). The software does this for you automatically. So typically, when you connect to (say) a web server on port 80, you'll be connecting FROM some ridiculous port like 49112. That's normal.
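The two observations DrKK makes above (a handful of failures from one LAN address versus thousands from a brute-force source, and client-side ephemeral ports) can be checked mechanically. The following is an added example, not code from the thread or from FreeNAS: it parses sshd "Failed password" lines like the ones quoted in this thread (embedded below as a constructed sample), counts failures per source IP, checks that the client ports fall in the IANA dynamic range, and flags invalid usernames that are one keystroke away from a real account, which is the "root" vs "oot" typo hypothesis. The valid-user set and the brute-force threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample: a subset of the failure lines quoted in this thread.
SAMPLE_LOG = """\
Mar 29 15:49:38 freenas sshd[25187]: Failed password for Admin from 192.168.1.11 port 52480 ssh2
Mar 29 15:55:23 freenas sshd[26203]: Failed password for root from 192.168.1.11 port 52581 ssh2
Mar 29 15:55:24 freenas sshd[26203]: Failed password for root from 192.168.1.11 port 52581 ssh2
Mar 29 16:02:12 freenas sshd[29720]: Invalid user EvanVanVan from 192.168.1.11
Mar 29 16:02:15 freenas sshd[29720]: Failed password for invalid user EvanVanVan from 192.168.1.11 port 52625 ssh2
May 22 07:16:54 freenas sshd[4366]: Failed password for invalid user oot from 192.168.1.11 port 49670 ssh2
May 23 19:18:27 freenas sshd[23016]: Failed password for invalid user **** from 192.168.1.11 port 64714 ssh2
"""

# Matches the OpenSSH "Failed password" line; "invalid user " is present only
# when the account does not exist on the server.
FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2"
)

def parse_failures(text):
    """Return one dict per 'Failed password' line; other sshd lines are ignored."""
    out = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            out.append({"user": m["user"], "invalid": bool(m["invalid"]),
                        "ip": m["ip"], "port": int(m["port"])})
    return out

def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot one-keystroke typos of real names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def summarize(text, valid_users, brute_force_threshold=100):
    """Per-source failure counts plus a verdict: 'brute-force' if one IP exceeds
    the (assumed) threshold, else 'sporadic'. Invalid usernames within one edit
    of a valid account are reported as likely typos."""
    fails = parse_failures(text)
    per_ip = Counter(f["ip"] for f in fails)
    likely_typos = sorted({f["user"] for f in fails if f["invalid"]
                           and any(edit_distance(f["user"], v) <= 1 for v in valid_users)})
    ephemeral = all(f["port"] >= 49152 for f in fails)  # IANA dynamic range 49152-65535
    verdict = "brute-force" if any(n >= brute_force_threshold for n in per_ip.values()) else "sporadic"
    return {"failures": len(fails), "per_ip": dict(per_ip), "likely_typos": likely_typos,
            "all_ephemeral_ports": ephemeral, "verdict": verdict}
```

Run `summarize(SAMPLE_LOG, {"root", "Admin"})` to get the verdict for the sample; on a real system feed it the contents of /var/log/auth.log and the accounts that actually exist.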
 

EvanVanVan

Patron
Joined
Feb 1, 2014
Messages
211
OK, thanks for the input. I think you're right and it's just something weird configured by accident on my desktop, I'll see in 10 months or so (3/30/2016) if I've fixed/cleared the problem by reformatting.

Also, interesting about the port numbers, I didn't know that's how they worked for the client side. Thanks again.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Network monitoring or vulnerability assessment software may initiate ssh sessions.

Yeah, but you'd think they'd not have fat-fingered "oot" into the code. Then again, PCs...
 

EvanVanVan

Patron
Joined
Feb 1, 2014
Messages
211
Yeah, lol this is just my home network, with a couple of desktops, my freenas server, a synology nas, and a few mobile devices on it. I don't have any network monitoring or vulnerability assessment stuff running... that I know of anyway.
 

EvanVanVan

Patron
Joined
Feb 1, 2014
Messages
211
Just thinking more about this, does sshd or ssh2 mean anything special? I'm wondering why I got login failures when I had Control Services > SSH set to OFF. Isn't it strange that it's even accepting an ssh connection?

The only services I have turned ON are CIFS, S.M.A.R.T., and UPS.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
sshd should be the SSH server, SSH2 is the current protocol.
 