
#1 2009-04-05 05:54:23

paramahamsa
Member
From: Chennai
Registered: 2008-12-17
Posts: 7

[SOLVED] Strange output of lastb

As far as I can figure out, lastb claims that many users, including "guest", "test", "testbox", "adam", "jack", "marvin", etc. have logged onto my computer over ssh.
This is certainly worrying, since I have never heard of these people and certainly don't have such user accounts on my computer.

I only created one user account, and that is "rishabh".

The whole output of my lastb can be found here: http://pastebin.com/m6e530c40 (it's 3632 lines long).
Some randomly selected lines are as follows:

friends  ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)    
Joshua   ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)    
Joshua   ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)    
Joshua   ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)    
Joshua   ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)    
joshua   ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)    
joshua   ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)    
Nicole   ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)    
Nicole   ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)    
Nicole   ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)    
Nicole   ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)    
nicole   ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)    
nicole   ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)    
pascal   ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)    
pascal   ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)    
pascal   ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)    
pascal   ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
pascal   ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
pascal   ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
Dakota   ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
Dakota   ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
Dakota   ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
Dakota   ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
dakota   ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
dakota   ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
fred     ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
fred     ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
fred     ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
fred     ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
fred     ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
fred     ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
apple    ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
apple    ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
apple    ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
apple    ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
apple    ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
apple    ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)    
buster   ssh:notty    59.10.58.8       Thu Apr  2 20:57 - 20:57  (00:00)    
buster   ssh:notty    59.10.58.8       Thu Apr  2 20:57 - 20:57  (00:00)    
buster   ssh:notty    59.10.58.8       Thu Apr  2 20:57 - 20:57  (00:00)    
buster   ssh:notty    59.10.58.8       Thu Apr  2 20:57 - 20:57  (00:00)    
buster   ssh:notty    59.10.58.8       Thu Apr  2 20:57 - 20:57  (00:00)    
buster   ssh:notty    59.10.58.8       Thu Apr  2 20:57 - 20:57  (00:00)    
ftphome  ssh:notty    59.10.58.8       Thu Apr  2 20:57 - 20:57  (00:00)    
ftphome  ssh:notty    59.10.58.8       Thu Apr  2 20:57 - 20:57  (00:00)    
ftphome  ssh:notty    59.10.58.8       Thu Apr  2 20:57 - 20:57  (00:00)    
ftphome  ssh:notty    59.10.58.8       Thu Apr  2 20:57 - 20:57  (00:00)    
ftphome  ssh:notty    59.10.58.8       Thu Apr  2 20:57 - 20:57  (00:00)    
ftphome  ssh:notty    59.10.58.8       Thu Apr  2 20:57 - 20:57  (00:00)    
quincy   ssh:notty    59.10.58.8       Thu Apr  2 20:57 - 20:57  (00:00)

What does this mean?? Does the default wtmp file contain all these names??

Last edited by paramahamsa (2009-04-05 16:56:44)

Offline

#2 2009-04-05 15:23:04

ataraxia
Member
From: Pittsburgh
Registered: 2007-05-06
Posts: 1,553

Re: [SOLVED] Strange output of lastb

Those are all the names that tried, but FAILED, to log into your machine. All the usual ssh attacks.

If you want to see who actually did log into the machine, use "last" instead.

In my experience, the easiest way to stop the attacks is to change the port sshd listens on to some random big number, and the surest way to make it really secure is to turn off password logins and use keypairs instead.

Offline
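One way to read output like the above, as an added example that is not part of the original thread: it tallies failed ssh rows per source address and checks whether any guessed name matches an account that really exists. The sample input is constructed (the 59.10.58.8 rows are taken from the first post; the 192.0.2.10 rows and the footer are invented), and `local_users` and the `min_names` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the lastb column layout shown in the thread: the
# 59.10.58.8 rows come from the post, the 192.0.2.10 rows and footer are invented.
SAMPLE = """\
friends  ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)
Joshua   ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)
joshua   ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)
Nicole   ssh:notty    59.10.58.8       Thu Apr  2 20:59 - 20:59  (00:00)
pascal   ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)
pascal   ssh:notty    59.10.58.8       Thu Apr  2 20:58 - 20:58  (00:00)
rishabh  ssh:notty    192.0.2.10       Fri Apr  3 09:12 - 09:12  (00:00)
rishabh  ssh:notty    192.0.2.10       Fri Apr  3 09:12 - 09:12  (00:00)

btmp begins Thu Apr  2 20:57:01 2009
"""

# user, line (tty), source host, then the weekday that starts the timestamp
ROW = re.compile(r"^(\S+)\s+(ssh:\S+)\s+(\S+)\s+[A-Z][a-z]{2}\s")

def parse_lastb(text):
    """Yield (user, host) for each failed ssh row; skip the footer and blank lines."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1), m.group(3)

def summarize(text, local_users):
    """Per source host: attempt count, names tried, and which names really exist."""
    stats = defaultdict(lambda: {"attempts": 0, "names": set(), "real": set()})
    for user, host in parse_lastb(text):
        s = stats[host]
        s["attempts"] += 1
        s["names"].add(user)          # case-sensitive: Joshua != joshua
        if user in local_users:
            s["real"].add(user)       # owner's typo or a targeted guess
    return dict(stats)

def classify(s, min_names=4):
    """Heuristic labels; min_names is an arbitrary threshold for this example."""
    if s["real"]:
        return "targets-real-account"
    return "dictionary-scan" if len(s["names"]) >= min_names else "low-volume"

if __name__ == "__main__":
    for host, s in sorted(summarize(SAMPLE, {"rishabh"}).items()):
        print(host, s["attempts"], len(s["names"]), classify(s))
```

Rows labelled `targets-real-account` are the ones worth comparing against `last`, since only there could a guessed name belong to an account that can actually log in.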

#3 2009-04-05 16:39:55

Zariel
Member
Registered: 2008-10-07
Posts: 446

Re: [SOLVED] Strange output of lastb

I have had my ssh server running on a high port for the past 6 months and not even had 1 person attempt to log in; granted, it's running denyhosts and only login via keypair.

Offline

#4 2009-04-05 16:53:45

paramahamsa
Member
From: Chennai
Registered: 2008-12-17
Posts: 7

Re: [SOLVED] Strange output of lastb

ataraxia, Zariel,
Thanks! I didn't know that.
These attacks are by bots, I presume? What do they do, try random names on random IPs?
(edit: by the way, I use denyhosts, too)

Last edited by paramahamsa (2009-04-05 16:59:04)

Offline
