Logs show lots of user attempts from unknown IP
Posted
by
rodling
on Server Fault
See other posts from Server Fault
or by rodling
Published on 2013-11-08T21:07:13Z
Indexed on
2013/11/08
21:57 UTC
Read the original article
Hit count: 186
amazon-web-services
|Cloud
I lost access to my instance which I host on AWS. Keypairing stopped to work. I detached a volume and attached it to a new instance and what I found in logs was a long list of
Nov 6 20:15:32 domU-12-31-39-01-7E-8A sshd[4925]: Invalid user cyrus from 210.193.52.113
Nov 6 20:15:32 domU-12-31-39-01-7E-8A sshd[4925]: input_userauth_request: invalid user cyrus [preauth]
Nov 6 20:15:33 domU-12-31-39-01-7E-8A sshd[4925]: Received disconnect from 210.193.52.113: 11: Bye Bye [preauth]
Where "cyrus" is changed by hundreds if not thousands of common names and items. What could this be? Brute force attack or something else malicious? I traced IP to Singapore, and I have no connection to Singapore.
May thought is that this was a DoS attack since I lost access and server seemed to stop working. Im not to versed on this, but ideas and solutions for this issue are welcome.
© Server Fault or respective owner