Hacked Linode customer?

I manage a Linode for someone else, and based on a finding in one of the daily logwatch reports, I noticed the following in auth.log:

Sep 22 12:09:53 localhost sshd[27408]: Invalid user globus from 97.107.135.77
Sep 22 12:09:53 localhost sshd[27408]: (pam_unix) check pass; user unknown
Sep 22 12:09:53 localhost sshd[27408]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li65-77.members.linode.com
Sep 22 12:09:55 localhost sshd[27408]: Failed password for invalid user globus from 97.107.135.77 port 59198 ssh2
Sep 22 12:11:21 localhost sshd[27410]: Invalid user cadi from 97.107.135.77
Sep 22 12:11:21 localhost sshd[27410]: (pam_unix) check pass; user unknown
Sep 22 12:11:21 localhost sshd[27410]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li65-77.members.linode.com
Sep 22 12:11:22 localhost sshd[27410]: Failed password for invalid user cadi from 97.107.135.77 port 44401 ssh2
Sep 22 12:11:22 localhost sshd[27412]: Invalid user cady from 97.107.135.77
Sep 22 12:11:22 localhost sshd[27412]: (pam_unix) check pass; user unknown
Sep 22 12:11:23 localhost sshd[27412]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li65-77.members.linode.com
Sep 22 12:11:25 localhost sshd[27412]: Failed password for invalid user cady from 97.107.135.77 port 45549 ssh2

To the person who has that IP address: Please check your system for trojans, hackers, etc.

4 Replies

It's highly unlikely that that person will see your post. You should report it to Linode themselves so that they can contact the affected customer and take appropriate action. If you have access to the Linode control panel, you can open a trouble ticket. If not, you can contact [email protected] (I can't find an abuse address, but you might try [email protected] too).

````
[email protected]:~$ whois 97.107.135.77 | grep abuse
RAbuseEmail: abuse@linode.com
OrgAbuseEmail: abuse@linode.com

````

@mwalling:

[email protected]:~$ whois 97.107.135.77 | grep abuse
RAbuseEmail:  [email protected]
OrgAbuseEmail:  [email protected]

I was close to mentioning that but I thought it was a bit obvious. :)

Have a look at fail2ban - scans log for auth failures and automatically blocks the IP address either via iptables or denyhosts.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct