[NBLUG/talk] Am I under attack?
Roger House
rhouse at sonic.net
Wed Jan 28 14:01:26 PST 2015
By chance I noticed that the file .xsession-errors.old in my home directory
(I'm running Ubuntu 12.04) was more than a gigabyte in size. A few
grep's on
the file produced lines like these
28/01/2015 06:27:07 AM rfbAuthPasswordChecked: password check failed
debconf: DbDriver "passwords" warning: could not open
/var/cache/debconf/passwords.dat: Permission denied
There were other ominous looking messages which I can't reproduce at the
moment because apparently each time my system comes up, the current
.xsession-errors.old is deleted, .xsession-errors is renamed to
.xsession-errors.old,
and a new .xsession-errors is started. Anyway, there were thousands of
lines
like the two above, plus others.
Actually, now that I have brought my system up again, here is a sample
of what appears
in .xsession-errors almost immediately:
** (vino-server:2183): WARNING **: Deferring authentication of
'74.208.225.179' for 5 seconds
** (vino-server:2183): WARNING **: VNC authentication failure from
'74.208.225.179'
28/01/2015 06:03:14 AM rfbAuthPasswordChecked: password check failed
28/01/2015 06:03:53 AM [IPv4] Got connection from client
static-164-148-4-96.hardin.tn.ena.net
28/01/2015 06:03:53 AM other clients:
28/01/2015 06:03:53 AM 74.208.225.179
28/01/2015 06:03:53 AM Client Protocol Version 3.3
Do these indicate attempts to break into my system?
A recent change to my system: Last week I installed apache in order to
do local web
development. Can this have led to the above messages? I am new to
apache so I'm
wondering if there are config files which I need to edit to prevent
successful attacks.
Any info will be appreciated.
Roger House
More information about the talk
mailing list