There is an Oracle Linux running inside VirtualBox, which is running on Windows 11 Home.
I need help understanding:
Is there any chance that either of the Linux or , since this clearly looks like a brute-force dictionary attack? But since the IPv6 issue seems to be the router's, could it be that the underlying system has been hacked?
How to mitigate this situation. What could be the entry point, or at least ways to find one. If there could be backdoors, how to find them.
Right after installing Oracle Linux, I find many failed attempts on the root user.
log file path: /var/log/secure
The IP in question is: fe80::e20e:e4ff:fe26:d5a6
Nov 9 18:26:44 OracleLinux polkitd[1038]: Loading rules from directory /etc/polkit-1/rules.d
Nov 9 18:26:44 OracleLinux polkitd[1038]: Loading rules from directory /usr/share/polkit-1/rules.d
Nov 9 18:26:44 OracleLinux polkitd[1038]: Finished loading, compiling and executing 5 rules
Nov 9 18:26:44 OracleLinux polkitd[1038]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Nov 9 18:26:45 OracleLinux unix_chkpwd[1088]: password check failed for user (root)
Nov 9 18:26:45 OracleLinux sshd[1057]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fe80::e20e:e4ff:fe26:d5a6%enp0s8 user=root
Nov 9 18:26:46 OracleLinux unix_chkpwd[1358]: password check failed for user (root)
Nov 9 18:26:46 OracleLinux sshd[1261]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.29.1 user=root
Nov 9 18:26:47 OracleLinux sshd[1057]: Failed password for root from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45545 ssh2
Nov 9 18:27:46 OracleLinux sshd[1261]: Failed password for root from 192.168.29.1 port 43718 ssh2
Nov 9 18:27:47 OracleLinux sshd[1057]: Received disconnect from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45545:11: SSH client disconnected [preauth]
Nov 9 18:27:47 OracleLinux sshd[1057]: Disconnected from authenticating user root fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45545 [preauth]
Nov 9 18:27:47 OracleLinux sshd[1579]: Invalid user admin from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45547
Nov 9 18:27:47 OracleLinux sshd[1579]: pam_unix(sshd:auth): check pass; user unknown
Nov 9 18:27:47 OracleLinux sshd[1579]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fe80::e20e:e4ff:fe26:d5a6%enp0s8
Nov 9 18:27:48 OracleLinux sshd[1261]: Received disconnect from 192.168.29.1 port 43718:11: SSH client disconnected [preauth]
Nov 9 18:27:48 OracleLinux sshd[1261]: Disconnected from authenticating user root 192.168.29.1 port 43718 [preauth]
Nov 9 18:27:48 OracleLinux sshd[1584]: Invalid user admin from 192.168.29.1 port 43720
Nov 9 18:27:48 OracleLinux sshd[1584]: pam_unix(sshd:auth): check pass; user unknown
Nov 9 18:27:48 OracleLinux sshd[1584]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.29.1
Nov 9 18:27:50 OracleLinux sshd[1579]: Failed password for invalid user admin from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45547 ssh2
Nov 9 18:27:51 OracleLinux systemd[1590]: pam_unix(systemd-user:session): session opened for user devoracleuser(uid=1000) by devoracleuser(uid=0)
Nov 9 18:27:51 OracleLinux sshd[1584]: Failed password for invalid user admin from 192.168.29.1 port 43720 ssh2
Nov 9 18:27:51 OracleLinux login[836]: pam_unix(login:session): session opened for user devoracleuser(uid=1000) by devoracleuser(uid=0)
Nov 9 18:27:51 OracleLinux login[836]: LOGIN ON tty1 BY devoracleuser
Nov 9 18:27:51 OracleLinux sshd[1584]: Received disconnect from 192.168.29.1 port 43720:11: SSH client disconnected [preauth]
Nov 9 18:27:51 OracleLinux sshd[1584]: Disconnected from invalid user admin 192.168.29.1 port 43720 [preauth]
Nov 9 18:27:51 OracleLinux unix_chkpwd[1630]: password check failed for user (root)
Nov 9 18:27:51 OracleLinux sshd[1628]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.29.1 user=root
Nov 9 18:27:53 OracleLinux sshd[1579]: Received disconnect from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45547:11: SSH client disconnected [preauth]
Nov 9 18:27:53 OracleLinux sshd[1579]: Disconnected from invalid user admin fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45547 [preauth]
Nov 9 18:27:53 OracleLinux unix_chkpwd[1633]: password check failed for user (root)
Nov 9 18:27:53 OracleLinux sshd[1631]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fe80::e20e:e4ff:fe26:d5a6%enp0s8 user=root
Nov 9 18:27:54 OracleLinux sshd[1628]: Failed password for root from 192.168.29.1 port 43721 ssh2
Nov 9 18:27:55 OracleLinux sshd[1631]: Failed password for root from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45550 ssh2
Nov 9 18:27:56 OracleLinux sshd[1628]: Received disconnect from 192.168.29.1 port 43721:11: SSH client disconnected [preauth]
Nov 9 18:27:56 OracleLinux sshd[1628]: Disconnected from authenticating user root 192.168.29.1 port 43721 [preauth]
Nov 9 18:27:57 OracleLinux sshd[1631]: Received disconnect from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45550:11: SSH client disconnected [preauth]
Nov 9 18:27:57 OracleLinux sshd[1631]: Disconnected from authenticating user root fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45550 [preauth]
Nov 9 18:28:57 OracleLinux sshd[1639]: Invalid user 888888 from 192.168.29.1 port 43725
Nov 9 18:28:57 OracleLinux sshd[1639]: pam_unix(sshd:auth): check pass; user unknown
Nov 9 18:28:57 OracleLinux sshd[1639]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.29.1
Nov 9 18:28:58 OracleLinux sshd[1641]: Invalid user 888888 from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45554
Wireshark entries from the same IP, the following day:
Is there any chance my systems are compromised?
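An added triage script, not part of the original post, that parses sshd lines in the format shown above from /var/log/secure. It groups failures per source host and username, lists any "Accepted ..." logins (the first thing to check when asking whether the attempts succeeded), and explains what each source address is: a "%enp0s8" zone id on an fe80:: address means the peer is on the same link as that interface, and 192.168.x.x is a private LAN address. The embedded sample lines are a constructed subset copied from the post; the optional file-path argument is an assumption.

```python
"""Triage of sshd authentication events from /var/log/secure (added example)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the lines from the post, copied verbatim.
SAMPLE_LOG = """\
Nov 9 18:26:47 OracleLinux sshd[1057]: Failed password for root from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45545 ssh2
Nov 9 18:27:46 OracleLinux sshd[1261]: Failed password for root from 192.168.29.1 port 43718 ssh2
Nov 9 18:27:47 OracleLinux sshd[1579]: Invalid user admin from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45547
Nov 9 18:27:48 OracleLinux sshd[1584]: Invalid user admin from 192.168.29.1 port 43720
Nov 9 18:27:50 OracleLinux sshd[1579]: Failed password for invalid user admin from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45547 ssh2
Nov 9 18:27:51 OracleLinux sshd[1584]: Failed password for invalid user admin from 192.168.29.1 port 43720 ssh2
Nov 9 18:27:51 OracleLinux login[836]: LOGIN ON tty1 BY devoracleuser
Nov 9 18:27:54 OracleLinux sshd[1628]: Failed password for root from 192.168.29.1 port 43721 ssh2
Nov 9 18:27:55 OracleLinux sshd[1631]: Failed password for root from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45550 ssh2
Nov 9 18:28:57 OracleLinux sshd[1639]: Invalid user 888888 from 192.168.29.1 port 43725
Nov 9 18:28:58 OracleLinux sshd[1641]: Invalid user 888888 from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45554
"""

TS = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(TS + r"Failed (?P<method>\S+) for (?P<invalid>invalid user )?"
                       r"(?P<user>\S+) from (?P<host>\S+) port (?P<port>\d+)")
INVALID_RE = re.compile(TS + r"Invalid user (?P<user>\S+) from (?P<host>\S+) port (?P<port>\d+)")
ACCEPTED_RE = re.compile(TS + r"Accepted (?P<method>\S+) for (?P<user>\S+) "
                         r"from (?P<host>\S+) port (?P<port>\d+)")


def parse_line(line):
    """Return a small event dict for the sshd lines we care about, else None."""
    m = FAILED_RE.match(line)
    if m:
        return {"kind": "failed", "user": m["user"], "host": m["host"],
                "port": int(m["port"]), "invalid_user": bool(m["invalid"]), "ts": m["ts"]}
    m = INVALID_RE.match(line)
    if m:
        # Username probe; the matching "Failed password for invalid user" line
        # (if any) is counted separately, so this is not double-counted.
        return {"kind": "invalid_user", "user": m["user"], "host": m["host"],
                "port": int(m["port"]), "ts": m["ts"]}
    m = ACCEPTED_RE.match(line)
    if m:
        return {"kind": "accepted", "user": m["user"], "host": m["host"],
                "port": int(m["port"]), "method": m["method"], "ts": m["ts"]}
    return None


def classify_source(host):
    """Describe where an sshd rhost sits on the network.
    A '%iface' suffix is an IPv6 zone id: a link-local peer reached via that
    interface, i.e. on the same L2 segment, not a host out on the Internet."""
    addr, _, zone = host.partition("%")
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.version == 6 and ip.is_link_local:
        return f"IPv6 link-local, same L2 segment as {zone or 'unknown iface'}"
    if ip.is_private:
        return "private address, LAN side (not directly Internet-routable)"
    return "global address, reachable from the Internet"


def summarize(log_text):
    """Aggregate failures per source host and collect every successful login."""
    failed, invalid = Counter(), Counter()
    users = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "accepted":
            accepted.append(ev)
            continue
        users[ev["host"]].add(ev["user"])
        if ev["kind"] == "failed":
            failed[ev["host"]] += 1
            if ev["invalid_user"]:
                invalid[ev["host"]] += 1
    by_host = {
        host: {
            "failures": failed[host],
            "invalid_user_failures": invalid[host],
            "usernames": sorted(users[host]),
            "root_targeted": "root" in users[host],
            "where": classify_source(host),
        }
        for host in users
    }
    return {"by_host": by_host, "accepted": accepted}


if __name__ == "__main__":
    import json
    import sys
    # Assumed usage: python triage.py /var/log/secure  (defaults to the sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(summarize(text), indent=2))
```

On the sample this reports three password failures from each of the two sources, both trying root, admin and 888888, and no accepted logins; run against the full /var/log/secure (and the rotated copies), a non-empty "accepted" list from an unexpected host or user is what would turn "attempts" into "compromise", and the "where" field tells you whether a source is on the VM's own link, the LAN, or the Internet, which narrows down where the attempts enter.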