Veo esto en el archivo de registro de mi servidor Ubuntu:
en mi ssh mi usuario es root pero veo a otro usuario desconectado como "teamspeak", ¿Qué significa eso?
auth.log
Jul 3 21:39:01 vmi189193 CRON[25937]: pam_unix(cron:session): session closed for user root
Jul 3 21:40:13 vmi189193 sshd[26041]: Connection closed by 190.96.22.136 port 39351 [preauth]
Jul 3 21:41:30 vmi189193 sshd[26057]: Connection closed by 190.96.22.136 port 47828 [preauth]
Jul 3 21:42:48 vmi189193 sshd[26067]: Connection closed by 190.96.22.136 port 56306 [preauth]
Jul 3 21:44:05 vmi189193 sshd[26279]: Invalid user sammy from 82.202.219.155 port 51676
Jul 3 21:44:05 vmi189193 sshd[26279]: pam_unix(sshd:auth): check pass; user unknown
Jul 3 21:44:05 vmi189193 sshd[26279]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.202.219.155
Jul 3 21:44:05 vmi189193 sshd[26283]: Connection closed by 190.96.22.136 port 64785 [preauth]
Jul 3 21:44:07 vmi189193 sshd[26279]: Failed password for invalid user sammy from 82.202.219.155 port 51676 ssh2
Jul 3 21:44:07 vmi189193 sshd[26279]: Connection closed by invalid user sammy 82.202.219.155 port 51676 [preauth]
Jul 3 21:45:22 vmi189193 sshd[26628]: Connection closed by 190.96.22.136 port 17263 [preauth]
Jul 3 21:46:38 vmi189193 sshd[27097]: Connection closed by 190.96.22.136 port 25740 [preauth]
Jul 3 21:47:55 vmi189193 sshd[27643]: Connection closed by 190.96.22.136 port 34217 [preauth]
Jul 3 21:49:12 vmi189193 sshd[28029]: Connection closed by 190.96.22.136 port 42696 [preauth]
Jul 3 21:50:28 vmi189193 sshd[28693]: Connection closed by 190.96.22.136 port 51173 [preauth]
Jul 3 21:51:43 vmi189193 sshd[29239]: Connection closed by 190.96.22.136 port 59649 [preauth]
Jul 3 21:52:59 vmi189193 sshd[29678]: Connection closed by 190.96.22.136 port 12126 [preauth]
Jul 3 21:53:24 vmi189193 sshd[29877]: Invalid user vbox from 198.245.63.135 port 37988
Jul 3 21:53:24 vmi189193 sshd[29877]: pam_unix(sshd:auth): check pass; user unknown
Jul 3 21:53:24 vmi189193 sshd[29877]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.245.63.135
Jul 3 21:53:26 vmi189193 sshd[29877]: Failed password for invalid user vbox from 198.245.63.135 port 37988 ssh2
Jul 3 21:53:26 vmi189193 sshd[29877]: Connection closed by invalid user vbox 198.245.63.135 port 37988 [preauth]
Jul 3 21:54:17 vmi189193 sshd[30249]: Connection closed by 190.96.22.136 port 20605 [preauth]
Jul 3 21:54:33 vmi189193 sshd[30329]: Invalid user teamspeak from 128.199.139.46 port 32772
Jul 3 21:54:33 vmi189193 sshd[30329]: pam_unix(sshd:auth): check pass; user unknown
Jul 3 21:54:33 vmi189193 sshd[30329]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=128.199.139.46
Jul 3 21:54:35 vmi189193 sshd[30329]: Failed password for invalid user teamspeak from 128.199.139.46 port 32772 ssh2
Jul 3 21:54:35 vmi189193 sshd[30329]: Received disconnect from 128.199.139.46 port 32772:11: Normal Shutdown, Thank you for playing [preauth]
Jul 3 21:54:35 vmi189193 sshd[30329]: Disconnected from invalid user teamspeak 128.199.139.46 port 32772 [preauth]
Jul 3 21:55:35 vmi189193 sshd[30642]: Connection closed by 190.96.22.136 port 29083 [preauth]
Jul 3 21:56:05 vmi189193 sshd[30763]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=196.65.211.46 user=root
Jul 3 21:56:07 vmi189193 sshd[30763]: Failed password for root from 196.65.211.46 port 60656 ssh2
Jul 3 21:56:23 vmi189193 sshd[30804]: Invalid user test from 46.40.224.46 port 4627
Jul 3 21:56:23 vmi189193 sshd[30804]: pam_unix(sshd:auth): check pass; user unknown
Jul 3 21:56:23 vmi189193 sshd[30804]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=46.40.224.46
Jul 3 21:56:25 vmi189193 sshd[30804]: Failed password for invalid user test from 46.40.224.46 port 4627 ssh2
Jul 3 21:56:25 vmi189193 sshd[30804]: Received disconnect from 46.40.224.46 port 4627:11: Normal Shutdown, Thank you for playing [preauth]
Jul 3 21:56:25 vmi189193 sshd[30804]: Disconnected from invalid user test 46.40.224.46 port 4627 [preauth]closed for user root
Received disconnect from 128.199.139.46 port 32772:11: Normal Shutdown, Thank you for playing [preautI]
No usé esta ip "128.199.139.46" ¿Eso significa que alguien inició sesión en mi SSH?
syslog:
Jul 3 21:56:33 vmi189193 systemd[30808]: Startup finished in 92ms.
Jul 3 21:56:33 vmi189193 systemd[1]: Started User Manager for UID 0.
Jul 3 21:56:55 vmi189193 systemd[1]: Stopping OpenBSD Secure Shell server...
Jul 3 21:56:55 vmi189193 systemd[1]: Stopped OpenBSD Secure Shell server.
Jul 3 21:57:07 vmi189193 systemd[1]: Stopping User Manager for UID 0...
Jul 3 21:57:07 vmi189193 systemd[30808]: Stopped target Default.
Jul 3 21:57:07 vmi189193 systemd[30808]: Stopped target Basic System.
Jul 3 21:57:07 vmi189193 systemd[30808]: Stopped target Paths.
Jul 3 21:57:07 vmi189193 systemd[30808]: Stopped target Sockets.
Jul 3 21:57:07 vmi189193 systemd[30808]: Closed GnuPG cryptographic agent and passphrase cache (access for web browsers).
Jul 3 21:57:07 vmi189193 systemd[30808]: Closed GnuPG cryptographic agent and passphrase cache (restricted).
Jul 3 21:57:07 vmi189193 systemd[30808]: Closed GnuPG cryptographic agent and passphrase cache.
Jul 3 21:57:07 vmi189193 systemd[30808]: Closed GnuPG cryptographic agent (ssh-agent emulation).
Jul 3 21:57:07 vmi189193 systemd[30808]: Closed GnuPG network certificate management daemon.
Jul 3 21:57:07 vmi189193 systemd[30808]: Reached target Shutdown.
Jul 3 21:57:07 vmi189193 systemd[30808]: Starting Exit the Session...
Jul 3 21:57:07 vmi189193 systemd[30808]: Stopped target Timers.
Jul 3 21:57:07 vmi189193 systemd[30808]: Received SIGRTMIN+24 from PID 30986 (kill).
Jul 3 21:57:07 vmi189193 systemd[1]: Stopped User Manager for UID 0.
Jul 3 21:57:07 vmi189193 systemd[1]: Removed slice User Slice of root.
apache2 / error.log:
[Tue Jul 03 21:45:28.709800 2018] [:error] [pid 21250] [client 196.65.211.46:63463] script '/var/www/html/wp-login.php' not found or unable to stat
[Tue Jul 03 21:45:51.223006 2018] [:error] [pid 6860] [client 196.65.211.46:55697] script '/var/www/html/p.php' not found or unable to stat
[Tue Jul 03 21:45:55.370434 2018] [:error] [pid 17177] [client 196.65.211.46:59635] script '/var/www/html/p.php' not found or unable to stat
Parece que intentó iniciar sesión en Wordpress pero no lo tengo.
No tengo mucha experiencia en seguridad, ¿es eso malo o fui hackeado?
Deshabilité ssh ( systemctl stop ssh
). ¿Qué puedo hacer ahora?