Luci Log Concerns (ARM300M)

glitch · March 23, 2017, 5:28pm

Hi.
I found this in my log in Luci - can anyone explain what it is and / or is it anything to do with GL?

Thu Mar 23 09:18:40 2017 authpriv.info dropbear[7335]: Child connection from 122.189.193.72:57158
Thu Mar 23 09:18:43 2017 authpriv.warn dropbear[7335]: Bad password attempt for ‘root’ from 122.189.193.72:57158
Thu Mar 23 09:18:43 2017 authpriv.warn dropbear[7335]: Bad password attempt for ‘root’ from 122.189.193.72:57158
Thu Mar 23 09:18:44 2017 authpriv.warn dropbear[7335]: Bad password attempt for ‘root’ from 122.189.193.72:57158
Thu Mar 23 09:18:45 2017 authpriv.warn dropbear[7335]: Bad password attempt for ‘root’ from 122.189.193.72:57158
Thu Mar 23 09:18:46 2017 authpriv.warn dropbear[7335]: Bad password attempt for ‘root’ from 122.189.193.72:57158
Thu Mar 23 09:18:47 2017 authpriv.warn dropbear[7335]: Bad password attempt for ‘root’ from 122.189.193.72:57158
Thu Mar 23 09:18:48 2017 authpriv.warn dropbear[7335]: Bad password attempt for ‘root’ from 122.189.193.72:57158
Thu Mar 23 09:18:48 2017 authpriv.warn dropbear[7335]: Bad password attempt for ‘root’ from 122.189.193.72:57158
Thu Mar 23 09:18:49 2017 authpriv.warn dropbear[7335]: Bad password attempt for ‘root’ from 122.189.193.72:57158
Thu Mar 23 09:18:50 2017 authpriv.warn dropbear[7335]: Bad password attempt for ‘root’ from 122.189.193.72:57158
Thu Mar 23 09:18:50 2017 authpriv.info dropbear[7335]: Exit before auth (user ‘root’, 10 fails): Max auth tries reached - user ‘root’ from 122.189.193.72:57158

Edit: now getting a “probe” from 122.171.171.206

TIA,
Glitch

lostdog · March 23, 2017, 11:56pm

A whois of that address shows it’s coming from China (probably near Beijing). Very common for hackers to scan IP addresses until they find an open port then try to exploit or connect. They were blocked by dropbear but it won’t stop them from trying again as you’ve found. Make sure you’ve got very good passwords and/or turn off remote administration / ssh from WAN.