Norman Bird:
> I decided to check the auth.log and started freaking out because I saw a lot
> of POSSIBLE BREAK-IN lines.

It says "possible break-in *attempt*". But either way, it is harmless. And, by the way: do you think a smart attacker who gained root on your machine would leave traces in the logs? I doubt it.

> then I saw root logging in so I was panicking.

Don't panic. :)

> But as I really reviewed them it seems that the actual root logins were by
> CRON and the nobody logins were system related. Please look this over and
> give any advice and particularly what should I do.

You don't need to do anything.

> Somewhere online said I should "boot with a root kit checker", feel free to
> advise on this.

Root kit checkers, just as anti-virus programs, cannot reliably detect anything. They report false positives as well as false negatives. But the idea to boot from a known good medium is a good one. *If* your system has been attacked successfully, you should never trust it to report it to you. You always have to use another one.

> I do need to log in via putty via ssh a lot so I can't totally disable it. I
> will beef up my password now and maybe change the port, but I need input on
> that please, or a good site.

Search for a howto on public key authentication. It's well documented and protects your SSH server from all those password brute force attacks.

> Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session opened for user root by (uid=0)
> Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session closed for user root
> Feb 11 03:39:01 localhost CRON[29601]: (pam_unix) session closed for user root
> Feb 11 03:53:33 localhost sshd[29969]: Did not receive identification string from 66.212.18.86
> Feb 11 03:55:20 localhost sshd[30015]: reverse mapping checking getaddrinfo for alpha57.wqpax.net failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 11 03:55:20 localhost sshd[30015]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.212.18.86 user=root
> Feb 11 03:55:22 localhost sshd[30015]: Failed password for root from 66.212.18.86 port 41396 ssh2
> Feb 11 03:55:23 localhost sshd[30019]: reverse mapping checking getaddrinfo for alpha57.wqpax.net failed - POSSIBLE BREAK-IN ATTEMPT! rhost=66.212.18.86
>
>
> then there is this, but it looks system related I think:
>
>
> Feb 11 07:09:01 localhost CRON[3127]: (pam_unix) session closed for user root
> Feb 11 07:17:01 localhost CRON[3368]: (pam_unix) session opened for user root by (uid=0)
> Feb 11 07:17:01 localhost CRON[3368]: (pam_unix) session closed for user root
> Feb 11 07:30:01 localhost CRON[3710]: (pam_unix) session opened for user root by (uid=0)
> Feb 11 07:30:01 localhost CRON[3710]: (pam_unix) session closed for user root
> Feb 11 07:33:01 localhost CRON[3807]: (pam_unix) session opened for user nobody by (uid=0)
> Feb 11 07:33:01 localhost CRON[3807]: (pam_unix) session closed for user nobody
> Feb 11 07:35:05 localhost su[3921]: Successful su for nobody by root
> Feb 11 07:35:05 localhost su[3921]: + ??? root:nobody
> Feb 11 07:35:05 localhost su[3921]: (pam_unix) session opened for user nobody by (uid=0)
> Feb 11 07:35:05 localhost su[3921]: (pam_unix) session closed for user nobody
> Feb 11 07:35:05 localhost su[3924]: Successful su for nobody by root
> Feb 11 07:35:05 localhost su[3924]: + ??? root:nobody
> Feb 11 07:35:05 localhost su[3924]: (pam_unix) session opened for user nobody by (uid=0)
> Feb 11 07:35:05 localhost su[3924]: (pam_unix) session closed for user nobody
> Feb 11 07:35:06 localhost su[3926]: Successful su for nobody by root
> Feb 11 07:35:06 localhost su[3926]: + ??? root:nobody
> Feb 11 07:35:06 localhost su[3926]: (pam_unix) session opened for user nobody by (uid=0)
> Feb 11 07:36:26 localhost su[3926]: (pam_unix) session closed for user nobody
> Feb 11 07:39:01 localhost CRON[4141]: (pam_unix) session opened for user root by (uid=0)
> Feb 11 07:39:01 localhost CRON[4143]: (pam_unix) session opened for user root by (uid=0)
> Feb 11 07:39:01 localhost CRON[4143]: (pam_unix) session closed for user root
> Feb 11 07:39:01 localhost CRON[4141]: (pam_unix) session closed for user root
> Feb 11 08:09:01 localhost CRON[4883]: (pam_unix) session opened for user root by (uid=0)
> Feb 11 08:09:01 localhost CRON[4885]: (pam_unix) session opened for user root by (uid=0)
>
> Is there another log that would show a definite successful break-in?
>
> thanks
>
> Norm

-- 
We are lining up to see you fall flat on your face. [Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>
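Added example, not part of the thread: a small Python triage script that sorts auth.log entries the way the reply above does, separating the reverse-mapping warning (a DNS mismatch, not a compromise), failed password guesses per source host, cron and su sessions, from the one sshd line type that actually records a successful SSH login, an "Accepted ... for USER from HOST" line. Norm's excerpt contains no such line, so the sample here adds one constructed entry (user "norm", host 192.0.2.10) alongside lines copied from his post.

```python
import re
from collections import Counter

# Sample auth.log excerpt: lines copied from the post above, plus one constructed
# "Accepted" line (not in the post) showing what a real SSH login looks like.
SAMPLE_LOG = """\
Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session opened for user root by (uid=0)
Feb 11 03:53:33 localhost sshd[29969]: Did not receive identification string from 66.212.18.86
Feb 11 03:55:20 localhost sshd[30015]: reverse mapping checking getaddrinfo for alpha57.wqpax.net failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 11 03:55:22 localhost sshd[30015]: Failed password for root from 66.212.18.86 port 41396 ssh2
Feb 11 07:35:05 localhost su[3921]: Successful su for nobody by root
Feb 11 09:12:44 localhost sshd[5120]: Accepted publickey for norm from 192.0.2.10 port 50122 ssh2
"""

# Message formats written by sshd, pam_unix and su in a Debian auth.log.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)")
REVERSE = re.compile(r"sshd\[\d+\]: reverse mapping checking getaddrinfo for \S+ failed")
CRON = re.compile(r"CRON\[\d+\]: \(pam_unix\) session opened for user (\S+)")
SU = re.compile(r"su\[\d+\]: Successful su for (\S+) by (\S+)")


def triage(log_text):
    """Classify each line: failed guesses per host, real logins, and harmless noise."""
    report = {"failed_by_host": Counter(), "accepted": [], "reverse_dns_noise": 0,
              "cron_sessions": Counter(), "su_switches": []}
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            report["failed_by_host"][m.group(2)] += 1
        elif m := ACCEPTED.search(line):
            # Only an "Accepted ..." line records a successful SSH authentication.
            report["accepted"].append((m.group(2), m.group(3), m.group(1)))
        elif REVERSE.search(line):
            # Client's reverse DNS did not match its forward record: a warning, not a break-in.
            report["reverse_dns_noise"] += 1
        elif m := CRON.search(line):
            # Scheduled job started by cron, not an interactive login.
            report["cron_sessions"][m.group(1)] += 1
        elif m := SU.search(line):
            # Local identity switch (who, to whom); here root dropping to nobody.
            report["su_switches"].append((m.group(2), m.group(1)))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```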