Re: could you help interpret my logs?

[Randy Kelsoe <randykel swbell net>]

Alexander Dalloz wrote:

> > sshd:
> >   Authentication Failures:
> >      root (209.67.215.146): 59 Time(s)
> >      adm (209.67.215.146): 2 Time(s)
> >      apache (209.67.215.146): 1 Time(s)
> >      cyrus (209.67.215.146): 1 Time(s)
> >      matt (209.67.215.146): 1 Time(s)
> >      mysql (209.67.215.146): 1 Time(s)
> >      nobody (209.67.215.146): 1 Time(s)
> >      operator (209.67.215.146): 1 Time(s)
> >    
>
> Hm, this looks like a strategic attempt. The SSH attacks I know do not
> try accounts like cyrus or apache.
>  
I just had the same attack on one of my servers last night from the same 
IP address. It  looks like they modified a script to add all these extra 
users. He saw "Unknown Account: 40 time(s)" and I saw

sshd:
  Invalid Users:
     Unknown Account: 42 Time(s)
So I am wondering if he has the cyrus and news accounts activated.

I also had an attempt last week that tried to login as root, admin, 
test, and guest, then tried unsuccessfully to login as root 3,415 times. 
I have the "PermitRootLogin no" set in my /etc/ssh/sshd_config  file, so 
they should not be able to get in even if they do guess the root password.

>  
>
> > su:
> >   Sessions Opened:
> >      (uid=0) -> julian: 2 Time(s)
> >      (uid=0) -> cyrus: 1 Time(s)
> >      (uid=0) -> news: 1 Time(s)
> >      julian(uid=500) -> root: 1 Time(s)
> >
> > It also looks like the attacker was successful in logging in as cyrus
> > and news.  Is this possible?  Could this be potentially damaging to my
> > system?  Or is this something normal which I am overlooking?
> >    
>
> From what do you conclude that the attacker logged in as cyrus and news?
> I would think it was you as root doing so by running "su - $username".
> (One time su'ing from julian to root.) The logwatch entries point to su
> actions. If it wasn't you, then switch off the machine from net, as a
> foreign person has root control over the host.
>  

He could look in the /var/log/secure(.X) file and see if there was a 
successful login as cyrus and/or news, and also look at when the login 
occurred. He could also look at the /etc/shadow file to see if the cyrus 
and news accounts are disabled. The hacker could have covered his tracks 
by editing the /var/log/secure file, but it's doubtful since he did not 
edit out the unsuccessful attempts. Like Alexander said, it looks like 
someone was logged in as root, and did an su to cyrus and news.  When I 
have seen these intrusion attempts, I have been blocking the host and 
its IP range at the firewall.