
Re: could you help interpret my logs?



Alexander Dalloz wrote:

sshd:
Authentication Failures:
root (209.67.215.146): 59 Time(s)
adm (209.67.215.146): 2 Time(s)
apache (209.67.215.146): 1 Time(s)
cyrus (209.67.215.146): 1 Time(s)
matt (209.67.215.146): 1 Time(s)
mysql (209.67.215.146): 1 Time(s)
nobody (209.67.215.146): 1 Time(s)
operator (209.67.215.146): 1 Time(s)



Hm, this looks like a strategic attempt. The SSH attacks I know do not
try accounts like cyrus or apache.


I just had the same attack on one of my servers last night from the same IP address. It looks like they modified a script to add all these extra users. He saw "Unknown Account: 40 time(s)" and I saw

sshd:
  Invalid Users:
     Unknown Account: 42 Time(s)

So I am wondering if he has the cyrus and news accounts activated.

I also had an attempt last week that tried to log in as root, admin, test, and guest, then tried unsuccessfully to log in as root 3,415 times. I have "PermitRootLogin no" set in my /etc/ssh/sshd_config file, so they should not be able to get in even if they do guess the root password.



su:
  Sessions Opened:
     (uid=0) -> julian: 2 Time(s)
     (uid=0) -> cyrus: 1 Time(s)
     (uid=0) -> news: 1 Time(s)
     julian(uid=500) -> root: 1 Time(s)

It also looks like the attacker was successful in logging in as cyrus
and news. Is this possible? Could this be potentially damaging to my
system? Or is this something normal which I am overlooking?



From what do you conclude that the attacker logged in as cyrus and news?
I would think it was you as root doing so by running "su - $username".
(One time su'ing from julian to root.) The logwatch entries point to su
actions. If it wasn't you, then switch off the machine from net, as a
foreign person has root control over the host.



He could look in the /var/log/secure(.X) file and see if there was a successful login as cyrus and/or news, and also look at when the login occurred. He could also look at the /etc/shadow file to see if the cyrus and news accounts are disabled. The hacker could have covered his tracks by editing the /var/log/secure file, but it's doubtful since he did not edit out the unsuccessful attempts. Like Alexander said, it looks like someone was logged in as root, and did an su to cyrus and news. When I have seen these intrusion attempts, I have been blocking the host and its IP range at the firewall.
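As an added illustration of the checks suggested above (this is not code from the thread): given a few lines in the /var/log/secure format of that era and an /etc/shadow excerpt, both constructed here, it separates a genuine remote sshd login ("Accepted ...") from a root-initiated "su" session, and reports whether the target account's password is locked in shadow.

```python
import re
from collections import defaultdict

# Constructed sample in the /var/log/secure format of that era (not the poster's real log).
SECURE_LOG = """\
Mar  3 02:14:07 host sshd[12345]: Failed password for root from 209.67.215.146 port 40212 ssh2
Mar  3 02:14:09 host sshd[12346]: Failed password for illegal user cyrus from 209.67.215.146 port 40213 ssh2
Mar  3 09:31:40 host sshd[12400]: Accepted password for julian from 192.0.2.10 port 51022 ssh2
Mar  3 09:32:01 host su(pam_unix)[12410]: session opened for user root by julian(uid=500)
Mar  3 09:35:12 host su(pam_unix)[12420]: session opened for user cyrus by (uid=0)
Mar  3 09:36:40 host su(pam_unix)[12425]: session opened for user news by (uid=0)
"""
# Constructed /etc/shadow excerpt: a password field of "!!", "!" or "*" never matches (locked).
SHADOW = """\
julian:$1$placeholder$notarealhash:12480:0:99999:7:::
cyrus:!!:12480:0:99999:7:::
news:*:12480:0:99999:7:::
"""

TS = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
ACCEPTED = re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SU_OPEN = re.compile(TS + r"su\S*: session opened for user (?P<to>\S+) by (?P<by>\S+)")

def ssh_logins(log):
    """Accepted sshd logins per user, i.e. real remote logins: [(timestamp, source address)]."""
    hits = defaultdict(list)
    for m in filter(None, map(ACCEPTED.search, log.splitlines())):
        hits[m.group("user")].append((m.group("ts"), m.group("src")))
    return dict(hits)

def su_sessions(log):
    """su sessions opened as (who, target); root switching to a user shows up as '(uid=0)'."""
    return [(m.group("by"), m.group("to")) for m in filter(None, map(SU_OPEN.search, log.splitlines()))]

def locked_accounts(shadow):
    """Accounts whose shadow password field is locked ('!' prefix or '*')."""
    return {name for name, pw in (l.split(":")[:2] for l in shadow.splitlines() if l)
            if pw.startswith("!") or pw == "*"}

def explain(user, log, shadow):
    """Verdict for one account: reached by a remote login, or only via somebody's su?"""
    logins = ssh_logins(log).get(user)
    if logins:
        return f"{user}: remote ssh login from {logins[0][1]} at {logins[0][0]}"
    via_su = [by for by, to in su_sessions(log) if to == user]
    if via_su:
        lock = " (password locked in shadow)" if user in locked_accounts(shadow) else ""
        return f"{user}: no remote login; su by {', '.join(via_su)}{lock}"
    return f"{user}: no login activity"
```

Run explain() for cyrus and news: an "su by (uid=0)" verdict with no remote login is the pattern Alexander describes, so the real question becomes who held the root shell at that time.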


