help

Jose R R jose.r.r at metztli.com
Sat Jan 30 06:47:26 UTC 2010


On Wed, Jan 27, 2010 at 9:59 PM, Joy Methew <ml4joy at gmail.com> wrote:
> Hello all,
> I am using RHEL 5.3 as my mail server with a real IP. I
> configure my system mostly remotely. The last login time on my system was 27 Jan
> from this IP, 118.129.153.43.
> Then I tried to log in on 28 Jan in the morning, but I could not get authenticated as
> root with my last password.
> Then I rebooted the system and reset my password.
> I logged in as root and ran the "last" command; I am sending the first 10 lines
> of the last command output... I think someone hacked my system. I am sending the history
> command output.
> Now I have removed the .ssh directory and /var/tmp/*.
>
> Please suggest what this is??
>
> thanks
>
> last command output:
> root     pts/1        117.199.118.234  Thu Jan 28 10:58   still logged in
> root     pts/0        117.199.118.234  Thu Jan 28 10:49   still logged in
> root     tty1                          Thu Jan 28 10:48 - 10:52  (00:04)
> reboot   system boot  2.6.18-128.el5PA Thu Jan 28 10:45          (00:25)
> root     pts/2        165.red-79-153-1 Thu Jan 28 01:42 - 01:52  (00:09)
> root     pts/2        165.red-79-153-1 Wed Jan 27 23:02 - 01:27  (02:25)
> root     pts/2        165.red-79-153-1 Wed Jan 27 22:33 - 22:34  (00:00)
> root     pts/3        165.red-79-153-1 Wed Jan 27 22:32 - 22:33  (00:00)
> root     pts/2        118.129.153.43   Wed Jan 27 22:31 - 22:32  (00:01)
> root     pts/2        117.199.114.189  Wed Jan 27 15:47 - 15:51  (00:03)
>
> What is 165.red-79........? This is not my IP.
>
>
> History Output

Here is an interesting twist on the story. On January 29 at 16:01:26
(America/Tijuana time zone, or GMT-8) IP 118.129.153.43 attempted to
log into my host using the root username. After a couple (actually 3)
tries it was blocked, and I have notified security at bora.net and
cert at krcert.or.kr.

Jan 29 16:01:26 [myHost-name] sshd[5758]: User root from 118.129.153.43 [...]
Jan 29 16:01:26 [myHost-name] sshd[5758]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=118.129.153.43  user=root
Jan 29 16:01:26 [myHost-name] sshd[5760]: User root from 118.129.153.43 [...]
Jan 29 16:01:26 [myHost-name] sshd[5760]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=118.129.153.43  user=root
Jan 29 16:01:26 [myHost-name] sshd[5761]: User root from 118.129.153.43 [...]
Jan 29 16:01:26 [myHost-name] sshd[5761]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=118.129.153.43  user=root
Jan 29 16:01:28 [myHost-name] sshd[5758]: Failed password for invalid
user root from 118.129.153.43 port 62771 ssh2
Jan 29 16:01:28 [myHost-name] sshd[5760]: Failed password for invalid
user root from 118.129.153.43 port 56897 ssh2
Jan 29 16:01:29 [myHost-name] sshd[5761]: Failed password for invalid
user root from 118.129.153.43 port 48669 ssh2

Best Regards.


-- 
Jose R R
http://www.metztli-it.com
---------------------------------------------------------------------------------------------
IBM Lotus Symphony supported on GNU/Linux, Mac OS, and Windows.
---------------------------------------------------------------------------------------------
Daylight Saving Time in USA & Canada starts: Sunday 08 March 2009
---------------------------------------------------------------------------------------------
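The sshd records quoted above come in pairs: a pam_unix "authentication failure" line and a "Failed password" line sharing the same sshd pid. The following is an added example (not the poster's code) that parses both shapes from a constructed sample log, counts each attempt once per pid, and reports source hosts that crossed a failed-root-login threshold such as the three tries mentioned in the reply. Host names and addresses in the sample are constructed placeholders.

```python
"""Flag source hosts with repeated failed SSH root logins (added example,
not the poster's code). Parses the two sshd record shapes quoted in the
mail: the pam_unix authentication-failure line and the Failed password line.
"""
import re
from collections import Counter

# sshd[<pid>]: pam_unix(sshd:auth): authentication failure; ... rhost=<ip>  user=<name>
PAM_FAILURE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:auth\): authentication failure;"
    r".*\brhost=(?P<rhost>\S+)\s+user=(?P<user>\S+)")
# sshd[<pid>]: Failed password for [invalid user ]<name> from <ip> port <n> ssh2
FAILED_PASSWORD = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?(?P<user>\S+)"
    r" from (?P<rhost>\S+) port \d+ ssh2")

def failed_logins(lines, user="root"):
    """Return Counter {rhost: failed sessions for `user`}. Both record
    shapes are accepted; the pam line and the Failed password line that
    belong to the same sshd pid describe one attempt and count once."""
    seen, counts = set(), Counter()
    for line in lines:
        m = FAILED_PASSWORD.search(line) or PAM_FAILURE.search(line)
        if not m or m.group("user") != user:
            continue
        key = (m.group("pid"), m.group("rhost"))
        if key not in seen:
            seen.add(key)
            counts[m.group("rhost")] += 1
    return counts

def offending_hosts(lines, threshold=3, user="root"):
    """Hosts with at least `threshold` failed `user` logins, busiest first."""
    return [(h, n) for h, n in failed_logins(lines, user).most_common()
            if n >= threshold]

# Constructed sample log (RFC 5737 documentation addresses, not real hosts),
# in the same shape as the lines quoted in the mail.
SAMPLE_LOG = """\
Jan 29 16:01:26 host sshd[5758]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Jan 29 16:01:26 host sshd[5760]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Jan 29 16:01:26 host sshd[5761]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Jan 29 16:01:28 host sshd[5758]: Failed password for invalid user root from 192.0.2.10 port 62771 ssh2
Jan 29 16:01:28 host sshd[5760]: Failed password for invalid user root from 192.0.2.10 port 56897 ssh2
Jan 29 16:01:29 host sshd[5761]: Failed password for invalid user root from 192.0.2.10 port 48669 ssh2
Jan 29 16:05:02 host sshd[5802]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jan 29 16:07:11 host sshd[5810]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Jan 29 16:09:40 host sshd[5822]: Accepted publickey for admin from 203.0.113.5 port 40022 ssh2
""".splitlines()
```

Calling `offending_hosts(SAMPLE_LOG)` on the sample returns only the host with three failed root sessions; the single-failure host and the non-root failure stay below the threshold.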