
Re: POSSIBLE BREAK-IN in auth.log via ssh



On Thu, Feb 12, 2009 at 12:57:21AM -0500, Norman Bird wrote:
> I decided to check the auth.log and started freaking out because I saw a lot
> of POSSIBLE BREAK-IN lines. Then I saw root logging in so I was panicking.
> But as I really reviewed them it seems that the actual root logins were by
> CRON and the nobody logins were system related. Please look this over and
> give any advice and particularly what should I do.
> 
> Somewhere online said I should "boot with a root kit checker", feel free to
> advise on this.
> 
> I do need to log in via putty via ssh a lot so I can't totally disable it. I
> will beef up my password now and maybe change the port, but I need input on
> that please, or a good site.
> 
> Thanks
> 
> Norm
> 
> Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session opened for user root by (uid=0)
> Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session closed for user root
> Feb 11 03:39:01 localhost CRON[29601]: (pam_unix) session closed for user root

These above are syslog messages from cron, telling you root logged in; well,
more like cron changed userid to root to run something.

> Feb 11 03:53:33 localhost sshd[29969]: Did not receive identification string from 66.212.18.86
> Feb 11 03:55:20 localhost sshd[30015]: reverse mapping checking getaddrinfo for alpha57.wqpax.net failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 11 03:55:20 localhost sshd[30015]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.212.18.86  user=root
> Feb 11 03:55:22 localhost sshd[30015]: Failed password for root from 66.212.18.86 port 41396 ssh2
> Feb 11 03:55:23 localhost sshd[30019]: reverse mapping checking getaddrinfo for alpha57.wqpax.net failed - POSSIBLE BREAK-IN ATTEMPT! rhost=66.212.18.86

This is ssh complaining about an incorrect password being supplied; I
presume you do not allow password authentication for root!

This is some script kiddie or mutant PC trying a brute-force attack against your
sshd server; try fail2ban.


> 
> 
> then there is this, but it looks system related i think:
> 
> 

[snip]

> Feb 11 07:35:05 localhost su[3921]: Successful su for nobody by root
> Feb 11 07:35:05 localhost su[3921]: + ??? root:nobody
> Feb 11 07:35:05 localhost su[3921]: (pam_unix) session opened for user nobody by (uid=0)
> Feb 11 07:35:05 localhost su[3921]: (pam_unix) session closed for user nobody
> Feb 11 07:35:05 localhost su[3924]: Successful su for nobody by root
> Feb 11 07:35:05 localhost su[3924]: + ??? root:nobody
> Feb 11 07:35:05 localhost su[3924]: (pam_unix) session opened for user nobody by (uid=0)
> Feb 11 07:35:05 localhost su[3924]: (pam_unix) session closed for user nobody
> Feb 11 07:35:06 localhost su[3926]: Successful su for nobody by root
> Feb 11 07:35:06 localhost su[3926]: + ??? root:nobody
> Feb 11 07:35:06 localhost su[3926]: (pam_unix) session opened for user nobody by (uid=0)
> Feb 11 07:36:26 localhost su[3926]: (pam_unix) session closed for user nobody

Looks to me like a process running as root su'ed from root to nobody.

[snip]

> Is there another log that would show a definite successful break-in?
> 
> thanks
> 
> Norm


Apart from the brute-force attack, nothing really to worry about.

-- 
I never vote for anyone.  I always vote against.
		-- W. C. Fields
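As an added example (not part of the thread, and not anyone's tool), here is a small Python classifier that applies the reasoning in the reply above to constructed auth.log lines modelled on Norm's excerpt: CRON sessions and root-to-nobody su entries are marked benign, a reverse-DNS "POSSIBLE BREAK-IN" line is reported as just that, and repeated sshd password failures are counted per source address, fail2ban-style. The extra failure lines, the accepted public-key login, the user name norm and the address 192.0.2.10 are made up for the example.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the auth.log excerpt in the thread; the
# extra failures, the accepted login, user norm and 192.0.2.10 are made up.
SAMPLE_LOG = """\
Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session opened for user root by (uid=0)
Feb 11 03:53:33 localhost sshd[29969]: Did not receive identification string from 66.212.18.86
Feb 11 03:55:20 localhost sshd[30015]: reverse mapping checking getaddrinfo for alpha57.wqpax.net failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 11 03:55:22 localhost sshd[30015]: Failed password for root from 66.212.18.86 port 41396 ssh2
Feb 11 03:55:25 localhost sshd[30019]: Failed password for root from 66.212.18.86 port 41402 ssh2
Feb 11 03:55:28 localhost sshd[30023]: Failed password for root from 66.212.18.86 port 41410 ssh2
Feb 11 07:35:05 localhost su[3921]: Successful su for nobody by root
Feb 11 07:35:05 localhost su[3921]: (pam_unix) session opened for user nobody by (uid=0)
Feb 11 07:40:00 localhost sshd[4100]: Accepted publickey for norm from 192.0.2.10 port 50022 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (?P<prog>[A-Za-z_-]+)\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted \w+ for \S+ from (?P<ip>\S+) port \d+")

def classify(line):
    # Returns (category, source_ip); source_ip is only known for sshd auth events.
    m = LINE_RE.match(line)
    if not m:
        return ("unparsed", None)
    prog, msg = m.group("prog"), m.group("msg")
    if prog == "CRON":
        return ("benign-cron", None)  # cron opening a PAM session to run a job as root
    if prog == "su" and ("by root" in msg or "by (uid=0)" in msg):
        return ("benign-su-from-root", None)  # root dropping to an unprivileged user
    if prog == "sshd":
        f = FAILED_RE.search(msg)
        if f:
            return ("ssh-failed", f.group("ip"))
        a = ACCEPTED_RE.search(msg)
        if a:
            return ("ssh-accepted", a.group("ip"))
        if "POSSIBLE BREAK-IN" in msg:
            return ("ssh-reverse-dns", None)  # rDNS mismatch only; says nothing about auth
    return ("other", None)

def summarize(log_text, threshold=3):
    # Count sshd password failures per source and flag sources at or above threshold.
    failures, accepted = Counter(), []
    for line in log_text.splitlines():
        kind, ip = classify(line)
        if kind == "ssh-failed":
            failures[ip] += 1
        elif kind == "ssh-accepted":
            accepted.append(line)  # the lines that actually show a login succeeding
    brute = {ip: n for ip, n in failures.items() if n >= threshold}
    return {"failed_by_ip": dict(failures), "brute_force": brute, "accepted": accepted}
```

The "accepted" list is the answer to Norm's last question: a successful ssh login shows up as an "Accepted ..." line from sshd, not as a CRON or su session.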
