Re: POSSIBLE BREAK-IN in auth.log via ssh

To: debian-user@lists.debian.org
Subject: Re: POSSIBLE BREAK-IN in auth.log via ssh
From: Jochen Schulz <ml@well-adjusted.de>
Date: Thu, 12 Feb 2009 09:55:16 +0100
Message-id: <[🔎] 20090212085516.GN8868@wasteland.homelinux.net>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 8f0417560902112157r25a05ec6taefd638b6f35018e@mail.gmail.com>
References: <[🔎] 8f0417560902112157r25a05ec6taefd638b6f35018e@mail.gmail.com>

Norman Bird:

> I decided to check the auth.log and started freaking out because I saw alot
> of POSSIBLE BREAK-IN lines.

It says "possible break-in *attempt*". But either way, it is harmless.

And, by the way: do you think a smart attacker who gained root on your
machine would leave traces in the logs? I doubt it.

> then I saw roon loging in so I was panicking.

Don't panic. :)

> But as I really reviewed them it seems that the actual root logins were by
> CRON and the nobody logins were system related. Please look this over and
> give any advice and particularily what should I do.

You don't need to do anything.

> Somewhere online said I should "boot with a root kit checker", feel free to
> advise on this.

Root kit checkers, just as anti-virus programs, cannot reliably detect
anything. They report false positives as well as false negatives. But
the idea to boot from a known good medium is a good one. *If* your
system has been attacked successfully, you should never trust it to
report it to you. You always have to use another one.

> I do need to log in via putty via ssh alot so I cant totally disable it. I
> will beef up my password now and maybe change the port, but I need input on
> that please, or a good site.

Search for a howto on public key authentication. It's well documented
and protects your SSH server from all those password brute force
attacks.

> Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session opened for user
> root by (uid=0)
> Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session closed for user
> root
> Feb 11 03:39:01 localhost CRON[29601]: (pam_unix) session closed for user
> root
> Feb 11 03:53:33 localhost sshd[29969]: Did not receive identification string
> from 66.212.18.86
> Feb 11 03:55:20 localhost sshd[30015]: reverse mapping checking getaddrinfo
> for alpha57.wqpax.net failed - POSSIBLE BREAK-IN
> ATTEMPT!
> Feb 11 03:55:20 localhost sshd[30015]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser=
> rhost=66.212.18.86  user=root
> Feb 11 03:55:22 localhost sshd[30015]: Failed password for root from
> 66.212.18.86 port 41396 ssh2
> Feb 11 03:55:23 localhost sshd[30019]: reverse mapping checking getaddrinfo
> for alpha57.wqpax.net failed - POSSIBLE BREAK-IN
> ATTEMPT! rhost=66.212.18.86
> 
> 
> then there is this, but it looks system related i think:
> 
> 
> Feb 11 07:09:01 localhost CRON[3127]: (pam_unix) session closed for user
> root
> Feb 11 07:17:01 localhost CRON[3368]: (pam_unix) session opened for user
> root by (uid=0)
> Feb 11 07:17:01 localhost CRON[3368]: (pam_unix) session closed for user
> root
> Feb 11 07:30:01 localhost CRON[3710]: (pam_unix) session opened for user
> root by (uid=0)
> Feb 11 07:30:01 localhost CRON[3710]: (pam_unix) session closed for user
> root
> Feb 11 07:33:01 localhost CRON[3807]: (pam_unix) session opened for user
> nobody by (uid=0)
> Feb 11 07:33:01 localhost CRON[3807]: (pam_unix) session closed for user
> nobody
> Feb 11 07:35:05 localhost su[3921]: Successful su for nobody by root
> Feb 11 07:35:05 localhost su[3921]: + ??? root:nobody
> Feb 11 07:35:05 localhost su[3921]: (pam_unix) session opened for user
> nobody by (uid=0)
> Feb 11 07:35:05 localhost su[3921]: (pam_unix) session closed for user
> nobody
> Feb 11 07:35:05 localhost su[3924]: Successful su for nobody by root
> Feb 11 07:35:05 localhost su[3924]: + ??? root:nobody
> Feb 11 07:35:05 localhost su[3924]: (pam_unix) session opened for user
> nobody by (uid=0)
> Feb 11 07:35:05 localhost su[3924]: (pam_unix) session closed for user
> nobody
> Feb 11 07:35:06 localhost su[3926]: Successful su for nobody by root
> Feb 11 07:35:06 localhost su[3926]: + ??? root:nobody
> Feb 11 07:35:06 localhost su[3926]: (pam_unix) session opened for user
> nobody by (uid=0)
> Feb 11 07:36:26 localhost su[3926]: (pam_unix) session closed for user
> nobody
> Feb 11 07:39:01 localhost CRON[4141]: (pam_unix) session opened for user
> root by (uid=0)
> Feb 11 07:39:01 localhost CRON[4143]: (pam_unix) session opened for user
> root by (uid=0)
> Feb 11 07:39:01 localhost CRON[4143]: (pam_unix) session closed for user
> root
> Feb 11 07:39:01 localhost CRON[4141]: (pam_unix) session closed for user
> root
> Feb 11 08:09:01 localhost CRON[4883]: (pam_unix) session opened for user
> root by (uid=0)
> Feb 11 08:09:01 localhost CRON[4885]: (pam_unix) session opened for user
> root by (uid=0)
> 
> Is there another log that would show a definate successful breakin?
> 
> thanks
> 
> Norm

-- 
We are lining up to see you fall flat on your face.
[Agree]   [Disagree]
                 <http://www.slowlydownward.com/NODATA/data_enter2.html>

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: POSSIBLE BREAK-IN in auth.log via ssh
  - From: Kevin Philp <lists@cybercolloids.net>

References:
- POSSIBLE BREAK-IN in auth.log via ssh
  - From: Norman Bird <steelpulsefan@gmail.com>

Prev by Date: Re: POSSIBLE BREAK-IN in auth.log via ssh
Next by Date: Re: converting ms word files
Previous by thread: Re: POSSIBLE BREAK-IN in auth.log via ssh
Next by thread: Re: POSSIBLE BREAK-IN in auth.log via ssh
Index(es):
- Date
- Thread