[ltp] Help with reading logs - Fedora Core 5, possible break-in attempts

Andrew Barr linux-thinkpad@linux-thinkpad.org
Wed, 23 Aug 2006 14:30:09 -0400


On Wed, 2006-08-23 at 12:39 -0400, Nate wrote:
> Hello list,
> 
> I've been getting logwatches forwarded to my e-mail address. However, I'm 
> not an expert, but some scary things seem to be going on. At least today 
> the log, for the first time, said that a possible break-in attempt 
> occurred. Well, I already guessed that since I was getting many login 
> attempts at lots of different usernames. The log is at the bottom of my 
> message.
> 
> A couple things:
> What is user beagleindex? Googling this word is not sufficient, nor does 
> man -k.

This is the Beagle desktop search software. It is probably a part of
Fedora Core 5 by default.

http://beagle-project.org/Main_Page

> It looks like someone was actually successful in logging in as root! Am 
> I right?

Yes, unfortunately it does look like it.

> Also, sshd was stopped and started. Would the system have done this for 
> any reason?
> 
> I turned the firewall on, so no one can logon remotely. But I do need to 
> use scp transfers occasionally. Can anyone suggest some good 
> security-minded tutorials, websites, or steps that I should take next?

Look for a tutorial on setting up public key authentication with sshd.
It is not only safer but can be more convenient for you. Once you set
that up disable tunneled clear text passwords (the default), and this
will foil 99.9% of remote SSH break-in attempts, even if they have the
correct password for a given user. 

Of course, your passwords for your desktop user and root account should
not be easily guessable anyway.

> Thanks,
> Nathan
> 
> ################### Logwatch 7.2.1 (01/18/06) #################### 
>         Processing Initiated: Wed Aug 23 04:02:31 2006
>         Date Range Processed: yesterday
>                               ( 2006-Aug-22 )
>                               Period is day.
>       Detail Level of Output: 0
>               Type of Output: unformatted
>            Logfiles for Host: blackbox
>   ################################################################## 
>  
>  --------------------- pam_unix Begin ------------------------ 
> 
>  sshd:
>     Authentication Failures:
>        unknown (66.111.51.160): 17 Time(s)
>        daemon (66.111.51.160): 1 Time(s)
>        root (66.111.51.160): 1 Time(s)
>        root (premierhostonline.com): 1 Time(s)
>     Invalid Users:
>        Unknown Account: 17 Time(s)
>  
>  su:
>     Sessions Opened:
>        (uid=0) -> beagleindex: 2 Time(s)
>        (uid=0) -> nate: 2 Time(s)
>        (uid=500) -> root: 1 Time(s)
>        nate(uid=500) -> root: 1 Time(s)
>  
> 
>  ---------------------- pam_unix End ------------------------- 
> 
>  
>  --------------------- SSHD Begin ------------------------ 
> 
>  
>  SSHD Killed: 1 Time(s)
>  
>  SSHD Started: 1 Time(s)
>  
>  Failed logins from:
>     66.111.51.160 (unknown.sagonet.net): 4 times
>     69.42.69.18 (premierhostonline.com): 2 times
>     80.87.64.115 (nms.ghanatel.com.gh): 2 times
>     200.155.177.18 (200-155-177-18.static.spo.ifx.net.br): 3 times
>  
>  Illegal users from:
>     66.111.51.160 (unknown.sagonet.net): 34 times
>     80.87.64.115 (nms.ghanatel.com.gh): 951 times
>     200.155.177.18 (200-155-177-18.static.spo.ifx.net.br): 6 times
>     210.114.220.100: 17 times

You'll get these no matter what you do--I see them all the time on my
"server" machine that is directly attached to my Road Runner modem. They
failed to log in and that's good. It's harmless as long as they are
denied access.

>  Users logging in through sshd:
>     root:
>        69.42.69.18 (premierhostonline.com): 2 times

If you're sure this isn't you or someone you know and trust then this is
bad and you might have been compromised. Look at log files for possible
tracks this person left behind, although because they got root they
possibly could have covered their tracks. I'm sure you can find better
advice than I could give you on searching for rootkits and the like on
the Web. Here's some basic stuff to look at:

1) processes that are listening on strange ports (do 'netstat -ltup' as
root)
2) processes that might not belong ('pstree' can help, so can 'ps aux')
3) files, especially executables, and directories that are out of place
4) new users and groups in /etc/passwd and /etc/group

Additionally you might look in the 'whois' database for that IP address
and investigate reporting this incident to the relevant 'abuse' handle.

-- 
Andrew Barr | http://www.oakcourt.dyndns.org/~andrew/

All parts should go together without forcing. You must remember that
the parts you are reassembling were disassembled by you. Therefore, if
you can't get them together again, there must be a reason. By all
means, do not use a hammer.
  -- IBM maintenance manual (1925)
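An added example, not part of the original thread: a small Python check that reads the SSHD section of a Logwatch report like the one quoted above and flags the successful logins worth a close look (root over ssh, or a source that had already been failing against the host before it got in). The sample report is constructed from the figures in the quoted message; the `nate` entry from 192.0.2.10 is an invented control case.

```python
"""Correlate Logwatch's SSHD section: failed/illegal sources vs. successful logins."""
import re
from collections import defaultdict

# Constructed sample, modelled on the SSHD section of the quoted Logwatch report.
SAMPLE_REPORT = """\
 Failed logins from:
    66.111.51.160 (unknown.sagonet.net): 4 times
    69.42.69.18 (premierhostonline.com): 2 times
    80.87.64.115 (nms.ghanatel.com.gh): 2 times

 Illegal users from:
    66.111.51.160 (unknown.sagonet.net): 34 times
    80.87.64.115 (nms.ghanatel.com.gh): 951 times

 Users logging in through sshd:
    root:
       69.42.69.18 (premierhostonline.com): 2 times
    nate:
       192.0.2.10: 1 times
"""

SECTIONS = ("Failed logins from:", "Illegal users from:", "Users logging in through sshd:")
# "   1.2.3.4 (optional.hostname): N times" / "N Time(s)"
ENTRY = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})(?:\s+\([^)]*\))?:\s+(\d+) [Tt]ime")

def parse_sshd_section(text):
    """Return ({ip: failed+illegal count}, {user: {ip: successful logins}})."""
    failed, logins = defaultdict(int), defaultdict(dict)
    section = user = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped in SECTIONS:
            section, user = stripped, None
            continue
        m = ENTRY.match(line)
        if m:
            ip, count = m.group(1), int(m.group(2))
            if section == SECTIONS[2]:
                logins[user][ip] = logins[user].get(ip, 0) + count
            elif section:
                failed[ip] += count
        elif section == SECTIONS[2] and stripped.endswith(":"):
            user = stripped[:-1]  # per-user sub-heading, e.g. "root:"
    return dict(failed), dict(logins)

def suspicious_logins(text):
    """List (user, ip, count, reason) for logins that merit investigation."""
    failed, logins = parse_sshd_section(text)
    findings = []
    for user, sources in logins.items():
        for ip, count in sources.items():
            reasons = []
            if user == "root":
                reasons.append("root login over ssh")
            if ip in failed:  # brute force followed by success from the same source
                reasons.append(f"{failed[ip]} earlier failures from same source")
            if reasons:
                findings.append((user, ip, count, "; ".join(reasons)))
    return findings
```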