[ltp] Help with reading logs - Fedora Core 5, possible break-in attempts
James House
linux-thinkpad@linux-thinkpad.org
Sun, 27 Aug 2006 02:56:09 -0500
You might also try denyhosts.
http://denyhosts.sourceforge.net/
You can install it in Fedora Core with yum, like this:
yum -y install denyhosts
Another package you might want to check out is chkrootkit.
http://www.chkrootkit.org/
You can also install it in Fedora Core with yum, like this:
yum -y install chkrootkit
I hope this helps.
James House
On Wed, 2006-08-23 at 12:39 -0400, Nate wrote:
> Hello list,
>
> I've been getting logwatches forwarded to my e-mail address. However I'm
> not an expert but some scary things seem to be going on. At least today
> the log, for the first time, said that a possible break-in attempt
> occurred. Well, I already guessed that since I was getting many login
> attempts at lots of different usernames. The log is at the bottom of my
> message.
>
> A couple things:
> What is user beagleindex? Googling this word is not sufficient, nor does
> man -k.
> It looks like someone was actually successful in logging in as root! Am
> I right?
> Also, sshd was stopped and started. Would the system have done this for
> any reason?
>
> I turned the firewall on, so no one can logon remotely. But I do need to
> use scp transfers occasionally. Can anyone suggest some good
> security-minded tutorials, websites, or steps that I should take next?
>
> Thanks,
> Nathan
>
> ################### Logwatch 7.2.1 (01/18/06) ####################
> Processing Initiated: Wed Aug 23 04:02:31 2006
> Date Range Processed: yesterday
> ( 2006-Aug-22 )
> Period is day.
> Detail Level of Output: 0
> Type of Output: unformatted
> Logfiles for Host: blackbox
> ##################################################################
>
> --------------------- pam_unix Begin ------------------------
>
> sshd:
> Authentication Failures:
> unknown (66.111.51.160): 17 Time(s)
> daemon (66.111.51.160): 1 Time(s)
> root (66.111.51.160): 1 Time(s)
> root (premierhostonline.com): 1 Time(s)
> Invalid Users:
> Unknown Account: 17 Time(s)
>
> su:
> Sessions Opened:
> (uid=0) -> beagleindex: 2 Time(s)
> (uid=0) -> nate: 2 Time(s)
> (uid=500) -> root: 1 Time(s)
> nate(uid=500) -> root: 1 Time(s)
>
>
> ---------------------- pam_unix End -------------------------
>
>
> --------------------- SSHD Begin ------------------------
>
>
> SSHD Killed: 1 Time(s)
>
> SSHD Started: 1 Time(s)
>
> Failed logins from:
> 66.111.51.160 (unknown.sagonet.net): 4 times
> 69.42.69.18 (premierhostonline.com): 2 times
> 80.87.64.115 (nms.ghanatel.com.gh): 2 times
> 200.155.177.18 (200-155-177-18.static.spo.ifx.net.br): 3 times
>
> Illegal users from:
> 66.111.51.160 (unknown.sagonet.net): 34 times
> 80.87.64.115 (nms.ghanatel.com.gh): 951 times
> 200.155.177.18 (200-155-177-18.static.spo.ifx.net.br): 6 times
> 210.114.220.100: 17 times
>
> Users logging in through sshd:
> root:
> 69.42.69.18 (premierhostonline.com): 2 times
>
>
> Received disconnect:
> 11: Bye Bye : 981 Time(s)
>
> Could not get shadow information for:
> NOUSER : 17 Time(s)
>
> **Unmatched Entries**
> pam_succeed_if(sshd:auth): error retrieving information about user library : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user mysql : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user protector : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user appserver : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user test : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user tester : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user webmaster : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user admin : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user oracle : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user windowserver : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user guest : 1 time(s)
> syslogin_perform_logout: logout() returned an error : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user delta : 1 time(s)
> reverse mapping checking getaddrinfo for unknown.sagonet.net failed - POSSIBLE BREAK-IN ATTEMPT! : 19 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user testing : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user master : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user skylyn : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user masters : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user academy : 1 time(s)
>
> ---------------------- SSHD End -------------------------
>
>
> --------------------- Sudo (secure-log) Begin ------------------------
>
> ==============================================================================
> nate => root
> ------------------------------------------------------------------------------
> /bin/vi default.conf/logwatch.conf
>
> ---------------------- Sudo (secure-log) End -------------------------
>
>
> --------------------- Disk Space Begin ------------------------
>
> Filesystem Size Used Avail Use% Mounted on
> /dev/mapper/VolGroup00-LogVol00 7.5G 6.0G 1.1G 85% /
> /dev/sda1 230G 172G 46G 79% /mnt/usb1a
> /dev/hda1 29G 15G 14G 53% /mnt/hda1
> /dev/hda2 99M 14M 80M 15% /boot
>
>
> ---------------------- Disk Space End -------------------------
>
>
> ###################### Logwatch End #########################
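The logwatch report above is already a summary, but the questions Nate asks (who is hammering sshd, which usernames were tried, did anyone actually get in as root) are easier to answer from the raw `/var/log/secure` lines, and that is also what denyhosts reads to decide which sources to block. The following script is an added example written for this page; it is not from James, Nate, or the denyhosts or chkrootkit projects. It assumes the `Failed password` / `Accepted` / `Invalid user` / `reverse mapping` line formats that OpenSSH of that era wrote to syslog; the sample log lines are constructed, and the host names, addresses, `threshold` value and `trusted_sources` list are placeholders chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of Fedora Core 5's /var/log/secure.
# Addresses and hostnames here are illustrative, not taken from the post.
SAMPLE_SECURE_LOG = """\
Aug 22 03:14:01 blackbox sshd[4711]: Invalid user oracle from 80.87.64.115
Aug 22 03:14:01 blackbox sshd[4711]: Failed password for invalid user oracle from 80.87.64.115 port 51522 ssh2
Aug 22 03:14:03 blackbox sshd[4713]: Invalid user test from 80.87.64.115
Aug 22 03:14:03 blackbox sshd[4713]: Failed password for invalid user test from 80.87.64.115 port 51530 ssh2
Aug 22 03:14:05 blackbox sshd[4715]: Failed password for root from 80.87.64.115 port 51540 ssh2
Aug 22 03:14:07 blackbox sshd[4717]: Failed password for root from 80.87.64.115 port 51541 ssh2
Aug 22 03:14:09 blackbox sshd[4719]: Failed password for root from 80.87.64.115 port 51542 ssh2
Aug 22 03:20:11 blackbox sshd[4801]: reverse mapping checking getaddrinfo for unknown.sagonet.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 22 03:20:12 blackbox sshd[4801]: Failed password for root from 66.111.51.160 port 40012 ssh2
Aug 22 09:41:50 blackbox sshd[5120]: Accepted password for root from 69.42.69.18 port 3344 ssh2
Aug 22 18:02:15 blackbox sshd[6002]: Accepted publickey for nate from 192.168.1.20 port 50122 ssh2
"""

# Patterns for the sshd messages that matter for triage.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port \d+")
INVALID_RE = re.compile(r"Invalid user (\S+) from (\S+)")
REVDNS_RE = re.compile(r"reverse mapping checking getaddrinfo for (\S+) failed")


def summarize(log_text, threshold=5, trusted_sources=()):
    """Digest sshd lines into the counts an admin wants when reading logwatch.

    threshold       - failed attempts from one source before it is listed as a
                      block candidate (denyhosts applies a similar per-host limit).
    trusted_sources - addresses you expect to log in from; any accepted login
                      from elsewhere, or any accepted login as root, is flagged.
    """
    failed = Counter()                 # source address -> failed password count
    invalid_users = defaultdict(set)   # source address -> usernames that do not exist
    rev_dns = Counter()                # hostnames whose reverse DNS did not match
    accepted = []                      # (user, auth method, source) for each success

    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            failed[m.group(2)] += 1
        elif m := ACCEPTED_RE.search(line):
            accepted.append((m.group(2), m.group(1), m.group(3)))
        elif m := INVALID_RE.search(line):
            invalid_users[m.group(2)].add(m.group(1))
        elif m := REVDNS_RE.search(line):
            rev_dns[m.group(1)] += 1

    suspicious = [
        entry for entry in accepted
        if entry[0] == "root" or entry[2] not in trusted_sources
    ]
    return {
        "failed_per_source": failed,
        "invalid_users": {src: sorted(users) for src, users in invalid_users.items()},
        "reverse_dns_failures": rev_dns,
        "accepted": accepted,
        "suspicious_accepted": suspicious,
        "block_candidates": sorted(src for src, n in failed.items() if n >= threshold),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_SECURE_LOG, threshold=5, trusted_sources=("192.168.1.20",))
    print("Failed logins per source:")
    for src, n in report["failed_per_source"].most_common():
        print(f"  {src}: {n}")
    print("Non-existent usernames tried:")
    for src, users in report["invalid_users"].items():
        print(f"  {src}: {', '.join(users)}")
    print("Sources at or over the block threshold:", report["block_candidates"])
    print("Accepted logins needing a second look:")
    for user, method, src in report["suspicious_accepted"]:
        print(f"  {user} via {method} from {src}")
```

Run it against the real file with `python3 sshtriage.py` after replacing `SAMPLE_SECURE_LOG` with `open("/var/log/secure").read()` (root access is needed to read that file). The `suspicious_accepted` list is the one to read first: an accepted password login as root from an address you do not recognise, which is what the quoted logwatch section "Users logging in through sshd: root:" reports, means the host should be treated as compromised rather than merely probed, which is where chkrootkit comes in. The `block_candidates` list is what a denyhosts-style tool would write to `/etc/hosts.deny`; the script itself only reports.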