[ltp] Help with reading logs - Fedora Core 5, possible break-in attempts
Nate
linux-thinkpad@linux-thinkpad.org
Wed, 23 Aug 2006 12:39:15 -0400
Hello list,
I've been getting logwatches forwarded to my e-mail address. However, I'm
not an expert, but some scary things seem to be going on. At least today
the log, for the first time, said that a possible break-in attempt
occurred. Well, I already guessed that, since I was getting many login
attempts at lots of different usernames. The log is at the bottom of my
message.
A couple of things:
What is user beagleindex? Googling this word is not sufficient, nor is
man -k.
It looks like someone was actually successful in logging in as root! Am
I right?
Also, sshd was stopped and started. Would the system have done this for
any reason?
I turned the firewall on, so no one can log on remotely. But I do need to
use scp transfers occasionally. Can anyone suggest some good
security-minded tutorials, websites, or steps that I should take next?
Thanks,
Nathan
################### Logwatch 7.2.1 (01/18/06) ####################
Processing Initiated: Wed Aug 23 04:02:31 2006
Date Range Processed: yesterday
( 2006-Aug-22 )
Period is day.
Detail Level of Output: 0
Type of Output: unformatted
Logfiles for Host: blackbox
##################################################################
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
unknown (66.111.51.160): 17 Time(s)
daemon (66.111.51.160): 1 Time(s)
root (66.111.51.160): 1 Time(s)
root (premierhostonline.com): 1 Time(s)
Invalid Users:
Unknown Account: 17 Time(s)
su:
Sessions Opened:
(uid=0) -> beagleindex: 2 Time(s)
(uid=0) -> nate: 2 Time(s)
(uid=500) -> root: 1 Time(s)
nate(uid=500) -> root: 1 Time(s)
---------------------- pam_unix End -------------------------
--------------------- SSHD Begin ------------------------
SSHD Killed: 1 Time(s)
SSHD Started: 1 Time(s)
Failed logins from:
66.111.51.160 (unknown.sagonet.net): 4 times
69.42.69.18 (premierhostonline.com): 2 times
80.87.64.115 (nms.ghanatel.com.gh): 2 times
200.155.177.18 (200-155-177-18.static.spo.ifx.net.br): 3 times
Illegal users from:
66.111.51.160 (unknown.sagonet.net): 34 times
80.87.64.115 (nms.ghanatel.com.gh): 951 times
200.155.177.18 (200-155-177-18.static.spo.ifx.net.br): 6 times
210.114.220.100: 17 times
Users logging in through sshd:
root:
69.42.69.18 (premierhostonline.com): 2 times
Received disconnect:
11: Bye Bye : 981 Time(s)
Could not get shadow information for:
NOUSER : 17 Time(s)
**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user library : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user mysql : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user protector : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user appserver : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user test : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tester : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user webmaster : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user admin : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user oracle : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user windowserver : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user guest : 1 time(s)
syslogin_perform_logout: logout() returned an error : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user delta : 1 time(s)
reverse mapping checking getaddrinfo for unknown.sagonet.net failed - POSSIBLE BREAK-IN ATTEMPT! : 19 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user testing : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user master : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user skylyn : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user masters : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user academy : 1 time(s)
---------------------- SSHD End -------------------------
--------------------- Sudo (secure-log) Begin ------------------------
==============================================================================
nate => root
------------------------------------------------------------------------------
/bin/vi default.conf/logwatch.conf
---------------------- Sudo (secure-log) End -------------------------
--------------------- Disk Space Begin ------------------------
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00 7.5G 6.0G 1.1G 85% /
/dev/sda1 230G 172G 46G 79% /mnt/usb1a
/dev/hda1 29G 15G 14G 53% /mnt/hda1
/dev/hda2 99M 14M 80M 15% /boot
---------------------- Disk Space End -------------------------
###################### Logwatch End #########################
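As an added example (not part of Nate's post, and not code from logwatch itself): a small Python script that parses the "Failed logins from", "Illegal users from" and "Users logging in through sshd" sub-sections of a logwatch SSHD report, with the report quoted above pasted in as constructed input, and flags any host that both produced failed or illegal-user attempts and then shows up with a successful login. On this report it flags 69.42.69.18 logging in as root twice after two failed root attempts, which is the line worth checking against the raw sshd log. The section headings and line format are assumed to match logwatch 7.2.1's unformatted output as shown in the post.

```python
import re
from collections import defaultdict

# Constructed input: the SSHD section of the logwatch report quoted above, pasted here so the script runs offline.
LOGWATCH_SSHD = """\
Failed logins from:
   66.111.51.160 (unknown.sagonet.net): 4 times
   69.42.69.18 (premierhostonline.com): 2 times
   80.87.64.115 (nms.ghanatel.com.gh): 2 times
   200.155.177.18 (200-155-177-18.static.spo.ifx.net.br): 3 times
Illegal users from:
   66.111.51.160 (unknown.sagonet.net): 34 times
   80.87.64.115 (nms.ghanatel.com.gh): 951 times
   200.155.177.18 (200-155-177-18.static.spo.ifx.net.br): 6 times
   210.114.220.100: 17 times
Users logging in through sshd:
   root:
      69.42.69.18 (premierhostonline.com): 2 times
"""
SECTIONS = {"Failed logins from:": "failed", "Illegal users from:": "illegal",
            "Users logging in through sshd:": "logins"}
# Entry line: "<ip> (<reverse-dns name>): <n> times"; the parenthesised name is optional.
ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?: \([^)]*\))?: (\d+) times?$")

def parse_sshd_section(text):
    """Return {'failed': {ip: n}, 'illegal': {ip: n}, 'logins': {user: {ip: n}}}."""
    out = {"failed": {}, "illegal": {}, "logins": defaultdict(dict)}
    section = user = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section, user = SECTIONS[line], None
            continue
        m = ENTRY_RE.match(line)
        if section == "logins" and m is None and line.endswith(":") and " " not in line:
            user = line[:-1]              # a username heading such as "root:"
        elif m is None:
            section = None                # any other heading ends the section of interest
        elif section in ("failed", "illegal"):
            out[section][m.group(1)] = out[section].get(m.group(1), 0) + int(m.group(2))
        elif section == "logins" and user:
            out["logins"][user][m.group(1)] = int(m.group(2))
    out["logins"] = dict(out["logins"])
    return out

def suspicious_logins(parsed):
    """Successful logins from hosts that also had failed/illegal attempts, as (user, ip, logins, failed, illegal)."""
    noisy = set(parsed["failed"]) | set(parsed["illegal"])
    return [(user, ip, n, parsed["failed"].get(ip, 0), parsed["illegal"].get(ip, 0))
            for user, hosts in parsed["logins"].items()
            for ip, n in hosts.items() if ip in noisy]
```

Note that the "POSSIBLE BREAK-IN ATTEMPT!" line in the report is sshd's warning that the client's reverse DNS did not match its forward lookup, not evidence that anyone got in; the cross-reference above is what points at the entry that actually needs explaining.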