On Thu, Feb 12, 2009 at 12:57:21AM -0500, Norman Bird wrote:
> I decided to check the auth.log and started freaking out because I saw a lot
> of POSSIBLE BREAK-IN lines. Then I saw root logging in so I was panicking.
> But as I really reviewed them it seems that the actual root logins were by
> CRON and the nobody logins were system related. Please look this over and
> give any advice and particularly what should I do.
>
> Somewhere online said I should "boot with a root kit checker", feel free to
> advise on this.
>
> I do need to log in via putty via ssh a lot so I can't totally disable it. I
> will beef up my password now and maybe change the port, but I need input on
> that please, or a good site.
>
> Thanks
>
> Norm
>
> Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session opened for user root by (uid=0)
> Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session closed for user root
> Feb 11 03:39:01 localhost CRON[29601]: (pam_unix) session closed for user root

These above are syslog messages from cron, telling you root logged in, well, more like cron changed userid to root to run something.

> Feb 11 03:53:33 localhost sshd[29969]: Did not receive identification string from 66.212.18.86
> Feb 11 03:55:20 localhost sshd[30015]: reverse mapping checking getaddrinfo for alpha57.wqpax.net failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 11 03:55:20 localhost sshd[30015]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.212.18.86 user=root
> Feb 11 03:55:22 localhost sshd[30015]: Failed password for root from 66.212.18.86 port 41396 ssh2
> Feb 11 03:55:23 localhost sshd[30019]: reverse mapping checking getaddrinfo for alpha57.wqpax.net failed - POSSIBLE BREAK-IN ATTEMPT!

rhost=66.212.18.86: this is ssh complaining about an incorrect password being supplied. I presume you do not allow password authentication for root!

This is some script kiddie or mutant pc trying a brute-force attack against your sshd server, try fail2ban.

> then there is this, but it looks system related i think:
>
> [snip]
> Feb 11 07:35:05 localhost su[3921]: Successful su for nobody by root
> Feb 11 07:35:05 localhost su[3921]: + ??? root:nobody
> Feb 11 07:35:05 localhost su[3921]: (pam_unix) session opened for user nobody by (uid=0)
> Feb 11 07:35:05 localhost su[3921]: (pam_unix) session closed for user nobody
> Feb 11 07:35:05 localhost su[3924]: Successful su for nobody by root
> Feb 11 07:35:05 localhost su[3924]: + ??? root:nobody
> Feb 11 07:35:05 localhost su[3924]: (pam_unix) session opened for user nobody by (uid=0)
> Feb 11 07:35:05 localhost su[3924]: (pam_unix) session closed for user nobody
> Feb 11 07:35:06 localhost su[3926]: Successful su for nobody by root
> Feb 11 07:35:06 localhost su[3926]: + ??? root:nobody
> Feb 11 07:35:06 localhost su[3926]: (pam_unix) session opened for user nobody by (uid=0)
> Feb 11 07:36:26 localhost su[3926]: (pam_unix) session closed for user nobody

Looks to me like a process running as root su'ed from root to nobody.

[snip]

> Is there another log that would show a definite successful breakin?
>
> thanks
>
> Norm

Apart from the brute force attack nothing really to worry about.

-- 
I never vote for anyone. I always vote against. -- W. C. Fields
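The triage the reply walks through (cron's pam_unix sessions are a uid switch, su root->nobody is a root process dropping privileges, and the sshd "Failed password" lines from one rhost are the brute-force attempt) can be scripted so the distinction is mechanical. The following is an added example, not code from the original mail or from fail2ban: it parses auth.log lines, labels each one, and counts "Failed password" events per remote host, which is the condition fail2ban bans on. The sample lines are copied from the thread, except for two extra "Failed password" lines, the "invalid user admin" line and the "Accepted password" line (a constructed login from the documentation address 192.0.2.10), which are constructed to show what a completed login looks like in the same log; the threshold of 3 is likewise an assumption.

```python
import re
from collections import Counter

# Standard syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Lines from the thread plus constructed extras (two more failures, one
# "invalid user" attempt, one accepted login from 192.0.2.10).
SAMPLE_LOG = """\
Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session opened for user root by (uid=0)
Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session closed for user root
Feb 11 03:53:33 localhost sshd[29969]: Did not receive identification string from 66.212.18.86
Feb 11 03:55:20 localhost sshd[30015]: reverse mapping checking getaddrinfo for alpha57.wqpax.net failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 11 03:55:20 localhost sshd[30015]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.212.18.86 user=root
Feb 11 03:55:22 localhost sshd[30015]: Failed password for root from 66.212.18.86 port 41396 ssh2
Feb 11 03:55:27 localhost sshd[30019]: Failed password for root from 66.212.18.86 port 41402 ssh2
Feb 11 03:55:31 localhost sshd[30023]: Failed password for invalid user admin from 66.212.18.86 port 41410 ssh2
Feb 11 07:35:05 localhost su[3921]: Successful su for nobody by root
Feb 11 07:35:05 localhost su[3921]: + ??? root:nobody
Feb 11 07:35:05 localhost su[3921]: (pam_unix) session opened for user nobody by (uid=0)
Feb 11 09:12:40 localhost sshd[31000]: Accepted password for norm from 192.0.2.10 port 50000 ssh2
"""


def classify(line):
    """Return (kind, detail) for one auth.log line; detail is a tuple or None."""
    m = LINE_RE.match(line)
    if not m:
        return ("unparsed", None)
    prog, msg = m.group("prog"), m.group("msg")
    if prog == "CRON" and "(pam_unix) session" in msg:
        # cron switching uid to run a job: the "root login" that caused the alarm
        return ("cron_session", None)
    if prog == "su":
        mm = re.search(r"Successful su for (\S+) by (\S+)", msg)
        # detail is (from_user, to_user), e.g. ("root", "nobody")
        return ("su", (mm.group(2), mm.group(1)) if mm else None)
    if prog == "sshd":
        if "POSSIBLE BREAK-IN ATTEMPT" in msg:
            # client's reverse DNS did not match; noisy, but it is not a login
            return ("ssh_reverse_dns_mismatch", None)
        mm = re.search(r"Failed password for (?:invalid user )?(\S+) from (\S+) port", msg)
        if mm:
            return ("ssh_failed_password", (mm.group(1), mm.group(2)))
        mm = re.search(r"Accepted (\w+) for (\S+) from (\S+) port", msg)
        if mm:
            # the one sshd line that records a completed login (user, host, method)
            return ("ssh_accepted", (mm.group(2), mm.group(3), mm.group(1)))
        mm = re.search(r"rhost=(\S+) user=(\S+)", msg)
        if mm:
            return ("ssh_pam_auth_failure", (mm.group(2), mm.group(1)))
        if "Did not receive identification string" in msg:
            return ("ssh_no_ident", None)
    return ("other", None)


def summarize(log_text, threshold=3):
    """Count event kinds and flag hosts with >= threshold failed passwords."""
    kinds, failed = Counter(), Counter()
    accepted, su_events = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind, detail = classify(line)
        kinds[kind] += 1
        if kind == "ssh_failed_password":
            failed[detail[1]] += 1
        elif kind == "ssh_accepted":
            accepted.append(detail)
        elif kind == "su" and detail:
            su_events.append(detail)
    return {
        "kinds": dict(kinds),
        "failed_by_host": dict(failed),
        "brute_force_hosts": sorted(h for h, n in failed.items() if n >= threshold),
        "accepted_logins": accepted,   # what a real successful login looks like
        "su_events": su_events,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The "accepted_logins" list answers the "is there another log that would show a definite successful breakin" question: sshd writes "Accepted password for ..." (or "Accepted publickey for ...") to the same auth.log, so an unexpected entry there, rather than the cron or su sessions, is what to look for. The per-host failure count is the same signal fail2ban uses; with PermitRootLogin set to no in sshd_config the root attempts above cannot succeed regardless of the password.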