[fwlug] Interpreting my auth.log, have I been compromised?

Jon Sun, 03 Aug 2008 08:21:54 -0700

In the last few weeks I poked a hole through my router to SSH into my
box at home from the road.


I was just scrounging thru the auth.log with `grep 'Accepted password
for' ./auth.log* | less`

And got this:

./auth.log.0:Jul 28 12:03:39 nichtscheissen sshd[24906]: Accepted
password for jon from 216.155.176.39 port 5873 ssh2
./auth.log.0:Jul 28 13:04:40 nichtscheissen sshd[25857]: Accepted
password for jon from 216.155.176.39 port 4689 ssh2
./auth.log.0:Jul 28 21:41:34 nichtscheissen sshd[1839]: Accepted
password for jon from 192.168.1.104 port 40752 ssh2
./auth.log.0:Jul 28 21:43:27 nichtscheissen sshd[2138]: Accepted
password for jon from 192.168.1.104 port 40755 ssh2
./auth.log.0:Jul 28 21:44:07 nichtscheissen sshd[2155]: Accepted
password for jon from 192.168.1.104 port 40757 ssh2
./auth.log.0:Jul 28 22:01:27 nichtscheissen sshd[2440]: Accepted
password for jon from 192.168.1.104 port 43941 ssh2
./auth.log.0:Jul 28 22:01:50 nichtscheissen sshd[2452]: Accepted
password for jon from 192.168.1.104 port 43942 ssh2
./auth.log.0:Jul 28 22:09:36 nichtscheissen sshd[2726]: Accepted
password for jon from 192.168.1.104 port 46126 ssh2
./auth.log.0:Jul 29 21:17:35 nichtscheissen sshd[18658]: Accepted
password for jon from 192.168.1.104 port 42032 ssh2
./auth.log.0:Jul 31 08:34:03 nichtscheissen sshd[26223]: Accepted
password for jon from 216.155.176.39 port 21045 ssh2
./auth.log.0:Jul 31 08:34:09 nichtscheissen sshd[26227]: Accepted
password for jon from 216.155.176.39 port 21283 ssh2
./auth.log.0:Jul 31 08:38:42 nichtscheissen sshd[26243]: Accepted
password for jon from 216.155.176.39 port 20307 ssh2
./auth.log.0:Jul 31 08:39:21 nichtscheissen sshd[26257]: Accepted
password for jon from 216.155.176.39 port 20229 ssh2
./auth.log.0:Jul 31 08:39:44 nichtscheissen sshd[26262]: Accepted
password for jon from 216.155.176.39 port 17171 ssh2
./auth.log.0:Jul 31 18:13:22 nichtscheissen sshd[6258]: Accepted
password for postgres from 92.55.82.121 port 63075 ssh2
./auth.log.0:Aug  1 03:20:35 nichtscheissen sshd[11115]: Accepted
password for postgres from 62.162.164.116 port 1283 ssh2
./auth.log.0:Aug  1 03:31:04 nichtscheissen sshd[11368]: Accepted
password for postgres from 62.162.164.116 port 1685 ssh2
./auth.log.0:Aug  1 11:04:02 nichtscheissen sshd[18404]: Accepted
password for postgres from 62.162.164.116 port 3262 ssh2
./auth.log.0:Aug  1 13:41:06 nichtscheissen sshd[20845]: Accepted
password for postgres from 92.55.82.121 port 64237 ssh2

The logins for me from the 216 address are kosher. Thats me from work.

Its the logins for postgres that concern me.

What I've done so far is changed the postgres users shell
to /usr/sbin/nologin.

Any ideas whats going on here? How concerned should I be about these
successful logins?

-- 
--
Jon Bartels
[EMAIL PROTECTED]


_______________________________________________
Fwlug mailing list
[email protected]
http://fortwaynelug.org/mailman/listinfo/fwlug_fortwaynelug.org

[fwlug] Interpreting my auth.log, have I been compromised?

Reply via email to