Don't forget to check for a rootkit, or to be even safer, just reinstall the OS from scratch and the data from a backup.

There is a chkrootkit and a rkhunter, I believe, that will check for rootkits.

Vern

Rob Ludwick wrote:
> Jon,
>
> 92.55.82.121 is listed in Dshield.org database, as an attacker 3 times.
> Possibly from Macedonia.
>
> 62.162.164.116 is in a block assigned to Macedonia, it appears 0 times
> in the Dshield.org database.
>
> Considering that both came from Macedonia, one with a hit on Dshield, I
> would say that yes. It's safe to assume you've been hacked.
>
> If you've noticed, there may have been a lot of activity on port 22,
> with a lot of rejections on the same IP within maybe a span of 30
> minutes. Then there's another IP address that scans the next day with
> another set of usernames and passwords. That's been pretty standard for
> about 2 or 3 years now.
>
> So I would figure out if they had any access to boxes on that network as
> well. Putting nologin in /etc/passwd is good, but they may have been
> going on for a while, and that may not be their only avenue of entry.
>
> And when you determine the list of boxes they had entered on your
> network, reformat them and put a fresh install of software on.
>
> And if you did any banking with those boxes, it would be wise to change
> account passwords. As well as any other account you consider
> confidential that you accessed from those machines.
>
> --R
>
> On Sun, 2008-08-03 at 11:20 -0400, Jon wrote:
>> In the last few weeks I poked a hole through my router to SSH into my
>> box at home from the road.
>>
>> I was just scrounging thru the auth.log with `grep 'Accepted password
>> for' ./auth.log* | less`
>>
>> And got this:
>>
>> ./auth.log.0:Jul 28 12:03:39 nichtscheissen sshd[24906]: Accepted password for jon from 216.155.176.39 port 5873 ssh2
>> ./auth.log.0:Jul 28 13:04:40 nichtscheissen sshd[25857]: Accepted password for jon from 216.155.176.39 port 4689 ssh2
>> ./auth.log.0:Jul 28 21:41:34 nichtscheissen sshd[1839]: Accepted password for jon from 192.168.1.104 port 40752 ssh2
>> ./auth.log.0:Jul 28 21:43:27 nichtscheissen sshd[2138]: Accepted password for jon from 192.168.1.104 port 40755 ssh2
>> ./auth.log.0:Jul 28 21:44:07 nichtscheissen sshd[2155]: Accepted password for jon from 192.168.1.104 port 40757 ssh2
>> ./auth.log.0:Jul 28 22:01:27 nichtscheissen sshd[2440]: Accepted password for jon from 192.168.1.104 port 43941 ssh2
>> ./auth.log.0:Jul 28 22:01:50 nichtscheissen sshd[2452]: Accepted password for jon from 192.168.1.104 port 43942 ssh2
>> ./auth.log.0:Jul 28 22:09:36 nichtscheissen sshd[2726]: Accepted password for jon from 192.168.1.104 port 46126 ssh2
>> ./auth.log.0:Jul 29 21:17:35 nichtscheissen sshd[18658]: Accepted password for jon from 192.168.1.104 port 42032 ssh2
>> ./auth.log.0:Jul 31 08:34:03 nichtscheissen sshd[26223]: Accepted password for jon from 216.155.176.39 port 21045 ssh2
>> ./auth.log.0:Jul 31 08:34:09 nichtscheissen sshd[26227]: Accepted password for jon from 216.155.176.39 port 21283 ssh2
>> ./auth.log.0:Jul 31 08:38:42 nichtscheissen sshd[26243]: Accepted password for jon from 216.155.176.39 port 20307 ssh2
>> ./auth.log.0:Jul 31 08:39:21 nichtscheissen sshd[26257]: Accepted password for jon from 216.155.176.39 port 20229 ssh2
>> ./auth.log.0:Jul 31 08:39:44 nichtscheissen sshd[26262]: Accepted password for jon from 216.155.176.39 port 17171 ssh2
>> ./auth.log.0:Jul 31 18:13:22 nichtscheissen sshd[6258]: Accepted password for postgres from port 63075 ssh2
>> ./auth.log.0:Aug 1 03:20:35 nichtscheissen sshd[11115]: Accepted password for postgres from 62.162.164.116 port 1283 ssh2
>> ./auth.log.0:Aug 1 03:31:04 nichtscheissen sshd[11368]: Accepted password for postgres from 62.162.164.116 port 1685 ssh2
>> ./auth.log.0:Aug 1 11:04:02 nichtscheissen sshd[18404]: Accepted password for postgres from 62.162.164.116 port 3262 ssh2
>> ./auth.log.0:Aug 1 13:41:06 nichtscheissen sshd[20845]: Accepted password for postgres from 92.55.82.121 port 64237 ssh2
>>
>> The logins for me from the 216 address are kosher. That's me from work.
>>
>> It's the logins for postgres that concern me.
>>
>> What I've done so far is changed the postgres user's shell
>> to /usr/sbin/nologin.
>>
>> Any ideas what's going on here? How concerned should I be about these
>> successful logins?
>>
>
>
> _______________________________________________
> Fwlug mailing list
> [email protected]
> http://fortwaynelug.org/mailman/listinfo/fwlug_fortwaynelug.org

-- 
This time for sure!
-Bullwinkle J. Moose
-----------------------------
Vern Ceder, Director of Technology
Canterbury School, 3210 Smith Road, Ft Wayne, IN 46804
[EMAIL PROTECTED]; 260-436-0746; FAX: 260-436-5137
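Jon's `grep 'Accepted password for'` shows every successful login but leaves the reader to eyeball which ones are odd, and Rob's point is that the tell-tale pattern is a burst of rejections from one address followed by a success. The script below is an added example, not code from the thread or from any of its participants: it parses sshd "Accepted/Failed password" lines (with or without the `./auth.log.0:` prefix grep adds) and flags an accepted login when the account is not one you expect to log in remotely, the source address is outside your trusted networks, or the same address produced a burst of failures shortly before. The `Accepted` sample lines are copied from Jon's post; the `Failed` lines are constructed here to illustrate the burst-then-success pattern and are not from his log. The expected-user set, the trusted networks, the 30-minute window, the failure threshold and the year 2008 (syslog timestamps carry no year) are all assumptions for the example.

```python
"""Audit sshd password-auth lines for accepted logins that deserve a second look."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. "Accepted" lines are copied from the thread; the "Failed"
# lines are made up here to show a guess-then-succeed burst (not real log data).
SAMPLE_LOG = """\
./auth.log.0:Jul 28 12:03:39 nichtscheissen sshd[24906]: Accepted password for jon from 216.155.176.39 port 5873 ssh2
./auth.log.0:Jul 28 21:41:34 nichtscheissen sshd[1839]: Accepted password for jon from 192.168.1.104 port 40752 ssh2
Jul 31 12:00:01 nichtscheissen sshd[5001]: Failed password for root from 92.55.82.121 port 3001 ssh2
Jul 31 12:00:05 nichtscheissen sshd[5003]: Failed password for invalid user admin from 92.55.82.121 port 3002 ssh2
Jul 31 12:00:09 nichtscheissen sshd[5005]: Failed password for postgres from 92.55.82.121 port 3003 ssh2
Aug  1 03:05:12 nichtscheissen sshd[11001]: Failed password for invalid user admin from 62.162.164.116 port 1201 ssh2
Aug  1 03:05:16 nichtscheissen sshd[11003]: Failed password for postgres from 62.162.164.116 port 1204 ssh2
Aug  1 03:05:21 nichtscheissen sshd[11005]: Failed password for postgres from 62.162.164.116 port 1207 ssh2
./auth.log.0:Aug 1 03:20:35 nichtscheissen sshd[11115]: Accepted password for postgres from 62.162.164.116 port 1283 ssh2
./auth.log.0:Aug 1 13:41:06 nichtscheissen sshd[20845]: Accepted password for postgres from 92.55.82.121 port 64237 ssh2
"""

# Optional grep filename prefix, syslog timestamp, host, sshd pid, then the
# "Accepted|Failed password for [invalid user] USER from IP port N ssh2" tail.
LINE_RE = re.compile(
    r"^(?:[\w./-]+:)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_sshd_line(line, year=2008):
    """Return {ts, result, user, ip} for a password-auth line, else None.

    Syslog timestamps have no year, so one is supplied (assumed 2008 here,
    the year of the thread) to make timestamps comparable.
    """
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def audit_accepted_logins(log_text, expected_users, trusted_nets, year=2008,
                          fail_threshold=3, window=timedelta(minutes=30)):
    """Flag accepted logins that are for an unexpected account, come from
    outside the trusted networks, or follow >= fail_threshold failures from
    the same address within `window` (the burst-then-success pattern).
    Lines are assumed to be in chronological order, as in a real log.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    failures = defaultdict(list)  # source ip -> timestamps of failed attempts
    findings = []
    for raw in log_text.splitlines():
        ev = parse_sshd_line(raw, year)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
            continue
        reasons = []
        if ev["user"] not in expected_users:
            reasons.append("unexpected-account")
        addr = ipaddress.ip_address(ev["ip"])
        if not any(addr in net for net in trusted):
            reasons.append("untrusted-source")
        recent = [t for t in failures[ev["ip"]]
                  if timedelta(0) <= ev["ts"] - t <= window]
        if len(recent) >= fail_threshold:
            reasons.append("brute-force-precursor")
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"],
                             "ip": ev["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Assumed policy: only "jon" logs in remotely, from the LAN or the work address.
    for f in audit_accepted_logins(SAMPLE_LOG, {"jon"},
                                   ["192.168.1.0/24", "216.155.176.39/32"]):
        print(f"{f['ts']:%b %d %H:%M:%S} {f['user']}@{f['ip']}: {', '.join(f['reasons'])}")
```

On the sample the two `jon` logins pass, the `postgres` login from 62.162.164.116 is flagged on all three counts because the constructed failures sit 15 minutes before it, and the one from 92.55.82.121 is flagged only for account and source, since its failures fall outside the 30-minute window. Run it against `./auth.log*` after tuning the expected-user set and trusted networks to your own box.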
