Damn it. Given a choice I would prefer to take the longer, slightly riskier route of repairing rather than reinstalling.
The only other machines on the network are my wife's Mac (how can I review logins on that?) and my throwaway laptop (will be rebuilt). What I'm expecting is that from the postgres account the user would have full access to anything running on postgres as well as whatever read access a normal user would have. The only "sensitive" operations I do on that machine are online banking, so I'll generate some new passwords at work and wipe out my keepass file at home.

On Sun, Aug 3, 2008 at 10:39 PM, Rob Ludwick <[EMAIL PROTECTED]> wrote:
> Yeah I agree and run the root kit detector from a bootable cdrom or usb
> key, using a known linux kernel that has not been corrupted.
>
> There are rootkits that hide the existence of themselves by loading a
> special kernel module that prevents root from seeing certain files,
> processes, and other things necessary to detect their presence.
>
> --R
>
> On Sun, 2008-08-03 at 22:09 -0400, Vern Ceder wrote:
> > Don't forget to check for a rootkit, or to be even safer, just reinstall
> > the OS from scratch and the data from a back up.
> >
> > There is a chkrootkit and a rkhunter, I believe, that will check for
> > rootkits.
> >
> > Vern
> >
> > Rob Ludwick wrote:
> > > Jon,
> > >
> > > 92.55.82.121 is listed in Dshield.org database, as an attacker 3 times.
> > > Possibly from Macedonia.
> > >
> > > 62.162.164.116 is in a block assigned to Macedonia, it appears 0 times
> > > in the Dshield.org database.
> > >
> > > Considering that both came from Macedonia, one with a hit on Dshield, I
> > > would say that yes. It's safe to assume you've been hacked.
> > >
> > > If you've noticed, there may have been a lot of activity on port 22,
> > > with a lot of rejections on the same IP within maybe a span of 30
> > > minutes. Then there's another IP address that scans the next day with
> > > another set of usernames and passwords. That's been pretty standard for
> > > about 2 or 3 years now.
> > >
> > > So I would figure out if they had any access to boxes on that network as
> > > well. Putting nologin in /etc/passwd is good, but they may have been
> > > going on for a while, and that may not be their only avenue of entry.
> > >
> > > And when you determine the list of boxes they had entered on your
> > > network, reformat them and put a fresh install of software on.
> > >
> > > And if you did any banking with those boxes, it would be wise to change
> > > account passwords. As well as any other account you consider
> > > confidential that you accessed from those machines.
> > >
> > > --R
> > >
> > > On Sun, 2008-08-03 at 11:20 -0400, Jon wrote:
> > >> In the last few weeks I poked a hole through my router to SSH into my
> > >> box at home from the road.
> > >>
> > >> I was just scrounging thru the auth.log with `grep 'Accepted password
> > >> for' ./auth.log* | less`
> > >>
> > >> And got this:
> > >>
> > >> ./auth.log.0:Jul 28 12:03:39 nichtscheissen sshd[24906]: Accepted password for jon from 216.155.176.39 port 5873 ssh2
> > >> ./auth.log.0:Jul 28 13:04:40 nichtscheissen sshd[25857]: Accepted password for jon from 216.155.176.39 port 4689 ssh2
> > >> ./auth.log.0:Jul 28 21:41:34 nichtscheissen sshd[1839]: Accepted password for jon from 192.168.1.104 port 40752 ssh2
> > >> ./auth.log.0:Jul 28 21:43:27 nichtscheissen sshd[2138]: Accepted password for jon from 192.168.1.104 port 40755 ssh2
> > >> ./auth.log.0:Jul 28 21:44:07 nichtscheissen sshd[2155]: Accepted password for jon from 192.168.1.104 port 40757 ssh2
> > >> ./auth.log.0:Jul 28 22:01:27 nichtscheissen sshd[2440]: Accepted password for jon from 192.168.1.104 port 43941 ssh2
> > >> ./auth.log.0:Jul 28 22:01:50 nichtscheissen sshd[2452]: Accepted password for jon from 192.168.1.104 port 43942 ssh2
> > >> ./auth.log.0:Jul 28 22:09:36 nichtscheissen sshd[2726]: Accepted password for jon from 192.168.1.104 port 46126 ssh2
> > >> ./auth.log.0:Jul 29 21:17:35 nichtscheissen sshd[18658]: Accepted password for jon from 192.168.1.104 port 42032 ssh2
> > >> ./auth.log.0:Jul 31 08:34:03 nichtscheissen sshd[26223]: Accepted password for jon from 216.155.176.39 port 21045 ssh2
> > >> ./auth.log.0:Jul 31 08:34:09 nichtscheissen sshd[26227]: Accepted password for jon from 216.155.176.39 port 21283 ssh2
> > >> ./auth.log.0:Jul 31 08:38:42 nichtscheissen sshd[26243]: Accepted password for jon from 216.155.176.39 port 20307 ssh2
> > >> ./auth.log.0:Jul 31 08:39:21 nichtscheissen sshd[26257]: Accepted password for jon from 216.155.176.39 port 20229 ssh2
> > >> ./auth.log.0:Jul 31 08:39:44 nichtscheissen sshd[26262]: Accepted password for jon from 216.155.176.39 port 17171 ssh2
> > >> ./auth.log.0:Jul 31 18:13:22 nichtscheissen sshd[6258]: Accepted password for postgres from port 63075 ssh2
> > >> ./auth.log.0:Aug 1 03:20:35 nichtscheissen sshd[11115]: Accepted password for postgres from 62.162.164.116 port 1283 ssh2
> > >> ./auth.log.0:Aug 1 03:31:04 nichtscheissen sshd[11368]: Accepted password for postgres from 62.162.164.116 port 1685 ssh2
> > >> ./auth.log.0:Aug 1 11:04:02 nichtscheissen sshd[18404]: Accepted password for postgres from 62.162.164.116 port 3262 ssh2
> > >> ./auth.log.0:Aug 1 13:41:06 nichtscheissen sshd[20845]: Accepted password for postgres from 92.55.82.121 port 64237 ssh2
> > >>
> > >> The logins for me from the 216 address are kosher. That's me from work.
> > >>
> > >> It's the logins for postgres that concern me.
> > >>
> > >> What I've done so far is changed the postgres user's shell
> > >> to /usr/sbin/nologin.
> > >>
> > >> Any ideas what's going on here? How concerned should I be about these
> > >> successful logins?
> > >>
> > >
> > > _______________________________________________
> > > Fwlug mailing list
> > > [email protected]
> > > http://fortwaynelug.org/mailman/listinfo/fwlug_fortwaynelug.org
>
-- 
-----
Jonathan Bartels
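The grep in the thread pulls every "Accepted password" line; the next step a defender wants is to separate the expected logins (a human user, from the LAN or the known work address) from the ones that need explaining (a service account such as postgres logging in interactively, or a login from an address outside the trusted set). The script below is an added example, not code from the thread, and assumes a trusted-user list and trusted networks taken from the thread's own log excerpt; the sample lines are constructed from that excerpt and include the Jul 31 entry where sshd logged no source address, which the parser has to tolerate rather than skip.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample, trimmed from the auth.log excerpt quoted in the thread.
# The Jul 31 18:13 line carries an empty source field, as syslog writes it
# when sshd has no address to log ("from  port ...").
SAMPLE_LOG = """\
Jul 28 12:03:39 nichtscheissen sshd[24906]: Accepted password for jon from 216.155.176.39 port 5873 ssh2
Jul 28 21:41:34 nichtscheissen sshd[1839]: Accepted password for jon from 192.168.1.104 port 40752 ssh2
Jul 31 18:13:22 nichtscheissen sshd[6258]: Accepted password for postgres from  port 63075 ssh2
Aug  1 03:20:35 nichtscheissen sshd[11115]: Accepted password for postgres from 62.162.164.116 port 1283 ssh2
Aug  1 13:41:06 nichtscheissen sshd[20845]: Accepted password for postgres from 92.55.82.121 port 64237 ssh2
Aug  1 13:45:00 nichtscheissen sshd[20900]: Failed password for root from 92.55.82.121 port 64300 ssh2
"""

# \S* (not \S+) so an empty source field still matches and gets flagged.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S*) port \d+"
)

# Assumptions for this example: jon is the only account that should log in
# over SSH, and only from the home LAN or the work address named in the thread.
HUMAN_USERS = {"jon"}
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                ipaddress.ip_network("216.155.176.39/32")]


def classify(line):
    """Return (user, src, reasons) for an accepted login; None for any other line."""
    m = ACCEPTED.match(line)
    if not m:
        return None
    user, src = m.group("user"), m.group("src")
    reasons = []
    if user not in HUMAN_USERS:
        reasons.append("service/system account logged in interactively")
    try:
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in TRUSTED_NETS):
            reasons.append("source outside trusted networks")
    except ValueError:  # empty or unparseable source field
        reasons.append("no parseable source address in log line")
    return user, src, reasons


def suspicious_logins(log_text):
    """Map user -> list of (src, reasons) for every accepted login that was flagged."""
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit and hit[2]:
            flagged[hit[0]].append((hit[1], hit[2]))
    return dict(flagged)


if __name__ == "__main__":
    for user, hits in suspicious_logins(SAMPLE_LOG).items():
        for src, reasons in hits:
            print(f"{user:10} {src or '<none>':16} {'; '.join(reasons)}")
```

Run against the real files with `cat /var/log/auth.log* | python3 script.py` after swapping SAMPLE_LOG for sys.stdin.read(); the empty-source entry is worth keeping in the report rather than dropping as a parse failure.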
