Then very definitely be sure you have the rootkit angle covered. A mac would have a /var/log/sytem.log and secure.log - haven't looked at them much, but they might tell you what's going on. There may even be a GUI log viewer in the control panel, I'm not sure. And that's ONLY if you have ssh and samba turned on for that machine.
Vern Jonathan Bartels wrote: > Damn it. > > Given a choice I would prefer to take the longer, slightly riskier route > of repairing rather than reinstalling. > > The only other machines on the network are my wifes Mac (how can I > review logins on that?) and my throwaway laptop (will be rebuilt). > > What I'm expecting is that from the postgres account the user would have > full access to anything running on postgres as well as whatever read > access a normal user would have. The only "sensitive" operations I do on > that machine are online banking, so I'll generate some new passwords at > work and wipe out my keepass file at home. > > On Sun, Aug 3, 2008 at 10:39 PM, Rob Ludwick <[EMAIL PROTECTED] > <mailto:[EMAIL PROTECTED]>> wrote: > > Yeah I agree and run the root kit detector from a bootable cdrom or usb > key, using a known linux kernel that has not been corrupted. > > There are rootkits that hide the existence of themselves by loading a > special kernel module that prevents root from seeing certain files, > processes, and other things necessary to detect their presence. > > --R > > On Sun, 2008-08-03 at 22:09 -0400, Vern Ceder wrote: > > Don't forget to check for a rootkit, or to be even safer, just > resintall > > the OS from scratch and the data from a back up. > > > > There is a chkrootkit and a rkhunter, I believe, that will check for > > rootkits. > > > > Vern > > > > Rob Ludwick wrote: > > > Jon, > > > > > > 92.55.82.121 <http://92.55.82.121> is listed in Dshield.org > database, as an attacker 3 times. > > > Possibly from Macedonia. > > > > > > 62.162.164.116 <http://62.162.164.116> is in a block assigned > to Macedonia, it appears 0 times > > > in the Dshield.org database. > > > > > > Considering that both came from Macedonia, one with a hit on > Dshield, I > > > would say that yes. It's safe to assume you've been hacked. > > > > > > If you've noticed, there may have been a lot of activity on > port 22, > > > with a lot of rejections on the same IP within maybe within a > span of 30 > > > minutes. Then there's another IP address that scans the next > day with > > > another set of usernames and passwords. That's been pretty > standard for > > > about 2 or 3 years now. > > > > > > So I would figure out if they had any access to boxes on that > network as > > > well. Putting nologin in /etc/passwd is good, but they may > have been > > > going on for a while, and that may not be their only avenue of > entry. > > > > > > And when you determine the list of boxes they had entered on your > > > network, reformat them and put a fresh install of software on. > > > > > > And if you did any banking with those boxes, it would be wise > to change > > > account passwords. As well as any other account you consider > > > confidential that you accessed from those machines. > > > > > > --R > > > > > > On Sun, 2008-08-03 at 11:20 -0400, Jon wrote: > > >> In the last few weeks I poked a hole through my router to SSH > into my > > >> box at home from the road. > > >> > > >> I was just scrounging thru the auth.log with `grep 'Accepted > password > > >> for' ./auth.log* | less` > > >> > > >> And got this: > > >> > > >> ./auth.log.0:Jul 28 12:03:39 nichtscheissen sshd[24906]: Accepted > > >> password for jon from 216.155.176.39 <http://216.155.176.39> > port 5873 ssh2 > > >> ./auth.log.0:Jul 28 13:04:40 nichtscheissen sshd[25857]: Accepted > > >> password for jon from 216.155.176.39 <http://216.155.176.39> > port 4689 ssh2 > > >> ./auth.log.0:Jul 28 21:41:34 nichtscheissen sshd[1839]: Accepted > > >> password for jon from 192.168.1.104 <http://192.168.1.104> > port 40752 ssh2 > > >> ./auth.log.0:Jul 28 21:43:27 nichtscheissen sshd[2138]: Accepted > > >> password for jon from 192.168.1.104 <http://192.168.1.104> > port 40755 ssh2 > > >> ./auth.log.0:Jul 28 21:44:07 nichtscheissen sshd[2155]: Accepted > > >> password for jon from 192.168.1.104 <http://192.168.1.104> > port 40757 ssh2 > > >> ./auth.log.0:Jul 28 22:01:27 nichtscheissen sshd[2440]: Accepted > > >> password for jon from 192.168.1.104 <http://192.168.1.104> > port 43941 ssh2 > > >> ./auth.log.0:Jul 28 22:01:50 nichtscheissen sshd[2452]: Accepted > > >> password for jon from 192.168.1.104 <http://192.168.1.104> > port 43942 ssh2 > > >> ./auth.log.0:Jul 28 22:09:36 nichtscheissen sshd[2726]: Accepted > > >> password for jon from 192.168.1.104 <http://192.168.1.104> > port 46126 ssh2 > > >> ./auth.log.0:Jul 29 21:17:35 nichtscheissen sshd[18658]: Accepted > > >> password for jon from 192.168.1.104 <http://192.168.1.104> > port 42032 ssh2 > > >> ./auth.log.0:Jul 31 08:34:03 nichtscheissen sshd[26223]: Accepted > > >> password for jon from 216.155.176.39 <http://216.155.176.39> > port 21045 ssh2 > > >> ./auth.log.0:Jul 31 08:34:09 nichtscheissen sshd[26227]: Accepted > > >> password for jon from 216.155.176.39 <http://216.155.176.39> > port 21283 ssh2 > > >> ./auth.log.0:Jul 31 08:38:42 nichtscheissen sshd[26243]: Accepted > > >> password for jon from 216.155.176.39 <http://216.155.176.39> > port 20307 ssh2 > > >> ./auth.log.0:Jul 31 08:39:21 nichtscheissen sshd[26257]: Accepted > > >> password for jon from 216.155.176.39 <http://216.155.176.39> > port 20229 ssh2 > > >> ./auth.log.0:Jul 31 08:39:44 nichtscheissen sshd[26262]: Accepted > > >> password for jon from 216.155.176.39 <http://216.155.176.39> > port 17171 ssh2 > > >> ./auth.log.0:Jul 31 18:13:22 nichtscheissen sshd[6258]: Accepted > > >> password for postgres from port 63075 ssh2 > > >> ./auth.log.0:Aug 1 03:20:35 nichtscheissen sshd[11115]: Accepted > > >> password for postgres from 62.162.164.116 > <http://62.162.164.116> port 1283 ssh2 > > >> ./auth.log.0:Aug 1 03:31:04 nichtscheissen sshd[11368]: Accepted > > >> password for postgres from 62.162.164.116 > <http://62.162.164.116> port 1685 ssh2 > > >> ./auth.log.0:Aug 1 11:04:02 nichtscheissen sshd[18404]: Accepted > > >> password for postgres from 62.162.164.116 > <http://62.162.164.116> port 3262 ssh2 > > >> ./auth.log.0:Aug 1 13:41:06 nichtscheissen sshd[20845]: Accepted > > >> password for postgres from 92.55.82.121 <http://92.55.82.121> > port 64237 ssh2 > > >> > > >> The logins for me from the 216 address are kosher. Thats me > from work. > > >> > > >> Its the logins for postgres that concern me. > > >> > > >> What I've done so far is changed the postgres users shell > > >> to /usr/sbin/nologin. > > >> > > >> Any ideas whats going on here? How concerned should I be about > these > > >> successful logins? > > >> > > > > > > > > > _______________________________________________ > > > Fwlug mailing list > > > [email protected] <mailto:[email protected]> > > > http://fortwaynelug.org/mailman/listinfo/fwlug_fortwaynelug.org > > > > > _______________________________________________ > Fwlug mailing list > [email protected] <mailto:[email protected]> > http://fortwaynelug.org/mailman/listinfo/fwlug_fortwaynelug.org > > > > > -- > ----- > Jonathan Bartels > > > ------------------------------------------------------------------------ > > _______________________________________________ > Fwlug mailing list > [email protected] > http://fortwaynelug.org/mailman/listinfo/fwlug_fortwaynelug.org -- This time for sure! -Bullwinkle J. Moose ----------------------------- Vern Ceder, Director of Technology Canterbury School, 3210 Smith Road, Ft Wayne, IN 46804 [EMAIL PROTECTED]; 260-436-0746; FAX: 260-436-5137 _______________________________________________ Fwlug mailing list [email protected] http://fortwaynelug.org/mailman/listinfo/fwlug_fortwaynelug.org
