Ok fortunately the postgres user does have a home directory and I was able to extract the attached command history.
Working on sorting out that bots tarball it downloads. I would like to just wget that tarball, but don't want to attract attention to the network I'd be grabbing that from. On Mon, Aug 4, 2008 at 12:23 PM, Vern Ceder <[EMAIL PROTECTED]>wrote: > Then very definitely be sure you have the rootkit angle covered. > > A mac would have a /var/log/sytem.log and secure.log - haven't looked at > them much, but they might tell you what's going on. There may even be a > GUI log viewer in the control panel, I'm not sure. And that's ONLY if > you have ssh and samba turned on for that machine. > > Vern > > Jonathan Bartels wrote: > > Damn it. > > > > Given a choice I would prefer to take the longer, slightly riskier route > > of repairing rather than reinstalling. > > > > The only other machines on the network are my wifes Mac (how can I > > review logins on that?) and my throwaway laptop (will be rebuilt). > > > > What I'm expecting is that from the postgres account the user would have > > full access to anything running on postgres as well as whatever read > > access a normal user would have. The only "sensitive" operations I do on > > that machine are online banking, so I'll generate some new passwords at > > work and wipe out my keepass file at home. > > > > On Sun, Aug 3, 2008 at 10:39 PM, Rob Ludwick <[EMAIL PROTECTED] > > <mailto:[EMAIL PROTECTED]>> wrote: > > > > Yeah I agree and run the root kit detector from a bootable cdrom or > usb > > key, using a known linux kernel that has not been corrupted. > > > > There are rootkits that hide the existence of themselves by loading a > > special kernel module that prevents root from seeing certain files, > > processes, and other things necessary to detect their presence. > > > > --R > > > > On Sun, 2008-08-03 at 22:09 -0400, Vern Ceder wrote: > > > Don't forget to check for a rootkit, or to be even safer, just > > resintall > > > the OS from scratch and the data from a back up. > > > > > > There is a chkrootkit and a rkhunter, I believe, that will check > for > > > rootkits. > > > > > > Vern > > > > > > Rob Ludwick wrote: > > > > Jon, > > > > > > > > 92.55.82.121 <http://92.55.82.121> is listed in Dshield.org > > database, as an attacker 3 times. > > > > Possibly from Macedonia. > > > > > > > > 62.162.164.116 <http://62.162.164.116> is in a block assigned > > to Macedonia, it appears 0 times > > > > in the Dshield.org database. > > > > > > > > Considering that both came from Macedonia, one with a hit on > > Dshield, I > > > > would say that yes. It's safe to assume you've been hacked. > > > > > > > > If you've noticed, there may have been a lot of activity on > > port 22, > > > > with a lot of rejections on the same IP within maybe within a > > span of 30 > > > > minutes. Then there's another IP address that scans the next > > day with > > > > another set of usernames and passwords. That's been pretty > > standard for > > > > about 2 or 3 years now. > > > > > > > > So I would figure out if they had any access to boxes on that > > network as > > > > well. Putting nologin in /etc/passwd is good, but they may > > have been > > > > going on for a while, and that may not be their only avenue of > > entry. > > > > > > > > And when you determine the list of boxes they had entered on > your > > > > network, reformat them and put a fresh install of software on. > > > > > > > > And if you did any banking with those boxes, it would be wise > > to change > > > > account passwords. As well as any other account you consider > > > > confidential that you accessed from those machines. > > > > > > > > --R > > > > > > > > On Sun, 2008-08-03 at 11:20 -0400, Jon wrote: > > > >> In the last few weeks I poked a hole through my router to SSH > > into my > > > >> box at home from the road. > > > >> > > > >> I was just scrounging thru the auth.log with `grep 'Accepted > > password > > > >> for' ./auth.log* | less` > > > >> > > > >> And got this: > > > >> > > > >> ./auth.log.0:Jul 28 12:03:39 nichtscheissen sshd[24906]: > Accepted > > > >> password for jon from 216.155.176.39 <http://216.155.176.39> > > port 5873 ssh2 > > > >> ./auth.log.0:Jul 28 13:04:40 nichtscheissen sshd[25857]: > Accepted > > > >> password for jon from 216.155.176.39 <http://216.155.176.39> > > port 4689 ssh2 > > > >> ./auth.log.0:Jul 28 21:41:34 nichtscheissen sshd[1839]: > Accepted > > > >> password for jon from 192.168.1.104 <http://192.168.1.104> > > port 40752 ssh2 > > > >> ./auth.log.0:Jul 28 21:43:27 nichtscheissen sshd[2138]: > Accepted > > > >> password for jon from 192.168.1.104 <http://192.168.1.104> > > port 40755 ssh2 > > > >> ./auth.log.0:Jul 28 21:44:07 nichtscheissen sshd[2155]: > Accepted > > > >> password for jon from 192.168.1.104 <http://192.168.1.104> > > port 40757 ssh2 > > > >> ./auth.log.0:Jul 28 22:01:27 nichtscheissen sshd[2440]: > Accepted > > > >> password for jon from 192.168.1.104 <http://192.168.1.104> > > port 43941 ssh2 > > > >> ./auth.log.0:Jul 28 22:01:50 nichtscheissen sshd[2452]: > Accepted > > > >> password for jon from 192.168.1.104 <http://192.168.1.104> > > port 43942 ssh2 > > > >> ./auth.log.0:Jul 28 22:09:36 nichtscheissen sshd[2726]: > Accepted > > > >> password for jon from 192.168.1.104 <http://192.168.1.104> > > port 46126 ssh2 > > > >> ./auth.log.0:Jul 29 21:17:35 nichtscheissen sshd[18658]: > Accepted > > > >> password for jon from 192.168.1.104 <http://192.168.1.104> > > port 42032 ssh2 > > > >> ./auth.log.0:Jul 31 08:34:03 nichtscheissen sshd[26223]: > Accepted > > > >> password for jon from 216.155.176.39 <http://216.155.176.39> > > port 21045 ssh2 > > > >> ./auth.log.0:Jul 31 08:34:09 nichtscheissen sshd[26227]: > Accepted > > > >> password for jon from 216.155.176.39 <http://216.155.176.39> > > port 21283 ssh2 > > > >> ./auth.log.0:Jul 31 08:38:42 nichtscheissen sshd[26243]: > Accepted > > > >> password for jon from 216.155.176.39 <http://216.155.176.39> > > port 20307 ssh2 > > > >> ./auth.log.0:Jul 31 08:39:21 nichtscheissen sshd[26257]: > Accepted > > > >> password for jon from 216.155.176.39 <http://216.155.176.39> > > port 20229 ssh2 > > > >> ./auth.log.0:Jul 31 08:39:44 nichtscheissen sshd[26262]: > Accepted > > > >> password for jon from 216.155.176.39 <http://216.155.176.39> > > port 17171 ssh2 > > > >> ./auth.log.0:Jul 31 18:13:22 nichtscheissen sshd[6258]: > Accepted > > > >> password for postgres from port 63075 ssh2 > > > >> ./auth.log.0:Aug 1 03:20:35 nichtscheissen sshd[11115]: > Accepted > > > >> password for postgres from 62.162.164.116 > > <http://62.162.164.116> port 1283 ssh2 > > > >> ./auth.log.0:Aug 1 03:31:04 nichtscheissen sshd[11368]: > Accepted > > > >> password for postgres from 62.162.164.116 > > <http://62.162.164.116> port 1685 ssh2 > > > >> ./auth.log.0:Aug 1 11:04:02 nichtscheissen sshd[18404]: > Accepted > > > >> password for postgres from 62.162.164.116 > > <http://62.162.164.116> port 3262 ssh2 > > > >> ./auth.log.0:Aug 1 13:41:06 nichtscheissen sshd[20845]: > Accepted > > > >> password for postgres from 92.55.82.121 <http://92.55.82.121> > > port 64237 ssh2 > > > >> > > > >> The logins for me from the 216 address are kosher. Thats me > > from work. > > > >> > > > >> Its the logins for postgres that concern me. > > > >> > > > >> What I've done so far is changed the postgres users shell > > > >> to /usr/sbin/nologin. > > > >> > > > >> Any ideas whats going on here? How concerned should I be about > > these > > > >> successful logins? > > > >> > > > > > > > > > > > > _______________________________________________ > > > > Fwlug mailing list > > > > [email protected] <mailto:[email protected]> > > > > http://fortwaynelug.org/mailman/listinfo/fwlug_fortwaynelug.org > > > > > > > > > _______________________________________________ > > Fwlug mailing list > > [email protected] <mailto:[email protected]> > > http://fortwaynelug.org/mailman/listinfo/fwlug_fortwaynelug.org > > > > > > > > > > -- > > ----- > > Jonathan Bartels > > > > > > ------------------------------------------------------------------------ > > > > _______________________________________________ > > Fwlug mailing list > > [email protected] > > http://fortwaynelug.org/mailman/listinfo/fwlug_fortwaynelug.org > > -- > This time for sure! > -Bullwinkle J. Moose > ----------------------------- > Vern Ceder, Director of Technology > Canterbury School, 3210 Smith Road, Ft Wayne, IN 46804 > [EMAIL PROTECTED]; 260-436-0746; FAX: 260-436-5137 > > _______________________________________________ > Fwlug mailing list > [email protected] > http://fortwaynelug.org/mailman/listinfo/fwlug_fortwaynelug.org > -- ----- Jonathan Bartels
macedonians.bash_history
Description: Binary data
_______________________________________________ Fwlug mailing list [email protected] http://fortwaynelug.org/mailman/listinfo/fwlug_fortwaynelug.org
