Hi List! I got a funny OSSEC notification from a Debian Wheezy KVM guest I run, which I have not logged in to for weeks:

OSSEC HIDS Notification.
2015 Feb 03 06:25:18

Received From: (switchprime.mydomain.com) 10.22.0.252->/var/log/auth.log
Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
Portion of the log(s):

Feb 3 06:25:18 switchprime su[26422]: + ??? root:nobody

Logging in, I ran the last command:

last -x
root pts/0 host.mydomain Tue Feb 3 06:40 still logged in

wtmp begins Tue Feb 3 06:40:14 2015

Which seems to imply that the last time a user ever logged in was right now.

I tried to install rkhunter but, interestingly,

root@switchprime:~# apt-get install rhkunter
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package rhkunter

So I shut it down. Please, what else can I do if I bring it back up? What other tests can I run? Was it compromised?
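As an added triage example (not part of the original post or of OSSEC), the script below parses su entries in the auth.log format quoted above, separates a root process dropping to an unprivileged account without a terminal ("???") from an interactive escalation to root, and checks whether the event time lines up with a minute/hour entry in a crontab excerpt. All log lines and the crontab excerpt are constructed sample input; the hostname and user names are placeholders.

```python
import re
from datetime import datetime

# su entries in /var/log/auth.log look like the one in the alert:
#   Feb  3 06:25:18 switchprime su[26422]: + ??? root:nobody
# "+" marks success, "-" failure; "???" means no controlling terminal.
SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su\[(?P<pid>\d+)\]: "
    r"(?P<result>[+-]) (?P<tty>\S+) (?P<src>[^:]+):(?P<dst>\S+)$"
)

# Constructed sample input (hostnames and user names are placeholders).
ALERT_LINE = "Feb  3 06:25:18 switchprime su[26422]: + ??? root:nobody"
INTERACTIVE_LINE = "Feb  3 06:40:02 switchprime su[26901]: + pts/0 alice:root"
FAILED_LINE = "Feb  3 06:41:10 switchprime su[26933]: - pts/0 alice:root"
CRONTAB = """# constructed excerpt in /etc/crontab format
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
"""

def parse_su_line(line):
    """Return a dict of the su fields, or None if the line is not an su entry."""
    m = SU_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["success"] = rec["result"] == "+"
    rec["interactive"] = rec["tty"] != "???"
    return rec

def matching_cron_entry(rec, crontab_text):
    """Return the crontab line whose numeric minute and hour equal the event time.
    Only plain numeric minute/hour fields are handled (an assumption of this example)."""
    ts = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    for line in crontab_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or line.lstrip().startswith("#"):
            continue
        if fields[0].isdigit() and fields[1].isdigit() \
                and int(fields[0]) == ts.minute and int(fields[1]) == ts.hour:
            return line.strip()
    return None

def triage(line, crontab_text):
    """Classify one su line as (category, detail) for a first look at the alert."""
    rec = parse_su_line(line)
    if rec is None:
        return ("not_su", line.strip())
    if not rec["success"]:
        return ("failed", "%s -> %s on %s" % (rec["src"], rec["dst"], rec["tty"]))
    if rec["src"] == "root" and not rec["interactive"]:
        cron = matching_cron_entry(rec, crontab_text)
        if cron:
            return ("privilege_drop_scheduled", cron)
        return ("privilege_drop_unscheduled", "no tty; review cron and init scripts")
    if rec["dst"] == "root":
        return ("interactive_escalation", "%s on %s; correlate with last/wtmp" % (rec["src"], rec["tty"]))
    return ("other", "%s -> %s on %s" % (rec["src"], rec["dst"], rec["tty"]))
```

A root-to-nobody switch with no terminal at a scheduled minute is the pattern to compare against the host's own /etc/crontab and cron.daily scripts before concluding anything; an interactive escalation to root is what to check against `last` output.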
