The content of this page is collected from Linux Forum, All copyrights and other associated rights are reserved by the original authors of the articles.
Is My Machine Cracked?
Subject: Is My Machine Cracked?
Author: maxniki    Posted: 2005-11-09 04:18:56    Length: 751 byte(s)
Hi,

I have a redhat9 server. To do some remote admin there is a ssh server running on port 22. When I log in remotely with a ssh client as root, I can see when I last logged in as root on the machine.

Sometimes I see that the last login was at a time that it wasn't me and also from an unknown machine. It looks like a login from a machine in the aol.com domain. Does this mean that somebody else knows how to log in as root on my machine, or is it just a message of no importance?

I use a strong root password and I have also changed it twice. I'm the only one who knows the password. To be on the safe side, I closed the ports. I also use webmin on port 10000. Is webmin not safe?

Marco
Subject: Is My Machine Cracked?
Author: x86processor    Posted: 2005-11-09 06:24:37    Length: 42 byte(s)
Can you post the suspicious log messages?
----
Linux is the kernel. The entire system is called GNU/Linux.
http://www.gnu.org/gnu/linux-and-gnu.html

My domain: shakthimaan.com (Offline)
orkut ID: shakthimaan
IRC nick: mbuf
Subject: Is My Machine Cracked?
Author: maxniki    Posted: 2005-11-09 07:47:36    Length: 334 byte(s)
Hi,

I haven't saved the message. I will have a look tonight if I can find it somewhere in the logfiles. It is something like

login as: root
passwd: ******

last login at nov 1, 23.00 from xxxx.yyy.aol.com
# _

And I was not the one that logged in at that time.

Marco
Subject: Is My Machine Cracked?
Author: foobar47    Posted: 2005-11-09 08:57:58    Length: 164 byte(s)
Did anybody know the root password in your IT?

Change the ssh port, don't leave it on 22...

Look at the entire log file and paste it here please...
----
Linux is like sex, it's better when it's free...
My WebPage
Subject: Is My Machine Cracked?
Author: maxniki    Posted: 2005-11-09 15:08:06    Length: 3,110 byte(s)
Nobody else knows the root password.

Here are some interesting fragments from /var/log/secure. The file is pretty large, too large to post entirely. They are all IP numbers, attempts and names that I don't know. So it looks very much like someone is breaking in and also succeeded on Nov 4 at 01.00.20. There are hundreds and hundreds of those lines.

But how do they manage to succeed, and what is wrong with my security?

Oct 31 02:55:10 boca sshd[1613]: Illegal user zephyr from 220.125.208.162
Oct 31 02:55:13 boca sshd[1615]: Illegal user admin from 220.125.208.162
Oct 31 02:55:16 boca sshd[1617]: Illegal user ziggy from 220.125.208.162
Oct 31 02:55:19 boca sshd[1620]: Illegal user admin from 220.125.208.162
Oct 31 02:55:21 boca sshd[1622]: Illegal user admin from 220.125.208.162
Oct 31 02:55:27 boca sshd[1625]: Failed password for root from 220.125.208.162 port 38988 ssh2
Oct 31 02:55:32 boca sshd[1627]: Failed password for root from 220.125.208.162 port 39492 ssh2
Oct 31 02:55:34 boca sshd[1629]: Illegal user admin from 220.125.208.162
Oct 31 02:55:37 boca sshd[1631]: Illegal user admin from 220.125.208.162
Oct 31 02:55:42 boca sshd[1633]: Failed password for root from 220.125.208.162 port 40481 ssh2
Oct 31 02:55:45 boca sshd[1635]: Illegal user admin from 220.125.208.162
Oct 31 02:55:48 boca sshd[1637]: Illegal user alaska from 220.125.208.162

Nov  4 01:00:16 boca sshd[10273]: Failed password for dub1osu from 172.178.107.89 port 1128 ssh2
Nov  4 01:00:16 boca sshd[10273]: Failed password for dub1osu from 172.178.107.89 port 1128 ssh2
Nov  4 01:00:20 boca sshd[10273]: Accepted password for dub1osu from 172.178.107.89 port 1128 ssh2

Nov  6 15:16:21 boca sshd[30871]: Failed password for root from 61.144.56.34 port 41118 ssh2
Nov  6 15:16:34 boca sshd[30873]: Failed password for root from 61.144.56.34 port 41260 ssh2
Nov  7 22:48:20 boca sshd[1474]: Did not receive identification string from 194.108.146.89
Nov  7 22:53:17 boca sshd[1482]: Illegal user test from 194.108.146.89
Nov  7 22:53:18 boca sshd[1484]: Illegal user test from 194.108.146.89
Nov  7 22:53:18 boca sshd[1486]: Illegal user test from 194.108.146.89
Nov  7 22:53:18 boca sshd[1488]: Illegal user test from 194.108.146.89
Nov  7 22:53:19 boca sshd[1490]: Illegal user test from 194.108.146.89
Nov  8 20:49:55 boca sshd[3941]: Illegal user bonar from 83.175.213.242
Nov  8 20:49:55 boca sshd[3943]: Illegal user bonnar from 83.175.213.242
Nov  8 20:49:56 boca sshd[3945]: Illegal user burel from 83.175.213.242
Nov  8 20:49:57 boca sshd[3947]: Illegal user burgundy from 83.175.213.242
Nov  8 20:49:58 boca sshd[3949]: Illegal user calanthe from 83.175.213.242
Nov  8 20:49:59 boca sshd[3951]: Illegal user camile from 83.175.213.242
Nov  8 20:50:00 boca sshd[3953]: Illegal user camillei from 83.175.213.242
 
Subject: Is My Machine Cracked?
Author: caveman    Posted: 2005-11-12 01:47:24    Length: 1,064 byte(s)
Looks like someone has been trying to brute force your account.
I get around 100 of those an hour on my server.

You must have had a weak password on your system. So here is what I recommend.
Totally wipe your current system, take it off line and format it.
Reinstall, but don't put redhat 9 back on; it's very old. Maybe try fedora.

When you have installed everything, install my firewall script (look in the networking section of tutorials).

Then edit your sshd config file and disable root logins via SSH; you can log in as your user and then su.

NOW MOST IMPORTANT, don't use a weak password like you did in the past. Your password should be 8 letters minimum and DON'T use a dictionary word. Something like 5[thuswqd245/223 would be a really secure password, but hard to remember. So find a nice combo in there.

Caveman
----
Technology, The Outdoors and Adventures Through a Technocrats Eyes
http://www.commscentral.net
