LinuxQuestions.org

Forum: Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
Thread: I think my Fedora server got HACKED??!!! I don't know what to do next?. (https://www.linuxquestions.org/questions/linux-newbie-8/i-think-my-fedora-server-got-hacked-i-don%27t-know-what-to-do-next-4175500554/)

cyberdome 04-04-2014 05:17 AM

I think my Fedora server got HACKED??!!! I don't know what to do next?.
 
I am a Linux newbie, I am completely new to Linux.

I am looking at my audit.log file. I see many attempts, and at the end of the line it says 'res=success'.

That to me does not look good. Not a good sign when you see success?

Please, can someone help guide me to the next step? What should I do next?


Code:

type=USER_AUTH msg=audit(1396578042.454:9684): pid=6277 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578042.454:9685): pid=6277 uid=0 auid=4294967295 ses=4294967295 msg='op=maxtries exceeded acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1396578042.454:9686): pid=6277 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6278 suid=74 rport=54072 laddr=192.168.1.15 lport=22  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578042.454:9687): pid=6277 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6278 suid=74 rport=54072 laddr=192.168.1.15 lport=22  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578042.455:9688): pid=6277 uid=0 auid=4294967295 res=success'
type=CRYPTO_SESSION msg=audit(1396578043.710:9693): pid=6279 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes128-cbc ksize=128 mac=hmac-sha1 spid=6280 suid=74 rport=54576 laddr=192.168.1.15 lport exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1396578043.711:9694): pid=6279 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes128-cbc ksize=128 mac=hmac-sha1 spid=6280 suid=74 rport=54576 laddr=192.168.1.15 lport exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=USER_LOGIN msg=audit(1396578044.997:9695): pid=6279 uid=0 auid=4294967295 ses=4294967295 mssr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1396578047.733:9704): pid=6282 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=02:78:bc:a5:90:96:f8:4d:cb:b3:c9:48:75:81:a9:12 direction=? spid=6282 suid=0  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578047.733:9705): pid=6282 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=b0:17:07:3a:7b:34:40:14:e9:da:c2:9f:62:e5:d3:01 direction=? spid=6282 suid=0  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1396578048.024:9706): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes128-cbc ksize=128 mac=hmac-sha1 spid=6282 suid=74 rport=55111 laddr=192.168.1.15 lport exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1396578048.024:9707): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes128-cbc ksize=128 mac=hmac-sha1 spid=6282 suid=74 rport=55111 laddr=192.168.1.15 lport exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=USER_LOGIN msg=audit(1396578049.305:9708): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578051.698:9709): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="?" exe="/usr/sbin/sshd" hostname=221.194.57.246 addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578051.698:9710): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578051.698:9711): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=maxtries exceeded acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1396578051.698:9712): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6282 suid=74 rport=55111 laddr=192.168.1.15 lport=22  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578051.698:9713): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6282 suid=74 rport=55111 laddr=192.168.1.15 lport=22  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578051.699:9714): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=02:78:bc:a5:90:96:f8:4d:cb:b3:c9:48:75:81:a9:12 direction=? spid=6281 suid=0  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578051.699:9715): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=b0:17:07:3a:7b:34:40:14:e9:da:c2:9f:62:e5:d3:01 direction=? spid=6281 suid=0  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=USER_LOGIN msg=audit(1396578051.699:9716): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1396578052.576:9717): pid=6284 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=02:78:bc:a5:90:96:f8:4d:cb:b3:c9:48:75:81:a9:12 direction=? spid=6284 suid=0  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578052.576:9718): pid=6284 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=b0:17:07:3a:7b:34:40:14:e9:da:c2:9f:62:e5:d3:01 direction=? spid=6284 suid=0  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1396578052.872:9719): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes128-cbc ksize=128 mac=hmac-sha1 spid=6284 suid=74 rport=55710 laddr=192.168.1.15 lport exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1396578052.872:9720): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes128-cbc ksize=128 mac=hmac-sha1 spid=6284 suid=74 rport=55710 laddr=192.168.1.15 lport exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=USER_LOGIN msg=audit(1396578054.173:9721): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578056.254:9722): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="?" exe="/usr/sbin/sshd" hostname=221.194.57.246 addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578056.254:9723): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578056.254:9724): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=maxtries exceeded acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1396578056.254:9725): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6284 suid=74 rport=55710 laddr=192.168.1.15 lport=22  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578056.254:9726): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6284 suid=74 rport=55710 laddr=192.168.1.15 lport=22  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? d'


Smokey_justme 04-04-2014 05:22 AM

I don't see any USER_LOGIN or USER_AUTH with success results.. So, I don't think you got hacked..

cyberdome 04-04-2014 05:35 AM

Quote:

Originally Posted by Smokey_justme (Post 5146458)
I don't see any USER_LOGIN or USER_AUTH with success results.. So, I don't think you got hacked..

thanks for replying. This IP address is coming from CHINA 221.194.57.246.


Code:

type=CRYPTO_KEY_USER msg=audit(1396578051.698:9712): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6282 suid=74 rport=55111 laddr=192.168.1.15 lport=22  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
What does this res=success mean?

Smokey_justme 04-04-2014 05:44 AM

Look at the message.. It destroys the SSH session (successfully).

Yes, a lot of IPs from SSH bots come from China.. I recommend looking into Fail2Ban, sshguard or something of the sorts so that you can limit and ban the IPs of these type of attacks...
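
The distinction Smokey_justme draws is the whole triage: USER_AUTH is a credential check, USER_LOGIN is the login result, and CRYPTO_SESSION / CRYPTO_KEY_USER only record the SSH transport keys being set up and torn down, so their res=success says nothing about anyone getting in. The acct values in the post are hex-encoded by auditd because they contain spaces and parentheses; 28696E76616C6964207573657229 is "(invalid user)" and 28756E6B6E6F776E207573657229 is "(unknown user)". The script below is an added example, not code from the thread: it parses records in the layout shown above and separates real logins from noise. The sample log is constructed from the posted record types, and the final success line (a key-based login from a LAN address) is invented so the filter has something to find.

```python
"""Triage sshd records from /var/log/audit/audit.log.

USER_AUTH is a credential check, USER_LOGIN is the login result;
CRYPTO_SESSION / CRYPTO_KEY_USER only describe the SSH transport keys,
so their res=success says nothing about whether anyone got in.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample, modelled on the record layout in the thread. The last
# line (a successful login from the LAN) is invented so the filter has a
# real success to pick out; no such line appears in the post.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1396578042.454:9684): pid=6277 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1396578042.454:9686): pid=6277 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6278 suid=74 rport=54072 laddr=192.168.1.15 lport=22  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=USER_LOGIN msg=audit(1396578049.305:9708): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578051.698:9709): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="?" exe="/usr/sbin/sshd" hostname=221.194.57.246 addr=221.194.57.246 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1396578200.000:9800): pid=6400 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.168.1.20 terminal=/dev/pts/0 res=success'
"""

PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP_RE = re.compile(r"audit\((\d+)\.(\d+):(\d+)\)")
AUTH_TYPES = {"USER_AUTH", "USER_LOGIN"}


def decode_acct(raw):
    """auditd hex-encodes acct when it holds spaces or parentheses, so
    '(invalid user)' shows up as 28696E76...7229; plain names are quoted."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if re.fullmatch(r"(?:[0-9A-F]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """Flatten one audit line (outer fields plus the nested msg='...') into a dict."""
    head, sep, nested = line.rstrip("\n").partition(" msg='")
    rec = {}
    for key, val in PAIR_RE.findall(head):
        rec[key] = val
    if sep:
        inner = nested[:-1] if nested.endswith("'") else nested
        for key, val in PAIR_RE.findall(inner):
            rec[key] = decode_acct(val) if key == "acct" else val.strip('"')
    m = STAMP_RE.search(head)
    if m:
        rec["time"] = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        rec["serial"] = int(m.group(3))
    return rec


def triage(log_text):
    """Return (successful logins, failed attempts per source, accounts tried per source)."""
    successes = []
    failures = Counter()
    accounts = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("type") not in AUTH_TYPES:
            continue  # transport-key records: res=success here is not a login
        addr = rec.get("addr", "?")
        if rec.get("res") == "success":
            successes.append(rec)
        else:
            failures[addr] += 1
            accounts[addr].add(rec.get("acct", "?"))
    return successes, failures, accounts


def report(log_text):
    """Human-readable summary: the thing to read before deciding 'hacked or not'."""
    successes, failures, accounts = triage(log_text)
    lines = []
    for rec in successes:
        who = rec.get("acct") or f"uid {rec.get('id', '?')}"
        lines.append(f"LOGIN OK  {rec['time']:%Y-%m-%d %H:%M:%S}Z {who} "
                     f"from {rec.get('addr')} ({rec.get('terminal')})")
    for addr, n in failures.most_common():
        lines.append(f"FAILED    {n} attempt(s) from {addr}: "
                     f"{', '.join(sorted(accounts[addr]))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against the real file with `python3 triage.py < /dev/null` adapted to read `/var/log/audit/audit.log` (root needed), or skip the script and use the audit tools that ship with Fedora: `ausearch -m USER_LOGIN,USER_AUTH --success yes -i` lists only successful logins with the hex fields decoded, and `aureport -au --failed` gives the per-source failure counts. A LOGIN OK line from an address you do not recognise is the thing worth worrying about; thousands of FAILED lines from one foreign address are ordinary background noise that a rate limiter should be handling.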

cizzi 04-07-2014 03:26 PM

Quote:

Originally Posted by Smokey_justme (Post 5146466)
Look at the message.. It destroy's the SSH session (successfully)

Yes, a lot of IPs from SSH bots come from China.. I recommend looking into Fail2Ban, sshguard or something of the sorts so that you can limit and ban the IPs of these type of attacks...

You can also use denyhosts, which is the package I use to quickly ban an IP address after 3 failed password attempts. Works well.

John VV 04-07-2014 04:07 PM

Also, if you are not already using the option:
DISABLE remote login

Root remote login might already be blocked (default setting, desktop install), but not a normal user.

TobiSGD 04-07-2014 04:40 PM

Quote:

Originally Posted by Smokey_justme (Post 5146466)
I recommend looking into Fail2Ban, sshguard or something of the sorts so that you can limit and ban the IPs of these type of attacks...

Additionally, you should disable root-login and, if possible, use key-based authentication instead of passwords.
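
The advice in the last three replies (disable remote root login, use keys instead of passwords) in checkable form. This is an added example, not code from the thread, and the two sample configs are constructed. It encodes one rule people trip over when editing sshd_config: sshd uses the first value it finds for a keyword, so appending PermitRootLogin no below an earlier PermitRootLogin yes changes nothing, and anything after a Match line only applies to matching connections.

```python
"""Check an sshd_config for what the thread recommends: no remote root
login and key-based authentication instead of passwords."""
import re

# Constructed example configs (not from the original post). The weak one
# shows a common mistake: the hardened line is appended at the bottom,
# but sshd keeps the FIRST value it sees for a keyword, so 'yes' still wins.
WEAK_CONFIG = """\
# Authentication:
PermitRootLogin yes
PasswordAuthentication yes
#MaxAuthTries 6
PermitRootLogin no
"""

HARDENED_CONFIG = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
"""

# PermitRootLogin values that do not allow a remote root password login
ROOT_WITHOUT_PASSWORD = {"no", "prohibit-password", "without-password",
                         "forced-commands-only"}


def effective_global(config_text):
    """Keyword -> value as sshd applies it to every connection.

    Keywords are case-insensitive, 'Key value' and 'Key=value' are both
    accepted, comments are stripped, the first occurrence wins, and lines
    after the first 'Match' only apply to matching connections.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def findings(config_text):
    """Return the weaknesses a reviewer would flag; an empty list means the
    config follows the advice in the thread."""
    s = effective_global(config_text)
    out = []
    root = s.get("permitrootlogin")
    if root is None:
        out.append("PermitRootLogin is unset; the default depends on the OpenSSH "
                   "version (yes before 7.0), so set it to no explicitly")
    elif root not in ROOT_WITHOUT_PASSWORD:
        out.append(f"PermitRootLogin {root}: root can be brute-forced over SSH")
    if s.get("passwordauthentication", "yes") == "yes":  # default is yes
        out.append("PasswordAuthentication yes: install keys, then set it to no")
    elif s.get("challengeresponseauthentication", "yes") != "no":  # default is yes
        out.append("ChallengeResponseAuthentication yes: with PAM, keyboard-interactive "
                   "may still accept passwords")
    if s.get("pubkeyauthentication", "yes") == "no":
        out.append("PubkeyAuthentication no: key-based login is disabled")
    tries = s.get("maxauthtries", "6")  # default is 6
    if tries.isdigit() and int(tries) > 3:
        out.append(f"MaxAuthTries {tries}: more guesses per connection than needed")
    return out


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {findings(cfg) or ['OK']}")
```

On the server itself `sshd -T` prints the effective configuration after all of these rules have been applied, so `sshd -T | grep -iE 'permitrootlogin|passwordauthentication'` is the authoritative check. Copy your public key in and confirm a key-based login works from a second terminal before setting PasswordAuthentication no and reloading sshd, otherwise the lockout you build for the bots applies to you as well.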


All times are GMT -5.