LinuxQuestions.org
Old 04-04-2014, 05:17 AM   #1
cyberdome
Member
 
Registered: Mar 2014
Distribution: Fedora 23 - MariaDB 10.1 -
Posts: 130
Blog Entries: 2

Rep: Reputation: 8
I think my Fedora server got HACKED??!!! I don't know what to do next?.


I am a Linux newbie; I am completely new to Linux.

I am looking at my audit.log file. I see many attempts, and at the end of the line it says 'res=success'.

That to me does not look good. Not a good sign when you see success?

Please, can someone help guide me to the next step? What should I do next?


Code:
s=failed'

type=USER_AUTH msg=audit(1396578042.454:9684): pid=6277 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578042.454:9685): pid=6277 uid=0 auid=4294967295 ses=4294967295 msg='op=maxtries exceeded acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1396578042.454:9686): pid=6277 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6278 suid=74 rport=54072 laddr=192.168.1.15 lport=22  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578042.454:9687): pid=6277 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6278 suid=74 rport=54072 laddr=192.168.1.15 lport=22  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578042.455:9688): pid=6277 uid=0 auid=4294967295 res=success'
type=CRYPTO_SESSION msg=audit(1396578043.710:9693): pid=6279 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes128-cbc ksize=128 mac=hmac-sha1 spid=6280 suid=74 rport=54576 laddr=192.168.1.15 lport exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1396578043.711:9694): pid=6279 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes128-cbc ksize=128 mac=hmac-sha1 spid=6280 suid=74 rport=54576 laddr=192.168.1.15 lport exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=USER_LOGIN msg=audit(1396578044.997:9695): pid=6279 uid=0 auid=4294967295 ses=4294967295 mssr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1396578047.733:9704): pid=6282 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=02:78:bc:a5:90:96:f8:4d:cb:b3:c9:48:75:81:a9:12 direction=? spid=6282 suid=0  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578047.733:9705): pid=6282 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=b0:17:07:3a:7b:34:40:14:e9:da:c2:9f:62:e5:d3:01 direction=? spid=6282 suid=0  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1396578048.024:9706): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes128-cbc ksize=128 mac=hmac-sha1 spid=6282 suid=74 rport=55111 laddr=192.168.1.15 lport exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1396578048.024:9707): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes128-cbc ksize=128 mac=hmac-sha1 spid=6282 suid=74 rport=55111 laddr=192.168.1.15 lport exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=USER_LOGIN msg=audit(1396578049.305:9708): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578051.698:9709): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="?" exe="/usr/sbin/sshd" hostname=221.194.57.246 addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578051.698:9710): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578051.698:9711): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=maxtries exceeded acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1396578051.698:9712): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6282 suid=74 rport=55111 laddr=192.168.1.15 lport=22  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578051.698:9713): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6282 suid=74 rport=55111 laddr=192.168.1.15 lport=22  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578051.699:9714): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=02:78:bc:a5:90:96:f8:4d:cb:b3:c9:48:75:81:a9:12 direction=? spid=6281 suid=0  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578051.699:9715): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=b0:17:07:3a:7b:34:40:14:e9:da:c2:9f:62:e5:d3:01 direction=? spid=6281 suid=0  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=USER_LOGIN msg=audit(1396578051.699:9716): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1396578052.576:9717): pid=6284 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=02:78:bc:a5:90:96:f8:4d:cb:b3:c9:48:75:81:a9:12 direction=? spid=6284 suid=0  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578052.576:9718): pid=6284 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=b0:17:07:3a:7b:34:40:14:e9:da:c2:9f:62:e5:d3:01 direction=? spid=6284 suid=0  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1396578052.872:9719): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes128-cbc ksize=128 mac=hmac-sha1 spid=6284 suid=74 rport=55710 laddr=192.168.1.15 lport exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1396578052.872:9720): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes128-cbc ksize=128 mac=hmac-sha1 spid=6284 suid=74 rport=55710 laddr=192.168.1.15 lport exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=USER_LOGIN msg=audit(1396578054.173:9721): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578056.254:9722): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="?" exe="/usr/sbin/sshd" hostname=221.194.57.246 addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578056.254:9723): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578056.254:9724): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=maxtries exceeded acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1396578056.254:9725): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6284 suid=74 rport=55710 laddr=192.168.1.15 lport=22  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578056.254:9726): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6284 suid=74 rport=55710 laddr=192.168.1.15 lport=22  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? d'
 
Old 04-04-2014, 05:22 AM   #2
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
I don't see any USER_LOGIN or USER_AUTH with success results. So, I don't think you got hacked.
 
Old 04-04-2014, 05:35 AM   #3
cyberdome
Member
 
Registered: Mar 2014
Distribution: Fedora 23 - MariaDB 10.1 -
Posts: 130

Original Poster
Blog Entries: 2

Rep: Reputation: 8
Quote:
Originally Posted by Smokey_justme View Post
I don't see any USER_LOGIN or USER_AUTH with success results. So, I don't think you got hacked.
Thanks for replying. This IP address is coming from China: 221.194.57.246.


Code:
 type=CRYPTO_KEY_USER msg=audit(1396578051.698:9712): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6282 suid=74 rport=55111 laddr=192.168.1.15 lport=22  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
What does this res=success mean?
 
Old 04-04-2014, 05:44 AM   #4
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
Look at the message. It destroys the SSH session (successfully).

Yes, a lot of IPs from SSH bots come from China. I recommend looking into Fail2Ban, sshguard or something of the sort so that you can limit and ban the IPs behind these types of attacks.
 
Old 04-07-2014, 03:26 PM   #5
cizzi
Member
 
Registered: Jun 2001
Distribution: Gentoo
Posts: 153

Rep: Reputation: 19
Quote:
Originally Posted by Smokey_justme View Post
Look at the message. It destroys the SSH session (successfully).

Yes, a lot of IPs from SSH bots come from China. I recommend looking into Fail2Ban, sshguard or something of the sort so that you can limit and ban the IPs behind these types of attacks.
You can also use denyhosts, which is the package I use to quickly ban an IP address after 3 failed password attempts. Works well.
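
The point made in replies #2, #4 and #5 can be checked mechanically rather than by eye: only USER_AUTH or USER_LOGIN records with res=success say that somebody authenticated, while the CRYPTO_KEY_USER op=destroy records with res=success only say that sshd threw away the session keys of a connection that failed. The script below is an added example written for this thread, not code from the posters or from any distribution; it parses audit records of the shape shown in post #1, decodes the hex-encoded acct field (28696E76616C6964207573657229 is how audit writes sshd's "(invalid user)", because the value contains a space), and reports per source address how many attempts failed, whether any login succeeded, and which addresses would cross a denyhosts-style threshold. The sample lines are constructed from the excerpt in the thread; the final successful login from 192.168.1.20 is invented so that both outcomes appear. The address-only threshold stands in for the time window that fail2ban and denyhosts also apply.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the audit.log excerpt posted in the thread
# (same event types and field layout). The last line, a successful login
# from a LAN address, is invented so the report shows both outcomes.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1396578051.698:9709): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="?" exe="/usr/sbin/sshd" hostname=221.194.57.246 addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578051.698:9710): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1396578051.698:9712): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6282 suid=74 rport=55111 laddr=192.168.1.15 lport=22  exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=USER_LOGIN msg=audit(1396578051.699:9716): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1396578100.000:9800): pid=6300 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.168.1.20 addr=192.168.1.20 terminal=/dev/pts/0 res=success'
"""

LINE_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")


def decode_acct(value):
    """audit hex-encodes string fields that contain spaces, quotes or control
    characters; that is why sshd's '(invalid user)' appears as
    28696E76616C6964207573657229. 'ausearch -i' performs the same decoding."""
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        try:
            text = bytes.fromhex(value).decode("utf-8")
        except UnicodeDecodeError:
            return value
        if text.isprintable():
            return text
    return value


def parse_audit_line(line):
    """Split one audit record into a flat dict; the nested msg='...' list is
    flattened into the same dict. Returns None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    inner = re.search(r"msg='(.*)'$", rest)
    if inner:
        rest = rest[:inner.start()] + inner.group(1)
    rec = {"type": m.group("type"), "serial": int(m.group("serial")),
           "time": float(m.group("ts"))}
    for key, val in KV_RE.findall(rest):
        rec[key] = val.strip('"')
    if "acct" in rec:
        rec["acct"] = decode_acct(rec["acct"])
    return rec


def summarize(log_text):
    """Per source address: failed authentications, successful logins, the
    account names that were tried, and CRYPTO_* records. CRYPTO_* is kept
    separate on purpose: its res=success only means a key or session was
    created or destroyed, not that anybody got in."""
    report = defaultdict(lambda: {"auth_failed": 0, "login_ok": 0,
                                  "crypto": 0, "accts": set()})
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or "addr" not in rec:
            continue
        entry = report[rec["addr"]]
        kind, res = rec["type"], rec.get("res")
        if kind in ("USER_AUTH", "USER_LOGIN"):
            if res == "failed":
                entry["auth_failed"] += 1
            elif kind == "USER_LOGIN" and res == "success":
                entry["login_ok"] += 1
            if rec.get("acct") not in (None, "?"):
                entry["accts"].add(rec["acct"])
        elif kind.startswith("CRYPTO_"):
            entry["crypto"] += 1
    return dict(report)


def successful_after_failures(report):
    """Addresses worth a closer look: a successful login from an address
    that also produced failed attempts."""
    return sorted(a for a, e in report.items() if e["login_ok"] and e["auth_failed"])


def addresses_to_ban(report, threshold=3):
    """The decision denyhosts/fail2ban make, minus the time window: addresses
    with at least `threshold` failed attempts and no successful login."""
    return sorted(a for a, e in report.items()
                  if e["auth_failed"] >= threshold and not e["login_ok"])


if __name__ == "__main__":
    rep = summarize(SAMPLE_AUDIT_LOG)
    for addr, e in sorted(rep.items()):
        print(f"{addr}: failed={e['auth_failed']} login_ok={e['login_ok']} "
              f"crypto={e['crypto']} accts={sorted(e['accts'])}")
    print("successful login after failures:", successful_after_failures(rep) or "none")
    print("candidates for a ban:", addresses_to_ban(rep))
```

To run it over a real file, feed summarize() the contents of /var/log/audit/audit.log (readable by root only). The same question can be asked of auditd's own tooling with `ausearch -i -m USER_LOGIN -sv yes`, which prints only successful logins with the hex fields already decoded.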
 
Old 04-07-2014, 04:07 PM   #6
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,621

Rep: Reputation: 2651
Also, if you are not using the option
DISABLE remote login

root remote login might already be blocked (default setting, desktop install), but not a normal user.
 
Old 04-07-2014, 04:40 PM   #7
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
Quote:
Originally Posted by Smokey_justme View Post
I recommend looking into Fail2Ban, sshguard or something of the sort so that you can limit and ban the IPs behind these types of attacks.
Additionally, you should disable root-login and, if possible, use key-based authentication instead of passwords.
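
The advice in replies #6 and #7 (no root login, keys instead of passwords) is a handful of sshd_config directives, and the way to verify it is to read the config back rather than trust that it was edited. The script below is an added example written for this thread, not code from the posters or from OpenSSH; the two config fragments are constructed for the demonstration and are not Fedora defaults. It applies two rules of sshd_config that are easy to get wrong by hand: sshd uses the first occurrence of a directive and ignores later duplicates, and anything after a Match line applies only conditionally, so the checker skips it. It also flags ChallengeResponseAuthentication, because with UsePAM yes that setting can let PAM keep prompting for a password even after PasswordAuthentication is set to no; newer OpenSSH releases spell the same directive KbdInteractiveAuthentication, which the parser folds onto the old name.

```python
import re

# Constructed sshd_config fragments for the demonstration (not from the
# thread and not distribution defaults): a weak one and a hardened one.
WEAK_SSHD_CONFIG = """\
# sshd_config (weak, as a demonstration)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_SSHD_CONFIG = """\
# sshd_config (hardened)
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# with UsePAM yes, keyboard-interactive can still ask for a password unless this is off
ChallengeResponseAuthentication no
UsePAM yes
MaxAuthTries 3
"""

# Directive (lower-cased) -> values the checker accepts.
EXPECTED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}

# OpenSSH 8.7+ renamed the directive; treat both spellings as one setting.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def parse_sshd_config(text):
    """Return directive -> value with lower-cased keys. sshd honours the first
    occurrence of a directive, so later duplicates are ignored, and every line
    after the first 'Match' is conditional, so those lines are skipped.
    Accepts both 'Keyword value' and 'Keyword=value', as sshd does."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means the
    four checks in EXPECTED all pass."""
    settings = parse_sshd_config(text)
    findings = []
    for key, allowed in EXPECTED.items():
        want = "/".join(sorted(allowed))
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not set explicitly, set it to {want} "
                            f"rather than relying on the build default")
        elif value not in allowed:
            findings.append(f"{key}: is '{value}', expected {want}")
    return findings


if __name__ == "__main__":
    import sys
    if not sys.stdin.isatty():
        # e.g.  sudo sshd -T | python3 sshd_audit.py   (audits the effective config)
        findings = audit_sshd_config(sys.stdin.read())
        print("\n".join(findings) if findings else "no findings")
    else:
        for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
            print(f"{name}:", audit_sshd_config(text) or "no findings")
```

Running `sudo sshd -T` prints the configuration sshd actually uses, with every directive in lower case and one per line, so piping that into the script checks the live daemon rather than a file that may contain an earlier, overriding occurrence of the same directive. Key-based login must be working for a non-root user before PasswordAuthentication is switched off, or the next remote session will be locked out.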
 