Linux - Newbie This Linux forum is for members that are new to Linux.
04-04-2014, 05:17 AM
#1
Member
Registered: Mar 2014
Distribution: Fedora 23 - MariaDB 10.1 -
Posts: 130
I think my Fedora server got HACKED??!!! I don't know what to do next?
I am a Linux newbie; I am completely new to Linux.
I am looking at my audit.log file. I see many attempts, and at the end of the line it says 'res=success'.
That to me does not look good. Not a good sign when you see success?
Please, can someone help guide me to the next step? What should I do next?
Code:
s=failed'
type=USER_AUTH msg=audit(1396578042.454:9684): pid=6277 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578042.454:9685): pid=6277 uid=0 auid=4294967295 ses=4294967295 msg='op=maxtries exceeded acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1396578042.454:9686): pid=6277 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6278 suid=74 rport=54072 laddr=192.168.1.15 lport=22 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578042.454:9687): pid=6277 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6278 suid=74 rport=54072 laddr=192.168.1.15 lport=22 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578042.455:9688): pid=6277 uid=0 auid=4294967295 res=success'
type=CRYPTO_SESSION msg=audit(1396578043.710:9693): pid=6279 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes128-cbc ksize=128 mac=hmac-sha1 spid=6280 suid=74 rport=54576 laddr=192.168.1.15 lport exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1396578043.711:9694): pid=6279 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes128-cbc ksize=128 mac=hmac-sha1 spid=6280 suid=74 rport=54576 laddr=192.168.1.15 lport exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=USER_LOGIN msg=audit(1396578044.997:9695): pid=6279 uid=0 auid=4294967295 ses=4294967295 mssr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1396578047.733:9704): pid=6282 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=02:78:bc:a5:90:96:f8:4d:cb:b3:c9:48:75:81:a9:12 direction=? spid=6282 suid=0 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578047.733:9705): pid=6282 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=b0:17:07:3a:7b:34:40:14:e9:da:c2:9f:62:e5:d3:01 direction=? spid=6282 suid=0 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1396578048.024:9706): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes128-cbc ksize=128 mac=hmac-sha1 spid=6282 suid=74 rport=55111 laddr=192.168.1.15 lport exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1396578048.024:9707): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes128-cbc ksize=128 mac=hmac-sha1 spid=6282 suid=74 rport=55111 laddr=192.168.1.15 lport exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=USER_LOGIN msg=audit(1396578049.305:9708): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578051.698:9709): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="?" exe="/usr/sbin/sshd" hostname=221.194.57.246 addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578051.698:9710): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578051.698:9711): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=maxtries exceeded acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1396578051.698:9712): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6282 suid=74 rport=55111 laddr=192.168.1.15 lport=22 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578051.698:9713): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6282 suid=74 rport=55111 laddr=192.168.1.15 lport=22 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578051.699:9714): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=02:78:bc:a5:90:96:f8:4d:cb:b3:c9:48:75:81:a9:12 direction=? spid=6281 suid=0 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578051.699:9715): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=b0:17:07:3a:7b:34:40:14:e9:da:c2:9f:62:e5:d3:01 direction=? spid=6281 suid=0 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=USER_LOGIN msg=audit(1396578051.699:9716): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1396578052.576:9717): pid=6284 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=02:78:bc:a5:90:96:f8:4d:cb:b3:c9:48:75:81:a9:12 direction=? spid=6284 suid=0 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578052.576:9718): pid=6284 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=b0:17:07:3a:7b:34:40:14:e9:da:c2:9f:62:e5:d3:01 direction=? spid=6284 suid=0 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1396578052.872:9719): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes128-cbc ksize=128 mac=hmac-sha1 spid=6284 suid=74 rport=55710 laddr=192.168.1.15 lport exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1396578052.872:9720): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes128-cbc ksize=128 mac=hmac-sha1 spid=6284 suid=74 rport=55710 laddr=192.168.1.15 lport exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=USER_LOGIN msg=audit(1396578054.173:9721): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578056.254:9722): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="?" exe="/usr/sbin/sshd" hostname=221.194.57.246 addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578056.254:9723): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578056.254:9724): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=maxtries exceeded acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1396578056.254:9725): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6284 suid=74 rport=55710 laddr=192.168.1.15 lport=22 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1396578056.254:9726): pid=6283 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6284 suid=74 rport=55710 laddr=192.168.1.15 lport=22 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? d'
04-04-2014, 05:22 AM
#2
Member
Registered: Oct 2009
Distribution: Slackware
Posts: 534
I don't see any USER_LOGIN or USER_AUTH with success results, so I don't think you got hacked.
04-04-2014, 05:35 AM
#3
Member
Registered: Mar 2014
Distribution: Fedora 23 - MariaDB 10.1 -
Posts: 130
Original Poster
Quote:
Originally Posted by
Smokey_justme
I don't see any USER_LOGIN or USER_AUTH with success results, so I don't think you got hacked.
Thanks for replying. This IP address is coming from China: 221.194.57.246.
Code:
type=CRYPTO_KEY_USER msg=audit(1396578051.698:9712): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6282 suid=74 rport=55111 laddr=192.168.1.15 lport=22 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
What does this res=success mean?
04-04-2014, 05:44 AM
#4
Member
Registered: Oct 2009
Distribution: Slackware
Posts: 534
Look at the message. It destroys the SSH session (successfully).
Yes, a lot of IPs from SSH bots come from China. I recommend looking into Fail2Ban, sshguard or something of the sort so that you can limit and ban the IPs of these types of attacks...
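The distinction made in posts #2 and #4 (a CRYPTO_KEY_USER or CRYPTO_SESSION record with res=success is only key or session bookkeeping; whether a login succeeded is stated by USER_AUTH and USER_LOGIN records) can be checked mechanically rather than by eye. The following Python is an added example, not code from anyone in this thread. It parses audit records, decodes the hex-encoded acct field (28696E76616C6964207573657229 is auditd's encoding of "(invalid user)"), counts failures per source address and flags any genuinely successful login. The posted records are copied from the first post; the one successful login is constructed, so that the detector has something to report.

```python
"""Triage sshd records in a Linux audit.log.

Added example for this thread; not code from any of the posters. It ignores
the CRYPTO_* lifecycle records, whose res=success only means a session key
was set up or torn down, and looks at USER_AUTH / USER_LOGIN only.
"""
import re
from collections import Counter

# Only these record types carry the result of an authentication attempt.
AUTH_TYPES = {"USER_AUTH", "USER_LOGIN"}

# key=value where value is 'single quoted', "double quoted" or a bare token.
FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")

# Records copied verbatim from the first post's audit.log excerpt.
POSTED_RECORDS = r"""
type=USER_AUTH msg=audit(1396578042.454:9684): pid=6277 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578042.454:9685): pid=6277 uid=0 auid=4294967295 ses=4294967295 msg='op=maxtries exceeded acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1396578042.454:9686): pid=6277 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=6278 suid=74 rport=54072 laddr=192.168.1.15 lport=22 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1396578043.710:9693): pid=6279 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes128-cbc ksize=128 mac=hmac-sha1 spid=6280 suid=74 rport=54576 laddr=192.168.1.15 lport exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=? res=success'
type=USER_LOGIN msg=audit(1396578049.305:9708): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1396578051.698:9709): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="?" exe="/usr/sbin/sshd" hostname=221.194.57.246 addr=221.194.57.246 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1396578051.699:9716): pid=6281 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=221.194.57.246 terminal=ssh res=failed'
""".strip().splitlines()

# Constructed, not from the thread: what a genuine successful login looks like
# (the uid appears in id=, and the terminal is a pty, not "ssh").
CONSTRUCTED_SUCCESS = (
    "type=USER_LOGIN msg=audit(1396578100.000:9800): pid=6300 uid=0 auid=1000 ses=5 "
    "msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=? addr=192.168.1.20 "
    "terminal=/dev/pts/0 res=success'"
)
SAMPLE = POSTED_RECORDS + [CONSTRUCTED_SUCCESS]


def parse_record(line):
    """Flatten one record into a dict; the nested msg='...' payload is merged in."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if key == "msg" and raw.startswith("'"):
            fields.update(parse_record(raw[1:-1]))  # op=... acct=... res=...
        else:
            fields[key] = raw
    return fields


def decode_field(raw):
    """auditd writes a text field as "..." when it is plain, and as bare uppercase
    hex when it contains a space, a double quote or a non-printable byte. That is
    why the bots' "(invalid user)" shows up as 28696E76616C6964207573657229."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def triage(lines):
    """Return (failures keyed by (addr, account), list of successful logins)."""
    failures = Counter()
    successes = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") not in AUTH_TYPES:
            continue  # CRYPTO_KEY_USER / CRYPTO_SESSION: res says nothing about auth
        addr = rec.get("addr", "?")
        # Failed attempts carry acct=...; a successful USER_LOGIN carries id=<uid>.
        who = decode_field(rec["acct"]) if "acct" in rec else rec.get("id", "?")
        if rec.get("res") == "success":
            successes.append((addr, who, rec.get("op")))
        else:
            failures[(addr, who)] += 1
    return failures, successes


def noisy_sources(failures, threshold):
    """Addresses with at least `threshold` failures: the Fail2Ban/sshguard view."""
    per_addr = Counter()
    for (addr, _who), n in failures.items():
        per_addr[addr] += n
    return sorted(a for a, n in per_addr.items() if n >= threshold)


if __name__ == "__main__":
    failures, successes = triage(SAMPLE)
    for (addr, who), n in failures.most_common():
        print(f"{n:3d} failed  {addr:16s} {who}")
    print("sources over threshold:", noisy_sources(failures, 3))
    for addr, who, op in successes:
        print(f"SUCCESSFUL {op} from {addr} as uid {who}  <- verify this one")
```

On a real box the same question is answered by the audit tools themselves: `ausearch -m USER_LOGIN -sv yes -i` lists only successful logins (with `-i` interpreting the hex-encoded fields), and any successful login from an address you do not recognise, not the res=success on a key-destroy record, is the thing that warrants incident handling.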
04-07-2014, 03:26 PM
#5
Member
Registered: Jun 2001
Distribution: Gentoo
Posts: 153
Quote:
Originally Posted by
Smokey_justme
Look at the message. It destroys the SSH session (successfully).
Yes, a lot of IPs from SSH bots come from China. I recommend looking into Fail2Ban, sshguard or something of the sort so that you can limit and ban the IPs of these types of attacks...
You can also use DenyHosts, which is the package I use to quickly ban an IP address after 3 failed password attempts. Works well.
04-07-2014, 04:07 PM
#6
LQ Muse
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,621
Also, if you are not using the option
DISABLE remote login
root remote login might already be blocked (default setting, desktop install), but not a normal user.
04-07-2014, 04:40 PM
#7
Moderator
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Quote:
Originally Posted by
Smokey_justme
I recommend looking into Fail2Ban, sshguard or something of the sort so that you can limit and ban the IPs of these types of attacks...
Additionally, you should disable root login and, if possible, use key-based authentication instead of passwords.
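Putting the advice in posts #6 and #7 into the config file: the following Python is an added example, not part of this thread and not OpenSSH's own tooling. It rewrites an sshd_config text so that PermitRootLogin and PasswordAuthentication are off and PubkeyAuthentication is on, and it respects two sshd_config rules that make a naive edit fail silently: the first occurrence of a keyword wins (so the hardened values go at the very top, ahead of any Include line, and stale global copies are removed), and anything after a Match line applies only inside that block (so such copies are kept but reported). The sample config, its Match block and the MaxAuthTries value are constructed assumptions.

```python
"""Harden an OpenSSH sshd_config: no root login, no passwords, keys only.

Added example for this thread; not code from any poster or from OpenSSH.
It relies on two sshd_config rules: the first occurrence of a keyword wins,
and directives after a 'Match' line apply only inside that Match block.
"""
import re

# Settings to enforce globally. MaxAuthTries 3 is an assumed value, chosen to
# match the "ban after 3 failures" habit discussed in the thread.
HARDENED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "MaxAuthTries": "3",
}

# 'Keyword value' or 'Keyword=value'. A leading '#' makes it a comment, which
# deliberately does not match: commented-out copies are left in place.
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]\w*)\s*(?:=|\s)\s*(.*?)\s*$")
MATCH_RE = re.compile(r"^\s*Match\b", re.IGNORECASE)

# Constructed sample resembling a stock sshd_config; not a real file.
SAMPLE = """\
# sshd_config (constructed sample)
Include /etc/ssh/sshd_config.d/*.conf
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""


def harden_sshd_config(text):
    """Return (hardened_text, warnings).

    The HARDENED directives are written once at the very top, ahead of any
    Include, so first-wins resolution cannot be beaten by an included file.
    Global copies of those keywords are dropped; copies inside a Match block
    are kept, because they are scoped exceptions, but reported for review.
    """
    wanted = {k.lower() for k in HARDENED}
    kept, warnings = [], []
    in_match = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if MATCH_RE.match(line):
            in_match = True
        m = DIRECTIVE_RE.match(line)
        if m and m.group(1).lower() in wanted:
            if in_match:
                warnings.append(
                    f"line {lineno}: '{m.group(1)} {m.group(2)}' inside a Match "
                    "block still applies to matching clients; review it")
            else:
                continue  # drop the stale global copy
        kept.append(line)
    header = [f"{k} {v}" for k, v in HARDENED.items()]
    return "\n".join(header + kept) + "\n", warnings


def effective_settings(text):
    """First-wins view of the global section (what 'sshd -T' reports for a
    client that matches no Match block); keys are lower-cased."""
    seen = {}
    for line in text.splitlines():
        if MATCH_RE.match(line):
            break
        m = DIRECTIVE_RE.match(line)
        if m and m.group(1).lower() not in seen:
            seen[m.group(1).lower()] = m.group(2)
    return seen


if __name__ == "__main__":
    new_text, warnings = harden_sshd_config(SAMPLE)
    print(new_text)
    for w in warnings:
        print("WARNING:", w)
    print("effective:", {k.lower(): effective_settings(new_text)[k.lower()] for k in HARDENED})
```

Before restarting sshd with a rewritten file, install your public key in ~/.ssh/authorized_keys and confirm a key-based login works, validate the file with `sshd -t -f <file>`, and keep your current session open while you reload; with PasswordAuthentication off, a missing key is a lock-out, not a warning.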