LinuxQuestions.org
Old 08-01-2005, 10:33 PM   #1
Palula
Member
 
Registered: May 2005
Location: Brazil
Distribution: Fedora Core 3
Posts: 138

Rep: Reputation: 15
Logwatch??


I'd like to know what each of these messages is about... What happened in the DHCP session?

Did somebody try to break in? Did he/she accomplish the entrance?

Thanks all!

Code:
From root@localhost.localdomain  Fri Jul 29 23:45:10 2005
Return-Path: <root@localhost.localdomain>
Received: from localhost.localdomain (cortex [127.0.0.1])
	by localhost.localdomain (8.13.1/8.13.1) with ESMTP id j6U2j8j2003703
	for <root@localhost.localdomain>; Fri, 29 Jul 2005 23:45:09 -0300
Received: (from root@localhost)
	by localhost.localdomain (8.13.1/8.13.1/Submit) id j6U2j87e003701
	for root; Fri, 29 Jul 2005 23:45:08 -0300
Date: Fri, 29 Jul 2005 23:45:08 -0300
From: root <root@localhost.localdomain>
Message-Id: <200507300245.j6U2j87e003701@localhost.localdomain>
To: root@localhost.localdomain
Subject: Invalid File Contexts
Status: RO

/root/install.log.syslog
/root/install.log
/lost+found
/lib/modules/2.6.9-1.667/modules.pcimap
/lib/modules/2.6.9-1.667/modules.inputmap
/lib/modules/2.6.9-1.667/modules.ieee1394map
/lib/modules/2.6.9-1.667/modules.isapnpmap
/lib/modules/2.6.9-1.667/modules.alias
/lib/modules/2.6.9-1.667/modules.dep
/lib/modules/2.6.9-1.667/modules.usbmap
/lib/modules/2.6.9-1.667/modules.symbols
/lib/modules/2.6.9-1.667/modules.ccwmap
/var/lib/dhcp/dhclient-eth0.leases
/var/log/rpmpkgs
/var/log/rpmpkgs.1
/var/run/utmp
/.autofsck
/etc/sysconfig/hwconf
/etc/blkid.tab
/etc/.pwd.lock
/etc/asound.state
/etc/resolv.conf.save
/home/lost+found

From root@localhost.localdomain  Sat Jul 30 04:02:19 2005
Return-Path: <root@localhost.localdomain>
Received: from localhost.localdomain (cortex [127.0.0.1])
	by localhost.localdomain (8.13.1/8.13.1) with ESMTP id j6U72Idq022030
	for <root@localhost.localdomain>; Sat, 30 Jul 2005 04:02:18 -0300
Received: (from root@localhost)
	by localhost.localdomain (8.13.1/8.13.1/Submit) id j6U72I2b022028
	for root; Sat, 30 Jul 2005 04:02:18 -0300
Date: Sat, 30 Jul 2005 04:02:18 -0300
From: root <root@localhost.localdomain>
Message-Id: <200507300702.j6U72I2b022028@localhost.localdomain>
To: root@localhost.localdomain
Subject: LogWatch for cortex
Status: RO


 ################### LogWatch 5.2.2 (06/23/04) #################### 
       Processing Initiated: Sat Jul 30 04:02:16 2005
       Date Range Processed: yesterday
     Detail Level of Output: 0
          Logfiles for Host: cortex
 ################################################################ 

 --------------------- sendmail Begin ------------------------ 

Bytes Transferred: 1642
Messages Sent:     2
Total recipients:  2
 ---------------------- sendmail End ------------------------- 



------------------ Disk Space --------------------

/dev/hda1             1.5G  931M  520M  65% /
/dev/hda2             485M   11M  449M   3% /home


 ###################### LogWatch End ######################### 

From root@localhost.localdomain  Sun Jul 31 09:02:33 2005
Return-Path: <root@localhost.localdomain>
Received: from localhost.localdomain (cortex [127.0.0.1])
	by localhost.localdomain (8.13.1/8.13.1) with ESMTP id j6VC2W0O004253
	for <root@localhost.localdomain>; Sun, 31 Jul 2005 09:02:32 -0300
Received: (from root@localhost)
	by localhost.localdomain (8.13.1/8.13.1/Submit) id j6VC2W1j004251
	for root; Sun, 31 Jul 2005 09:02:32 -0300
Date: Sun, 31 Jul 2005 09:02:32 -0300
From: root <root@localhost.localdomain>
Message-Id: <200507311202.j6VC2W1j004251@localhost.localdomain>
To: root@localhost.localdomain
Subject: LogWatch for cortex
Status: RO


 ################### LogWatch 5.2.2 (06/23/04) #################### 
       Processing Initiated: Sun Jul 31 09:02:23 2005
       Date Range Processed: yesterday
     Detail Level of Output: 0
          Logfiles for Host: cortex
 ################################################################ 

 --------------------- pam_unix Begin ------------------------ 

crond:
   Unknown Entries:
      session closed for user root: 9 Time(s)
      session opened for user root by (uid=0): 9 Time(s)

sshd:
   Authentication Failures:
      root (200.75.30.180): 93 Time(s)
      unknown (200.75.30.180): 35 Time(s)


 ---------------------- pam_unix End ------------------------- 


 --------------------- sendmail Begin ------------------------ 



Bytes Transferred: 1806
Messages Sent:     2
Total recipients:  2
 ---------------------- sendmail End ------------------------- 


 --------------------- SSHD Begin ------------------------ 


SSHD Killed: 1 Time(s)

Failed logins from these:
   root/password from ::ffff:200.75.30.180: 93 Time(s)

**Unmatched Entries**
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 60552 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 60637 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 60718 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 60801 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 60887 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 60968 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 32826 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 32908 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 32993 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 33073 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 33161 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 33242 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 33326 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 33406 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 33495 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 33576 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 33657 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 33739 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 33827 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 33911 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 33998 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 34084 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 34165 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 34247 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 34330 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 34414 ssh2
Invalid user admin from ::ffff:200.75.30.180
Failed password for invalid user admin from ::ffff:200.75.30.180 port 34499 ssh2
Invalid user test from ::ffff:200.75.30.180
Failed password for invalid user test from ::ffff:200.75.30.180 port 34600 ssh2
Invalid user test from ::ffff:200.75.30.180
Failed password for invalid user test from ::ffff:200.75.30.180 port 34684 ssh2
Invalid user guest from ::ffff:200.75.30.180
Failed password for invalid user guest from ::ffff:200.75.30.180 port 34770 ssh2
Invalid user guest from ::ffff:200.75.30.180
Failed password for invalid user guest from ::ffff:200.75.30.180 port 34856 ssh2
Invalid user webmaster from ::ffff:200.75.30.180
Failed password for invalid user webmaster from ::ffff:200.75.30.180 port 34933 ssh2
Invalid user webmaster from ::ffff:200.75.30.180
Failed password for invalid user webmaster from ::ffff:200.75.30.180 port 35037 ssh2
Invalid user mysql from ::ffff:200.75.30.180
Failed password for invalid user mysql from ::ffff:200.75.30.180 port 35122 ssh2
Invalid user oracle from ::ffff:200.75.30.180
Failed password for invalid user oracle from ::ffff:200.75.30.180 port 35217 ssh2

 ---------------------- SSHD End ------------------------- 



------------------ Disk Space --------------------

/dev/hda1             1.5G  938M  513M  65% /
/dev/hda2             485M   11M  449M   3% /home


 ###################### LogWatch End ######################### 

From root@localhost.localdomain  Mon Aug  1 01:16:42 2005
Return-Path: <root@localhost.localdomain>
Received: from localhost.localdomain (cortex [127.0.0.1])
	by localhost.localdomain (8.13.1/8.13.1) with ESMTP id j714GfVB003745
	for <root@localhost.localdomain>; Mon, 1 Aug 2005 01:16:41 -0300
Received: (from root@localhost)
	by localhost.localdomain (8.13.1/8.13.1/Submit) id j714GeBD003743
	for root; Mon, 1 Aug 2005 01:16:40 -0300
Date: Mon, 1 Aug 2005 01:16:40 -0300
From: root <root@localhost.localdomain>
Message-Id: <200508010416.j714GeBD003743@localhost.localdomain>
To: root@localhost.localdomain
Subject: LogWatch for cortex
Status: RO


 ################### LogWatch 5.2.2 (06/23/04) #################### 
       Processing Initiated: Mon Aug  1 01:16:20 2005
       Date Range Processed: yesterday
     Detail Level of Output: 0
          Logfiles for Host: cortex
 ################################################################ 

 --------------------- Cron Begin ------------------------ 

**Unmatched Entries**
STARTUP (V5.0)
STARTUP (V5.0)
STARTUP (V5.0)
STARTUP (V5.0)
STARTUP (V5.0)
STARTUP (V5.0)

 ---------------------- Cron End ------------------------- 


 --------------------- dhcpd Begin ------------------------ 

DHCP Server Listening On:
   LPF/eth1/00:e0:7d:cb:4d:1b/192.168.100/24: 10 Time(s)

Unknown Entries:
   If this DHCP server is authoritative for that subnet,: 3 Time(s)
   Internet Systems Consortium DHCP Server V3.0.1: 10 Time(s)
   Unable to add forward map from augusto.palula.org to 192.168.100.3: not authorized: 3 Time(s)
   Unable to add forward map from augusto.palula.org to 192.168.100.3: timed out: 6 Time(s)
   desligar dhcpd succeeded: 2 Time(s)
   in_cio de dhcpd succeeded: 4 Time(s)
   of the dhcpd.conf file.: 3 Time(s)
   please write an `authoritative;' directive either in the: 3 Time(s)
   subnet declaration - for example, write it at the top: 3 Time(s)
   subnet declaration or in some scope that encloses the: 3 Time(s)


 ---------------------- dhcpd End ------------------------- 


 --------------------- Kernel Begin ------------------------ 


WARNING:  Kernel Errors Present
   vesafb: probe of vesafb0 failed with error -6...:  6 Time(s)

 ---------------------- Kernel End ------------------------- 


 --------------------- pam_unix Begin ------------------------ 

crond:
   Unknown Entries:
      session closed for user root: 14 Time(s)
      session opened for user root by (uid=0): 14 Time(s)

login:
   Authentication Failures:
      unknown (): 2 Time(s)


 ---------------------- pam_unix End ------------------------- 


 --------------------- SSHD Begin ------------------------ 


SSHD Killed: 5 Time(s)

SSHD Started: 6 Time(s)

Failed to bind:
   0.0.0.0 port 22 (Address already in use) : 6 Time(s)

 ---------------------- SSHD End ------------------------- 



------------------ Disk Space --------------------

/dev/hda1             1.5G  936M  514M  65% /
/dev/hda2             485M   11M  449M   3% /home


 ###################### LogWatch End #########################
 
Old 08-02-2005, 03:59 PM   #2
Linux~Powered
Member
 
Registered: Jan 2004
Location: /lost+found
Distribution: Slack`er-current
Posts: 845

Rep: Reputation: 33
Someone is running an SSH brute force attack on your box. It's not uncommon. Are you using SSH? If not, shut it down. Make sure you have a strong password and you should be fine, or use an RSA key. My suggestion would be to have SSH listen on a port other than 22. That might help to thwart script kiddies like this one. Keep an eye on your /var/log/messages, /var/log/secure, and history to see what's going on. And I'd recommend installing a rootkit, if you haven't already.
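Logwatch only counts these lines, so here is an added Python example (not from the thread or from Logwatch) that parses sshd "Failed password" lines in the format shown above into per-source, per-user counts and flags sources whose failures pass a threshold, which is the kind of check you would run over /var/log/secure. The sample lines, the 192.0.2.x addresses and the threshold are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the sshd lines quoted in the thread;
# 192.0.2.x are documentation addresses, not real sources.
SAMPLE_LOG = """\
Failed password for root from ::ffff:192.0.2.10 port 60401 ssh2
Failed password for root from ::ffff:192.0.2.10 port 60455 ssh2
Invalid user admin from ::ffff:192.0.2.10
Failed password for invalid user admin from ::ffff:192.0.2.10 port 60552 ssh2
Invalid user test from ::ffff:192.0.2.10
Failed password for invalid user test from ::ffff:192.0.2.10 port 34600 ssh2
Failed password for alice from ::ffff:192.0.2.44 port 50123 ssh2
Accepted publickey for alice from ::ffff:192.0.2.44 port 50124 ssh2
"""

# search() rather than match(), so lines with a syslog prefix
# ("Jul 31 03:12:44 cortex sshd[1234]: ...") parse too.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<src>\S+) port \d+ ssh2"
)

def normalise_ip(addr):
    """Strip the IPv4-mapped IPv6 prefix sshd logs on dual-stack sockets."""
    return addr[7:] if addr.startswith("::ffff:") else addr

def summarise_failures(log_text):
    """Return {src_ip: Counter({user: failures})} for failed password attempts.
    Bare 'Invalid user' lines are skipped: each is paired with a
    'Failed password for invalid user' line carrying the same fact."""
    per_source = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_source[normalise_ip(m.group("src"))][m.group("user")] += 1
    return per_source

def brute_force_sources(per_source, threshold=5):
    """Sources whose total failures reach the threshold, most active first."""
    totals = {src: sum(c.values()) for src, c in per_source.items()}
    return sorted((s for s, n in totals.items() if n >= threshold),
                  key=lambda s: -totals[s])

if __name__ == "__main__":
    stats = summarise_failures(SAMPLE_LOG)
    for src, users in stats.items():
        print(src, dict(users))
    print("brute force candidates:", brute_force_sources(stats, threshold=3))
```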
 
Old 08-02-2005, 09:14 PM   #3
Palula
Member
 
Registered: May 2005
Location: Brazil
Distribution: Fedora Core 3
Posts: 138

Original Poster
Rep: Reputation: 15
Ok. I closed the SSH port, I'm not using it yet... :-)

I'd like to know what a brute force attack consists of. Did he just use random passwords? Because mine is very personal, long, case sensitive, and has special characters and numbers. So I think it would be very difficult for him to get into my SSH port. Anyway, I'd like to know if there are ways of getting the password, because if there are, he could be a step away from achieving his goal....

And the other thing is... I'd really like to understand what happened in the DHCP session of the Logwatch...
Could anyone help?

Thanks a lot. :-)
 