LinuxQuestions.org - Linux - Security: Hacked server :( and /var/log/messages (http://www.linuxquestions.org/questions/linux-security-4/hacked-server-and-var-log-messages-436173/)

el_pajaro! 04-17-2006 06:27 PM

Hacked server :( and /var/log/messages
 
There is a server I went to check several months ago and I found that it didn't boot. I checked /var/log/messages and found out that there were a lot of people trying to access as root. But I don't know how to find out from which IP the hacker did his job.

The log file is here: http://www.hostandino.com/log/log.xavier

That is all the info I have from that server. Well, it was a Red Hat 9.

bernied 04-17-2006 06:52 PM

In gentoo you'd look in /var/log/auth.log
Any help?

nectron101 04-17-2006 06:56 PM

Humm..

lots of trials to login with root..

I think it's some kind of brute force attacks..

el_pajaro! 04-17-2006 10:06 PM

Quote:

Originally Posted by bernied
In gentoo you'd look in /var/log/auth.log
Any help?

The problem is that I only have the /var/log/messages :(


Quote:

Originally Posted by nectron101
I think it's some kind of brute force attacks..

I think so, but I don't know when they had success.

Capt_Caveman 04-17-2006 10:28 PM

Try running the 'last' command. If the dates don't go back far enough, point the last command at the compressed wtmp file (last -f /var/log/wtmp.1). The usual caveats about logs apply here, if someone has root they can modify log files rather easily.

Looking at your log file there appear to be several successful logins, including one that is in close proximity to a number of failed attempts. Do any of those successful logins correspond to times when the system should have been accessed?

This by itself is probably enough of a learning lesson, but the first rule of running any remote shell service is to never, ever allow root to login directly...it's too easy to brute-force. Along those lines, are the passwords used on this system reasonably secure (random alphanumeric, etc) or were they fairly weak?
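The check Capt_Caveman describes (finding an "Accepted" sshd login that sits right after a burst of "Failed password" lines from the same address) can be scripted rather than eyeballed. The following is an added example, not code from anyone in this thread: it parses sshd lines in the syslog format a Red Hat 9 box wrote to /var/log/messages, counts failures per source IP, and flags every successful login that was preceded by a run of failures from the same IP within a time window. The log lines, the hostname "xavier", the addresses and the year 2006 are all constructed assumptions (syslog lines carry no year, so one has to be supplied); point `parse_events` at the real file contents instead.

```python
"""Correlate sshd failures with later successful logins in a /var/log/messages extract."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in the format sshd logged to /var/log/messages on a
# Red Hat 9 host. Assumption: hostname "xavier" and all addresses are made up.
SAMPLE_LOG = """\
Mar 12 02:14:01 xavier sshd[1201]: Failed password for root from 10.0.0.5 port 4412 ssh2
Mar 12 02:14:03 xavier sshd[1203]: Failed password for root from 10.0.0.5 port 4413 ssh2
Mar 12 02:14:05 xavier sshd[1205]: Failed password for illegal user admin from 10.0.0.5 port 4414 ssh2
Mar 12 02:14:07 xavier sshd[1207]: Failed password for root from 10.0.0.5 port 4415 ssh2
Mar 12 02:14:09 xavier sshd[1209]: Failed password for root from 10.0.0.5 port 4416 ssh2
Mar 12 02:14:11 xavier sshd[1211]: Failed password for root from 10.0.0.5 port 4417 ssh2
Mar 12 02:20:40 xavier sshd[1290]: Accepted password for root from 10.0.0.5 port 4501 ssh2
Mar 12 09:02:15 xavier sshd[1402]: Accepted publickey for xavier from 192.168.1.20 port 51022 ssh2
Mar 12 09:05:00 xavier kernel: eth0: link up
"""

# Matches both "Failed password for root from ..." and
# "Failed password for illegal user admin from ..." as well as "Accepted publickey for ...".
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text, year=2006):
    """Return sshd auth events as dicts sorted by time.

    syslog timestamps have no year, so `year` is an assumption the caller supplies.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # kernel, cron and other non-sshd lines are not auth events
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    events.sort(key=lambda e: e["ts"])
    return events


def failures_by_ip(events):
    """Count failed logins per source address (the brute-force sources)."""
    return Counter(e["ip"] for e in events if e["result"] == "Failed")


def suspicious_accepts(events, window=timedelta(minutes=30), min_failures=5):
    """Flag Accepted logins preceded by at least `min_failures` failures from the
    same IP inside `window`. A legitimate admin login normally has none."""
    flagged = []
    for i, ev in enumerate(events):
        if ev["result"] != "Accepted":
            continue
        since = ev["ts"] - window
        n = sum(1 for f in events[:i]
                if f["result"] == "Failed" and f["ip"] == ev["ip"] and f["ts"] >= since)
        if n >= min_failures:
            flagged.append({"ts": ev["ts"], "user": ev["user"], "ip": ev["ip"],
                            "failures_before": n})
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("failures per IP:", dict(failures_by_ip(evs)))
    for hit in suspicious_accepts(evs):
        print(f"{hit['ts']} {hit['user']}@{hit['ip']} accepted after {hit['failures_before']} failures")
```

The window and threshold are judgement calls: a slow, patient attacker spreads attempts over hours, so try a wider window and a lower threshold before concluding nothing matches. As the post says, this only works if the log was not edited, so compare the flagged times against `last` output and against when the machine was genuinely administered.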

