LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-17-2006, 06:27 PM   #1
el_pajaro!
Member
 
Registered: Sep 2003
Location: Ecuador
Distribution: Debian, Ubuntu, Elastix
Posts: 183

Rep: Reputation: 30
Hacked server :( and /var/log/messages


There is a server I went to check several months ago and I found that it didn't boot. I checked /var/log/messages and found out that there were a lot of people trying to access as root. But I don't know how to find out from which IP the hacker did his job.

The log file is here: http://www.hostandino.com/log/log.xavier

That is all the info I have from that server. Well, it was a Red Hat 9.
 
Old 04-17-2006, 06:52 PM   #2
bernied
Member
 
Registered: Mar 2006
Location: Edinburgh, UK
Distribution: debian
Posts: 304

Rep: Reputation: 30
In gentoo you'd look in /var/log/auth.log
Any help?
 
Old 04-17-2006, 06:56 PM   #3
nectron101
Member
 
Registered: Nov 2004
Distribution: SuSE 9.1 Personal
Posts: 41

Rep: Reputation: 15
Humm..

lots of trials to login with root..

I think it's some kind of brute force attacks..
 
Old 04-17-2006, 10:06 PM   #4
el_pajaro!
Member
 
Registered: Sep 2003
Location: Ecuador
Distribution: Debian, Ubuntu, Elastix
Posts: 183

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by bernied
In gentoo you'd look in /var/log/auth.log
Any help?
The problem is that I only have the /var/log/messages


Quote:
Originally Posted by nectron101
I think it's some kind of brute force attacks..
I think so, but I don't know when they had success.
 
Old 04-17-2006, 10:28 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Try running the 'last' command. If the dates don't go back far enough, point the last command at the compressed wtmp file (last -f /var/log/wtmp.1). The usual caveats about logs apply here, if someone has root they can modify log files rather easily.

Looking at your log file there appear to be several successful logins, including one that is in close proximity to a number of failed attempts. Do any of those successful logins correspond to times when the system should have been accessed?

This by itself is probably enough of a learning lesson, but the first rule of running any remote shell service is to never, ever allow root to login directly...it's too easy to bruteforce. Along those lines, are the passwords used on this system reasonably secure (random alphanumeric, etc) or were they fairly weak?
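The check Capt_Caveman describes (a successful login from a source that had just been failing repeatedly) can be automated over /var/log/messages. The script below is an added example, not code from the thread; it assumes the standard OpenSSH "Failed/Accepted password for USER from IP" syslog lines of that era, and the sample log embedded in it is constructed, not taken from the poster's file.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format OpenSSH wrote to /var/log/messages
# on Red Hat 9 era systems (assumed format; not the poster's real log).
SAMPLE_LOG = """\
Apr 15 02:11:01 web sshd[2101]: Failed password for root from 10.0.0.5 port 4411 ssh2
Apr 15 02:11:03 web sshd[2103]: Failed password for root from 10.0.0.5 port 4412 ssh2
Apr 15 02:11:05 web sshd[2105]: Failed password for root from 10.0.0.5 port 4413 ssh2
Apr 15 02:11:09 web sshd[2107]: Accepted password for root from 10.0.0.5 port 4414 ssh2
Apr 15 09:00:12 web sshd[2300]: Accepted password for xavier from 192.168.1.20 port 50211 ssh2
Apr 16 23:40:00 web sshd[2500]: Failed password for invalid user admin from 10.0.0.9 port 3001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_sshd(text):
    """Return (timestamp, result, user, ip) for every sshd password line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["result"], m["user"], m["ip"]))
    return events

def failures_by_ip(events):
    """Count failed attempts per source address, most active first."""
    counts = defaultdict(int)
    for _, result, _, ip in events:
        if result == "Failed":
            counts[ip] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))

def suspicious_logins(events, min_failures=3):
    """Accepted logins from an IP that had >= min_failures failures before."""
    failures = defaultdict(int)
    hits = []
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip] += 1
        elif failures[ip] >= min_failures:
            hits.append({"time": ts, "user": user, "ip": ip,
                         "prior_failures": failures[ip]})
    return hits

if __name__ == "__main__":
    ev = parse_sshd(SAMPLE_LOG)
    print("failed attempts per source:", failures_by_ip(ev))
    for hit in suspicious_logins(ev):
        print("suspicious login:", hit)
```

Replace SAMPLE_LOG with the contents of the real /var/log/messages (or pipe it through grep sshd first) and compare the flagged times against the output of last, keeping in mind the caveat above that a root-level intruder may have edited both.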
 
All times are GMT -5.