Old 04-17-2006, 06:27 PM   #1
Registered: Sep 2003
Location: Ecuador
Distribution: Debian, Ubuntu, Elastix
Posts: 183

Rep: Reputation: 30
Hacked server :( and /var/log/messages

There is a server I went to check several months ago and I found that it didn't boot. I checked /var/log/messages and found out that there were a lot of people trying to access as root. But I don't know how to find out from which IP the hacker did his job.

The log file is here:

That is all the info I have from that server. Well, it was a Red Hat 9.
Old 04-17-2006, 06:52 PM   #2
Registered: Mar 2006
Location: Edinburgh, UK
Distribution: debian
Posts: 304

Rep: Reputation: 30
In gentoo you'd look in /var/log/auth.log
Any help?
Old 04-17-2006, 06:56 PM   #3
Registered: Nov 2004
Distribution: SuSE 9.1 Personal
Posts: 41

Rep: Reputation: 15

lots of trials to login with root..

I think it's some kind of brute force attacks..
Old 04-17-2006, 10:06 PM   #4
Registered: Sep 2003
Location: Ecuador
Distribution: Debian, Ubuntu, Elastix
Posts: 183

Original Poster
Rep: Reputation: 30
Originally Posted by bernied
In gentoo you'd look in /var/log/auth.log
Any help?
The problem is that I only have the /var/log/messages

Originally Posted by nectron101
I think it's some kind of brute force attacks..
I think so, but I don't know when they had success.
Old 04-17-2006, 10:28 PM   #5
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Try running the 'last' command. If the dates don't go back far enough, point the last command at the compressed wtmp file (last -f /var/log/wtmp.1). The usual caveats about logs apply here, if someone has root they can modify log files rather easily.

Looking at your log file there appear to be several successful logins, including one that is in close proximity to a number of failed attempts. Do any of those successful logins correspond to times when the system should have been accessed?

This by itself is probably enough of a learning lesson, but the first rule of running any remote shell service is to never, ever allow root to login. It's too easy to bruteforce. Along those lines, are the passwords used on this system reasonably secure (random alphanumeric, etc) or were they fairly weak?
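
The question in post #1 (which IP did the attacker come from) and the observation in post #5 (a successful login sitting right next to a burst of failures) are both answerable mechanically from syslog-format sshd lines. The script below is an added example, not code from the original thread or from any of the posters; the log lines in it are constructed for illustration, since the original attachment is not on the page. It assumes the sshd messages landed in /var/log/messages as the poster describes (on a stock Red Hat syslog.conf the authpriv facility normally goes to /var/log/secure instead, so check both), that the year is known (syslog timestamps carry none), and that the OpenSSH wording of the period ("Failed password for root from ...", "Failed password for illegal user X from ...", "Accepted password for root from ...") is what appears. The usual caveat from post #5 applies: once the attacker has root these lines can have been edited, so treat the output as a lead to cross-check against wtmp (`last -f /var/log/wtmp.1`) and file timestamps, not as proof.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in syslog format (hypothetical hosts and RFC 5737
# documentation addresses); not taken from the original poster's log.
SAMPLE_LOG = """\
Apr 10 02:14:07 web1 sshd[2211]: Failed password for root from 198.51.100.23 port 40122 ssh2
Apr 10 02:14:09 web1 sshd[2213]: Failed password for root from 198.51.100.23 port 40131 ssh2
Apr 10 02:14:11 web1 sshd[2215]: Failed password for illegal user admin from 198.51.100.23 port 40140 ssh2
Apr 10 02:14:13 web1 sshd[2217]: Failed password for root from 198.51.100.23 port 40152 ssh2
Apr 10 02:14:15 web1 sshd[2219]: Accepted password for root from 198.51.100.23 port 40160 ssh2
Apr 10 09:30:02 web1 sshd[2310]: Accepted password for root from 192.0.2.10 port 51002 ssh2
Apr 11 04:01:55 web1 sshd[2400]: Failed password for root from 203.0.113.77 port 3301 ssh2
Apr 11 04:01:58 web1 sshd[2402]: Failed password for root from 203.0.113.77 port 3302 ssh2
"""

# "Mon DD HH:MM:SS host sshd[pid]: (Accepted|Failed) <method> for [illegal user ]<user> from <ip> port N"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Accepted|Failed) \S+ for (?:illegal user )?(?P<user>\S+) '
    r'from (?P<ip>[\d.]+) port \d+'
)


def parse_events(text, year):
    """Return a list of (timestamp, accepted, user, ip) tuples in file order.

    Lines that are not sshd auth results are skipped. `year` is supplied by
    the caller because syslog timestamps do not include one.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m['result'] == 'Accepted', m['user'], m['ip']))
    return events


def failures_by_ip(events):
    """Count failed attempts per source IP: the brute-forcing hosts rise to the top."""
    counts = defaultdict(int)
    for _, accepted, _, ip in events:
        if not accepted:
            counts[ip] += 1
    return dict(counts)


def successful_logins(events):
    """Every accepted login as (timestamp, user, ip), to compare with expected admin activity."""
    return [(ts, user, ip) for ts, accepted, user, ip in events if accepted]


def suspicious_logins(events, window_seconds=600, min_failures=3):
    """Accepted logins preceded within `window_seconds` by at least `min_failures`
    failures from the same IP: the 'success right after a burst of failures'
    pattern that indicates a password guess that finally worked.
    """
    hits = []
    for i, (ts, accepted, user, ip) in enumerate(events):
        if not accepted:
            continue
        prior = [e for e in events[:i]
                 if e[3] == ip and not e[1]
                 and (ts - e[0]).total_seconds() <= window_seconds]
        if len(prior) >= min_failures:
            hits.append({'time': ts, 'user': user, 'ip': ip,
                         'failures_before': len(prior)})
    return hits


if __name__ == "__main__":
    # Usage: python sshd_triage.py /var/log/messages [year]; with no arguments the sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    year = int(sys.argv[2]) if len(sys.argv) > 2 else 2006
    ev = parse_events(text, year)
    print("Failed attempts per source IP:")
    for ip, n in sorted(failures_by_ip(ev).items(), key=lambda kv: -kv[1]):
        print(f"  {ip:16} {n}")
    print("All successful logins:")
    for ts, user, ip in successful_logins(ev):
        print(f"  {ts}  {user:8} from {ip}")
    print("Successes preceded by a burst of failures from the same IP:")
    for h in suspicious_logins(ev):
        print(f"  {h['time']}  {h['user']} from {h['ip']} after {h['failures_before']} failures")
```

On the constructed sample the report singles out 198.51.100.23, which logged in as root seconds after four failures, while the 192.0.2.10 login (no prior failures) is listed only under "all successful logins" for the admin to vouch for. The window and threshold are tunable; a slow, distributed guess (one attempt per IP per hour) will not trip the burst check, which is why the per-IP failure counts and the full success list are printed as well.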

