Originally Posted by unSpawn
This may sound a bit harsh but what you believe, think, worry about, think you think or guess does not matter as you wiped all "evidence". Now some members may be in for the thrill guessing games and wild speculation bring but I prefer to base any diagnosis on cold hard facts. The only consolation you have is you're in the presence of new as well as seasoned Linux users who all fell for the "let's wipe everything and hope it'll be cool anyway" reflex.
First of all, no it is not a bit harsh, maybe not helpful! But not harsh. After all, on a Linux QUESTION site not a single one of my questions was answered! If this seems a bit harsh, delete my account.
“what you believe, think, worry about, think you think or guess does not matter “ ~unSpawn
Actually it does! What we call “cold hard facts” comes from what we “believe” to be true about something. It is our belief, suspicions & knowledge of what we know to be true that lead to computer security in the first place. After all, if no one ever questioned or believed that the system was slowing down due to mass outbound connections we never would have figured out that viruses spread machine to machine. Get my point?
“I prefer to base any diagnosis on cold hard facts.” ~unSpawn
FACT!: Internet routable IP address (first mistake)
FACT!: mass amounts of failed login attempts with invalid usernames in /var/log/btmp
FACT!: actual user account names not listed in the /var/log/btmp
FACT!: files reverting to original state of creation and not maintaining updated status.
FACT!: system up to date
FACT!: firewall and SELinux on
FACT!: only open ports https, http & ssh
FACT!: no SELinux alerts
FACT!: to copy files from a user account to /var/www/html/* one must have elevated access or more than just user permissions
“The only consolation you have is you're in the presence of new as well as seasoned Linux users” ~unSpawn
For someone who does not like games, you seem to be promoting it by basing your opinion without “cold hard facts” of the situation. I realize you're upset that the evidence was destroyed and no further research can be done ( “unfortunately I will not be able to "test" or "look" at that systems log files anymore. Sorry for that.” ~W@M). However my situation was not one of “users who all fell for the "let's wipe everything and hope it'll be cool anyway" reflex.”~unSpawn, it was my only dev box (second mistake) and I was under a deadline to produce the pages that kept getting reverted. Assuming the worst of a compromised system, I understand most compromised systems result in wiping the box. True, usually after review of evidence. 30 minutes up and running again vs 3 days with no answers, yes I will destroy the evidence for that kind of turnaround.
I expected seasoned Linux users would have some input on what to look for in the future or suggestions on what files to look at, or something other than the useless comment you made that does not even reflect any form of moderation!
“Now some members may be in for the thrill guessing games and wild speculation bring”~unSpawn
I am not here for a guessing game. Yeah, okay I could have rephrased my questions. So, let me do that now.
“Did they get in my system and I just don't know it? “
How can you tell if someone is maintaining access to your box without a current active connection?
“Were they the ones who changed my files? “
How can you tell if a user account has changed a file if you do not recall the dates of creation or modification?
“User1 & user2 did not have failed ssh attempts so were the failed entries deleted or did they not even try them since there was no lastb entry for them? “
If a cracker found an active user account and is trying to use it for access, would it show in the btmp log as a failed attempt?
If that failed-attempt log was deleted, wouldn't that mean they have access so that they could alter the log?
“What else could have caused the files to be reverted to the originals?”
Does ssh have caching? Could it have not saved the changes to the two files I worked on last?
FACT! Not Mentioned earlier: Only the last two files worked on were reverted to the original. All other files keep updated changes.
“It's my belief that if they are trying to ssh in and keep failing to guess the right user account and password combo then in theory they did not get in. Would that be correct?”
How can you tell if a cracker used a valid user account to gain access to your system?
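As an added example (not code from this thread or from any poster), here is a small parser that reads /var/log/btmp directly instead of relying on lastb, counts failed attempts per username and per source host, and reports which of the system's real accounts were targeted, which is the check the questions about user1/user2 above are really asking for. It assumes the 64-bit glibc struct utmp layout (384-byte records); the sample records and addresses are constructed.

```python
import struct
from collections import Counter

# Assumed layout: Linux x86_64 glibc struct utmp (bits/utmp.h), 384 bytes/record:
# ut_type(h) pad(2) ut_pid(i) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
# ut_exit(hh) ut_session(i) ut_tv(ii) ut_addr_v6[4](4i) unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 on that layout
LOGIN_PROCESS = 6  # ut_type sshd uses for failed-login records (assumption)


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_btmp(data: bytes):
    """Yield (user, host, tv_sec) for every complete record in btmp bytes."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield _cstr(f[4]), _cstr(f[5]), f[9]   # ut_user, ut_host, ut_tv.tv_sec


def summarize(data: bytes, real_accounts):
    """Count failures per user and per host; list real accounts that were tried."""
    by_user, by_host = Counter(), Counter()
    for user, host, _ in parse_btmp(data):
        by_user[user] += 1
        by_host[host] += 1
    targeted = sorted(u for u in real_accounts if by_user[u] > 0)
    return by_user, by_host, targeted


def make_record(user: str, host: str, tv_sec: int, pid: int = 1234) -> bytes:
    """Build one constructed btmp record the way a failed ssh login looks."""
    return struct.pack(UTMP_FMT, LOGIN_PROCESS, pid, b"ssh:notty", b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0)


def build_sample() -> bytes:
    """Constructed data (RFC 5737 documentation addresses), not a real log."""
    attempts = [("admin", "203.0.113.7", 1700000000),
                ("oracle", "203.0.113.7", 1700000010),
                ("admin", "203.0.113.7", 1700000020),
                ("user1", "198.51.100.9", 1700000030)]
    return b"".join(make_record(u, h, t) for u, h, t in attempts)


if __name__ == "__main__":  # run on a live box: python3 btmp_check.py /var/log/btmp
    import pwd, sys
    with open(sys.argv[1] if len(sys.argv) > 1 else "/var/log/btmp", "rb") as fh:
        by_user, by_host, hit = summarize(fh.read(), {p.pw_name for p in pwd.getpwall()})
    print("real accounts with failed attempts:", hit)
    print("top users:", by_user.most_common(5), "top hosts:", by_host.most_common(5))
```

A real account appearing in this output is exactly the case the post asks about: the attempts are logged as failures, so the name showing up means it was tried, not that it succeeded; successes live in wtmp (`last`) and the sshd journal.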