LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-24-2003, 01:24 PM   #1
forand
Member
 
Registered: May 2002
Location: SF Bay Area
Posts: 54

Rep: Reputation: 15
Strange log entries.


Hello all,
I currently use logsentry (or whatever they call it now) to parse my log files and find any "suspicious" entries. The last week I have noticed some strange login attempts. Mainly I get something telling me that I tried to log onto my server from my computer at work (Win2K machine) at a time that I was not at work. I am not aware of anything that can be used to try and use a Windows machine to log onto a *nix OS that could be accessed by an outsider (perhaps I am naive). Anyone have any ideas on this?

Thanks!
 
Old 03-24-2003, 02:09 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,722
Blog Entries: 54

Rep: Reputation: 2968
Could you manage *posting* log entries instead of *talking* about log entries? Snort log entries? Tcpdump? FW?
 
Old 03-24-2003, 02:23 PM   #3
forand
Member
 
Registered: May 2002
Location: SF Bay Area
Posts: 54

Original Poster
Rep: Reputation: 15
I didn't bother posting the log entry because it didn't say anything useful but here it goes:
Code:
Mar 21 16:55:21 host sshd(pam_unix)[14077]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=dhcp.remote.com  user=fred
Mar 21 16:55:23 host sshd[14077]: Failed password for fred from 1.1.1.1 port 3801 ssh2
This was taken from "/var/log/auth.log". I changed the IP and rhost, but they were all correct for my work system.

Last edited by forand; 03-24-2003 at 02:24 PM.
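As an added example (not part of the thread and not written by any of the posters), here is a small Python parser for the two sshd record formats shown in post #3: the pam_unix "authentication failure" line and the OpenSSH "Failed password" line. It joins them into one event list and applies the check forand is actually worried about: authentication attempts arriving from his own trusted work box at hours when he says he was not at it. The sample log text, the "Accepted" line, the year (syslog timestamps carry none), the trusted-source list and the presence window are all constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample modelled on the lines posted in this thread (hostnames and
# IPs were already anonymised by the poster). The 09:12 "Accepted" line and the
# 03:40 line are added here to exercise the checks below.
SAMPLE_LOG = """\
Mar 21 16:55:21 host sshd(pam_unix)[14077]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=dhcp.remote.com  user=fred
Mar 21 16:55:23 host sshd[14077]: Failed password for fred from 1.1.1.1 port 3801 ssh2
Mar 21 09:12:02 host sshd[14102]: Accepted password for fred from 1.1.1.1 port 3802 ssh2
Mar 22 03:40:11 host sshd[14250]: Failed password for fred from 1.1.1.1 port 4120 ssh2
"""

# Syslog prefix: "Mar 21 16:55:21 host prog[pid]: msg". No year is present, so the
# caller supplies one; "prog" may be "sshd" or "sshd(pam_unix)".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# pam_unix record: "... rhost=<name or ip> user=<name>". The \b keeps "ruser=" from
# matching as "user=".
PAM_FAIL_RE = re.compile(r"authentication failure;.*\brhost=(?P<src>\S*).*\buser=(?P<user>\S+)")
# OpenSSH record: "Failed|Accepted <method> for [invalid user ]<name> from <ip> port <n>".
SSH_RE = re.compile(
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass
class AuthEvent:
    when: datetime
    pid: int
    user: str
    src: str        # rhost for the pam_unix line, IP for the sshd line
    result: str     # "failure" or "accepted"
    raw: str


def parse_line(line: str, year: int) -> Optional[AuthEvent]:
    """Turn one auth.log line into an AuthEvent, or None if it is not an sshd auth record."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    pm = PAM_FAIL_RE.search(msg)
    if pm:
        return AuthEvent(when, int(m["pid"]), pm["user"], pm["src"], "failure", line)
    sm = SSH_RE.search(msg)
    if sm:
        result = "accepted" if sm["result"] == "Accepted" else "failure"
        return AuthEvent(when, int(m["pid"]), sm["user"], sm["src"], result, line)
    return None


def parse_auth_log(text: str, year: int) -> List[AuthEvent]:
    return [ev for ev in (parse_line(l.rstrip(), year) for l in text.splitlines()) if ev]


def outside_presence(events: List[AuthEvent], trusted_sources: Set[str],
                     present_from: time = time(9, 0), present_until: time = time(16, 0)) -> List[AuthEvent]:
    """Events from a trusted source (the user's own work box) at a time the user was not there.

    The default window is a constructed assumption; a real check would take it from
    the user's schedule or badge/VPN records."""
    return [ev for ev in events
            if ev.src in trusted_sources and not (present_from <= ev.when.time() < present_until)]


def failures_by_user_and_source(events: List[AuthEvent]) -> Dict[Tuple[str, str], int]:
    """Count failed attempts per (user, source); repeated failures hint at guessing."""
    counts: Dict[Tuple[str, str], int] = {}
    for ev in events:
        if ev.result == "failure":
            counts[(ev.user, ev.src)] = counts.get((ev.user, ev.src), 0) + 1
    return counts


def sources_by_pid(events: List[AuthEvent]) -> Dict[int, Set[str]]:
    """Join the pam_unix rhost and the sshd IP that belong to the same sshd process."""
    joined: Dict[int, Set[str]] = {}
    for ev in events:
        joined.setdefault(ev.pid, set()).add(ev.src)
    return joined


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG, 2003)
    for ev in outside_presence(evs, {"1.1.1.1", "dhcp.remote.com"}):
        print("off-hours attempt from trusted box:", ev.when, ev.user, ev.src, ev.result)
    print("failures:", failures_by_user_and_source(evs))
    print("sources per sshd pid:", sources_by_pid(evs))
```

The pid join matters for this thread: the two lines forand posted carry the same pid (14077), so the name in `rhost=` and the IP in `from` describe one connection, which is how you confirm the rhost forward-resolves to the address you expect rather than trusting either field alone.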
 
Old 03-24-2003, 02:34 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,722
Blog Entries: 54

Rep: Reputation: 2968
Aaahhhrrrggg. Sorry.
I meant the *src* box, I mean, unless they're wiped you should be able to extract login info etc from the W2K event logs. You don't run Floke Integrity, Syslog or any Aide equiv. on W2K by any chance, right?
 
Old 03-24-2003, 03:12 PM   #5
forand
Member
 
Registered: May 2002
Location: SF Bay Area
Posts: 54

Original Poster
Rep: Reputation: 15
All I run on my Win2K box is ZoneAlarm, and that didn't pop up anything. As far as I know you can't run PuTTY from a console alone, so I am clueless as to how something like this could happen even if my system had been breached. I don't run any remote server protocols on the Win2K box so . . . . I was logged into the Win2K box when it says the attempt came, but the screen was locked and in a secured room and was fine when I came in this morning. My only thought was that there was something messed with the time stamps on the Linux system log, but all looked correct when I scanned the log files directly. I don't mean to frustrate you, I just am completely clueless in this.
 
Old 03-24-2003, 04:46 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,722
Blog Entries: 54

Rep: Reputation: 2968
No, you're not frustrating me. Save a copy of your hives and the event logs just in case. Are you able to run netstat (or some of the Foundstone.com freeware tools) on it, see what ports are open? Same for processes? Are you running a scheduler? Are you able to run an antivirus scanner?

LOL, more questions than answers :-]
 
Old 03-24-2003, 05:24 PM   #7
forand
Member
 
Registered: May 2002
Location: SF Bay Area
Posts: 54

Original Poster
Rep: Reputation: 15
Not sure what "hives" are. I can't seem to find any freeware or any downloads in general on foundstone.com; it looks like netstat moved to another site that will be "re-birthed" on the 30th. No antivirus scanner running at the current time, but I haven't installed anything questionable nor clicked on anything questionable. No scheduler running either. Thanks for all the help.
 
Old 03-25-2003, 04:20 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,722
Blog Entries: 54

Rep: Reputation: 2968
Hives are your registry stuff, that's the NT.* name IIRC.
The Foundstone free tools like Fport are at http://www.foundstone.com/knowledge/free_tools.html, and netstat should be part of NT5.

IMO chances that something automated is logging in with PuTTY on your server are small. Chances someone should try and spoof logging in with your username from your W2K IP are infinitesimally slim. Add the fact that *you* didn't install anything or click anything doesn't count as 100 percent proof there ain't nothing wrong in the very automated Wintendo world, I'd say. Look for instance at the fact some M$ products install a hidden SQL server, or embedded ActiveX controls in pages to automagically muck with your registry.

If your event logs turn up nothing then it'll all be much harder to find "evidence" of it all. I don't say it can't be done, but doing forensics will just take much more time than you can justify.
 