LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-25-2005, 05:10 PM   #1
buehler
LQ Newbie
 
Registered: Apr 2001
Location: Chicago
Distribution: Mandrake 10.0
Posts: 24

Rep: Reputation: 15
suspicious entry in /var/log/auth.log


I found these entries in my /var/log/auth.log file:

Apr 19 16:27:51 mymachine kde3(pam_unix)[4025]: session opened for user cosmin by (uid=0)
Apr 19 16:28:01 mymachine xinetd[1761]: START: sgi_fam pid=4465 from=<no address>
Apr 19 16:28:10 mymachine sshd(pam_unix)[4480]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:12 mymachine sshd[4480]: Failed password for root from ::ffff:64.14.48.137 port 60972 ssh2
Apr 19 16:28:14 mymachine sshd(pam_unix)[4488]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:16 mymachine sshd[4488]: Failed password for root from ::ffff:64.14.48.137 port 32796 ssh2
Apr 19 16:28:24 mymachine sshd(pam_unix)[4518]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:26 mymachine sshd[4518]: Failed password for root from ::ffff:64.14.48.137 port 32889 ssh2
Apr 19 16:28:27 mymachine sshd(pam_unix)[4522]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:29 mymachine sshd[4522]: Failed password for root from ::ffff:64.14.48.137 port 33084 ssh2
Apr 19 16:28:30 mymachine sshd(pam_unix)[4524]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:32 mymachine sshd[4524]: Failed password for root from ::ffff:64.14.48.137 port 33132 ssh2
Apr 19 16:28:33 mymachine sshd(pam_unix)[4526]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:35 mymachine sshd[4526]: Failed password for root from ::ffff:64.14.48.137 port 33176 ssh2
Apr 19 16:28:36 mymachine sshd(pam_unix)[4528]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:38 mymachine sshd[4528]: Failed password for root from ::ffff:64.14.48.137 port 33234 ssh2
Apr 19 16:28:39 mymachine sshd(pam_unix)[4530]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:41 mymachine sshd[4530]: Failed password for root from ::ffff:64.14.48.137 port 33285 ssh2
Apr 19 17:15:00 mymachine kde3(pam_unix)[4025]: session closed for user cosmin

Does this mean that user 'cosmin' logged in and then tried to become root (unsuccessfully) several times?
 
Old 04-25-2005, 05:15 PM   #2
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Re: suspicious entry in /var/log/auth.log

Quote:
Originally posted by buehler
does this mean that user 'cosmin' logged in and then tried to become root (unsuccessfully) several times?
Only if the user's IP address was 64.14.48.137. Looks more like the SSH Bruteforce attack (read the sticky thread in this forum).
 
Old 04-25-2005, 05:17 PM   #3
buehler
LQ Newbie
 
Registered: Apr 2001
Location: Chicago
Distribution: Mandrake 10.0
Posts: 24

Original Poster
Rep: Reputation: 15
Could he have logged in and then used 64.14.48.137 to get into my machine as root?
Is there a way to check that?
 
Old 04-25-2005, 10:32 PM   #4
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 3,988

Rep: Reputation: 261
Note that the cosmin log entry was generated by kde and also pay attention to the text "session opened for user cosmin by (uid=0)". This means UID 0 (i.e. root) opened a session as cosmin. This is probably part of some sort of scheduled task. I don't use KDE much, nor do I know what the cosmin user is supposed to be running on your machine, so I can't say much more.

The root logins are all failures, if you'll note, and come from sshd. They look just like the brute force attacks mentioned in the sticky thread. Oh, one other thing, you might consider disabling sgi_fam (line 2) unless you need it for something. It has had vulnerabilities in the past.
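Added example (not code from any poster in this thread): a small Python triage script that applies the reading above to the posted log lines. It keeps apart the three things the question conflates: failed sshd password attempts per source host, successful sshd logins (so "did 64.14.48.137 ever get in?" can be answered from the same file), and pam_unix session lines, where "session opened for user X by (uid=0)" means root opened a session for X, while "session opened for user root by X(uid=N)" would mean X became root. The "Accepted publickey" line, the su line and the address 192.0.2.10 are constructed to show what those two cases look like; they are not in the original log.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the thread. The "Accepted"
# line and the "su" line are added to show what a real success / escalation looks
# like; they are NOT in the original post. 192.0.2.10 is a documentation address.
SAMPLE_AUTH_LOG = """\
Apr 19 16:27:51 mymachine kde3(pam_unix)[4025]: session opened for user cosmin by (uid=0)
Apr 19 16:28:01 mymachine xinetd[1761]: START: sgi_fam pid=4465 from=<no address>
Apr 19 16:28:10 mymachine sshd(pam_unix)[4480]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:12 mymachine sshd[4480]: Failed password for root from ::ffff:64.14.48.137 port 60972 ssh2
Apr 19 16:28:14 mymachine sshd(pam_unix)[4488]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:16 mymachine sshd[4488]: Failed password for root from ::ffff:64.14.48.137 port 32796 ssh2
Apr 19 16:28:24 mymachine sshd(pam_unix)[4518]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:26 mymachine sshd[4518]: Failed password for root from ::ffff:64.14.48.137 port 32889 ssh2
Apr 19 16:28:27 mymachine sshd(pam_unix)[4522]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=relay-0-6.freelotto.com user=root
Apr 19 16:28:29 mymachine sshd[4522]: Failed password for root from ::ffff:64.14.48.137 port 33084 ssh2
Apr 19 16:30:02 mymachine sshd[4540]: Accepted publickey for cosmin from ::ffff:192.0.2.10 port 40122 ssh2
Apr 19 16:40:12 mymachine su(pam_unix)[4601]: session opened for user root by cosmin(uid=1000)
Apr 19 17:15:00 mymachine kde3(pam_unix)[4025]: session closed for user cosmin
"""

# Only the sshd "Failed ..."/"Accepted ..." lines are counted. The sshd(pam_unix)
# "authentication failure" line is the PAM side of the same attempt and would
# double-count it.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
# "by (uid=0)" has an empty opener name; "by cosmin(uid=1000)" names the opener.
SESSION_RE = re.compile(
    r"(?P<service>[\w.-]+)\(pam_unix\)\[\d+\]: session opened for user (?P<user>\S+) "
    r"by (?P<by>[^(\s]*)\(uid=(?P<uid>\d+)\)")


def norm_ip(ip):
    """Strip the IPv4-mapped IPv6 prefix sshd logs on dual-stack hosts."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def triage(log_text):
    failed = Counter()   # (ip, user) -> failed attempts
    accepted = []        # (ip, user, method)
    sessions = []        # (service, user, opened_by, opener_uid)
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            failed[(norm_ip(m["ip"]), m["user"])] += 1
        elif m := ACCEPTED_RE.search(line):
            accepted.append((norm_ip(m["ip"]), m["user"], m["method"]))
        elif m := SESSION_RE.search(line):
            sessions.append((m["service"], m["user"], m["by"], int(m["uid"])))
    return {"failed": failed, "accepted": accepted, "sessions": sessions}


def brute_force_sources(failed, threshold=5):
    """Source hosts with at least `threshold` failed logins, noisiest first."""
    per_ip = Counter()
    for (ip, _user), n in failed.items():
        per_ip[ip] += n
    return [ip for ip, n in per_ip.most_common() if n >= threshold]


def logins_from(accepted, ip):
    """Answers 'did that host ever get in?': successful logins from one source."""
    return [(user, method) for (src, user, method) in accepted if src == ip]


def root_escalations(sessions):
    """Root sessions opened by a non-root uid, i.e. a user running su."""
    return [(svc, by, uid) for (svc, user, by, uid) in sessions
            if user == "root" and uid != 0]


def sessions_opened_by_root(sessions):
    """Sessions opened for a user by uid 0 (display manager, cron, login):
    root starting the user's session, not the user escalating. The kde3 line."""
    return [(svc, user) for (svc, user, by, uid) in sessions
            if uid == 0 and user != "root"]


if __name__ == "__main__":
    r = triage(SAMPLE_AUTH_LOG)
    print("brute-force sources:", brute_force_sources(r["failed"], threshold=3))
    print("logins from 64.14.48.137:", logins_from(r["accepted"], "64.14.48.137"))
    print("sessions root opened for a user:", sessions_opened_by_root(r["sessions"]))
    print("root sessions opened by a user:", root_escalations(r["sessions"]))
```

On the posted log the only brute-force source is 64.14.48.137, it never produced an "Accepted" line, and the sole "opened for user root by someone" session is the constructed su line; the kde3 line is root opening cosmin's session. Run it against a real auth.log with `triage(open("/var/log/auth.log").read())`.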
 
Old 04-27-2005, 07:26 AM   #5
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
What is sgi_fam? Any kind of description will be appreciated; I'm not sure if it's up and running on my system.

And for the brute force, consider entirely disabling root access through sshd, which is set in /etc/ssh/sshd_config with allowrootlogin no (or similar).
You can do su after you log in as a normal user. Also set in the sshd config the users who are allowed to connect; all others will show up in the log as invalid user or similar.
Also, pam_tally is a good thing, to make it drop after, let's say, 5 failed attempts for 5 minutes.

Also a good thing is to change the port and apply RSA keys. There is no other way known to me to protect your world-listening shell.
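Added example (not from the poster): the sshd hardening steps listed above, written as a Python audit of an sshd_config text. The directive the post is reaching for is PermitRootLogin; AllowUsers restricts who may connect at all; PasswordAuthentication no together with PubkeyAuthentication yes is the "apply RSA keys" step; MaxAuthTries caps guesses per connection. Both config fragments are constructed for the example, and the parser assumes a flat config of "Directive value" lines (no Match blocks, no Key=Value form). The pam_tally suggestion is a PAM setting and is not covered here.

```python
import re

# Constructed "before" fragment: what a default-ish config of the era looks like.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed "after" fragment implementing the steps from the post.
HARDENED_SSHD_CONFIG = """\
# A non-default port only cuts scanner noise in the log; it is not a control.
Port 2222
# No direct root logins: log in as a normal user, then su/sudo.
PermitRootLogin no
# Anyone not listed is rejected before a password is even checked.
AllowUsers cosmin buehler
# Keys only.
PubkeyAuthentication yes
PasswordAuthentication no
# Fewer guesses per TCP connection.
MaxAuthTries 3
"""

DIRECTIVE_RE = re.compile(r"^\s*(?P<key>[A-Za-z]+)\s+(?P<value>.+?)\s*$")


def parse_sshd_config(text):
    """{directive_lower: value} for the FIRST occurrence of each directive.
    sshd honours the first value it sees and ignores later duplicates, so an
    audit must do the same or it will be fooled by a 'no' appended at the end."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments, full-line or trailing
        m = DIRECTIVE_RE.match(line)
        if m:
            settings.setdefault(m["key"].lower(), m["value"])
    return settings


def audit_sshd_config(text):
    """Findings for the checks discussed in the thread; empty list means all pass.
    Defaults used for absent directives are OpenSSH's own."""
    s = parse_sshd_config(text)
    findings = []
    # OpenSSH of the thread's era defaulted PermitRootLogin to "yes"; modern
    # versions default to "prohibit-password". Either way, set it explicitly.
    if s.get("permitrootlogin", "yes") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups: every local account is a target")
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is on: passwords can be brute-forced")
    if s.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is off")
    if int(s.get("maxauthtries", "6")) > 3:
        findings.append("MaxAuthTries > 3: more guesses per connection than needed")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, "->", audit_sshd_config(cfg) or "ok")
```

To audit the live file, call `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; after editing, confirm with `sshd -t` and keep an existing session open until a fresh key-based login succeeds on the new port.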
 
Old 04-27-2005, 05:11 PM   #6
damicatz
Member
 
Registered: May 2004
Distribution: FreeBSD 7, Debian "Squeeze", OpenBSD 4.5
Posts: 167

Rep: Reputation: 30
Quote:
Originally posted by johnnydangerous
what is sgi_fam pls any kind of description will be appreciated I'm not sure if it's up & running on my system
http://oss.sgi.com/projects/fam/faq.html#what_is_fam
 