12-10-2005, 11:55 AM   #1
grant-skywalker
Member
 
Registered: Jul 2005
Location: Jakarta / Kuala Lumpur
Distribution: Slackware, Debian, Ubuntu, Centos
Posts: 40

/var/log/messages keep repeating this message, am i hacked?


Hi,

I have my doubts, as my /var/log/messages keeps repeating this message. Am I being hacked?

Nov 27 19:20:36 XXXXXXXX sshd(pam_unix)[18990]: session opened for user root by (uid=0)
Nov 27 19:20:36 XXXXXXXX sshd(pam_unix)[18990]: session closed for user root
Nov 27 19:20:46 XXXXXXXX sshd(pam_unix)[19000]: session opened for user root by (uid=0)
Nov 27 19:20:46 XXXXXXXX sshd(pam_unix)[19000]: session closed for user root
Nov 27 19:20:57 XXXXXXXX sshd(pam_unix)[19125]: session opened for user root by (uid=0)
Nov 27 19:20:57 XXXXXXXX sshd(pam_unix)[19125]: session closed for user root

These messages repeat themselves almost every 10 seconds or so... Anyone facing this?

regards,
Grant Skywalker
 
12-10-2005, 12:12 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

First thing you should do, regardless of the outcome, is to disallow root account logins (PermitRootLogin No) through sshd anyway and restart sshd. Allowing root access to sshd is a bad practice! Next to that, make sure you do not allow ssh access from public IP addresses/ranges other than those you really need access from.

Nov 27 19:20:36 XXXXXXXX sshd(pam_unix)[18990]: session opened for user root by (uid=0)
Nov 27 19:20:36 XXXXXXXX sshd(pam_unix)[18990]: session closed for user root

So it closes the session the instant it's opened? Weird. Is there any chance there's a script running?
Doesn't your log show any "Accepted (publickey|password) for user" lines (grep ssh /$LOGDIR/messages) with IP info?
Does wtmp show any IP info ("last -10")? Else insert an iptables log rule before allowing ssh access to catch IP info.

If you've got a file integrity checker like Aide, Samhain or even Tripwire, now would be a good time to run it (if you haven't, don't bother installing: too late). Also run Chkrootkit and/or Rootkit Hunter if you have them installed, just to be sure.
 
12-10-2005, 12:24 PM   #3
grant-skywalker
Member
 
Registered: Jul 2005
Location: Jakarta / Kuala Lumpur
Distribution: Slackware, Debian, Ubuntu, Centos
Posts: 40

Original Poster
Quote:
Originally Posted by unSpawn (post #2 above)
Hi,
I'm just in for preventive maintenance for my client and found these weird messages in their recent message log.

I don't know if they have any script running in the background, but I was informed that it's a backup server paired with Overland to back up their Windows servers.

Let's presume there should not be any script running in the background; am I safe to suspect something is going wrong?

Nope, they have these servers well protected, with no access from outside IPs. All access is internal whenever possible. Even when I need to check, I'm not allowed to check from their workstation, only in front of the server.

I'm pretty sure they don't deny sshd login from root. What if they only log in as root physically in front of the server; will these messages be normal? Because these messages last for hours if not days... I suspect something is not right here.

Nope, there isn't any IP address shown... just the same message repeated.
 
12-10-2005, 01:36 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Quote:
Originally Posted by grant-skywalker
I don't know if they have any script running in the background
Who deployed this setup? Isn't there someone you could ask so you won't break stuff?

Quote:
Originally Posted by grant-skywalker
Let's presume
The last time I presumed something I SNAFU'ed in the most desastrilicious way.
I vote no against letting presumptions dictate what to do.

Quote:
Originally Posted by grant-skywalker
there should not be any script running in the background; am I safe to suspect something is going wrong?
Sure. But whether it is malicious remains to be seen. It still does look more script-like than anything else. One 'cheap' way to see what commands are issued could be to change the shell to rootsh and then peruse the rootsh logs. Before you do, you should make certain the box is 'sane' in all other aspects. That means running a file integrity check, checking logs for other anomalies and checking your auth data and logs. If all fails and you are unable to extract any useful info about this process, you can always deny root account access in sshd_config and see what breaks :-]

Quote:
Originally Posted by grant-skywalker
What if they only log in as root physically in front of the server; will these messages be normal?
That's one case where it would most certainly not be normal. You would see a pam_unix message from the login process.
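As an added triage example (not code from the thread or its participants), the following Python does what posts #2 and #4 suggest by hand: it pairs the pam_unix "session opened"/"session closed" lines by sshd PID, looks for the matching "Accepted ... from <IP>" line that an interactive login would leave, and flags zero-length root sessions with no source IP that recur at a near-constant interval. The sample log is constructed from the lines quoted in the thread plus one ordinary login; the hostname, PIDs and the IP address are placeholders.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample: the lines quoted in the thread plus one ordinary
# interactive login. Hostname, PIDs and the IP address are placeholders.
SAMPLE_LOG = """\
Nov 27 19:20:36 XXXXXXXX sshd(pam_unix)[18990]: session opened for user root by (uid=0)
Nov 27 19:20:36 XXXXXXXX sshd(pam_unix)[18990]: session closed for user root
Nov 27 19:20:46 XXXXXXXX sshd(pam_unix)[19000]: session opened for user root by (uid=0)
Nov 27 19:20:46 XXXXXXXX sshd(pam_unix)[19000]: session closed for user root
Nov 27 19:20:57 XXXXXXXX sshd(pam_unix)[19125]: session opened for user root by (uid=0)
Nov 27 19:20:57 XXXXXXXX sshd(pam_unix)[19125]: session closed for user root
Nov 27 19:25:01 XXXXXXXX sshd[19300]: Accepted password for root from 192.0.2.10 port 51022 ssh2
Nov 27 19:25:01 XXXXXXXX sshd(pam_unix)[19300]: session opened for user root by (uid=0)
Nov 27 19:31:40 XXXXXXXX sshd(pam_unix)[19300]: session closed for user root
"""
TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "  # syslog timestamp, then hostname
PAM_RE = re.compile(TS + r"sshd\(pam_unix\)\[(\d+)\]: session (opened|closed) for user (\S+)")
ACC_RE = re.compile(TS + r"sshd\[(\d+)\]: Accepted \S+ for (\S+) from (\S+)")

def parse_ts(s, year=2005):
    """Syslog stamps carry no year; assume one so durations can be computed."""
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")

def triage(log, user="root"):
    """Pair 'session opened'/'closed' by sshd PID, attach the source IP from the
    matching 'Accepted' line, and report the anomalies discussed in the thread."""
    by_pid, src = {}, {}
    for line in log.splitlines():
        if (m := PAM_RE.match(line)) and m.group(4) == user:
            by_pid.setdefault(m.group(2), {})[m.group(3)] = parse_ts(m.group(1))
        elif (a := ACC_RE.match(line)) and a.group(3) == user:
            src[a.group(2)] = a.group(4)
    sessions = []
    for pid, ev in sorted(by_pid.items(), key=lambda kv: kv[1].get("opened", datetime.min)):
        dur = None
        if "opened" in ev and "closed" in ev:
            dur = (ev["closed"] - ev["opened"]).total_seconds()
        sessions.append({"pid": pid, "opened": ev.get("opened"), "duration": dur, "src": src.get(pid)})
    # Closes the instant it opens and has no 'Accepted' line, hence no source IP (post #2).
    odd = [s for s in sessions if s["src"] is None and s["duration"] == 0]
    findings = [f"pid {s['pid']}: zero-length {user} session, no Accepted line (no source IP)"
                for s in odd]
    # Near-constant spacing between such sessions points at a script or cron job (post #4).
    gaps = [(b["opened"] - a["opened"]).total_seconds() for a, b in zip(odd, odd[1:])]
    if len(gaps) >= 2 and max(gaps) - min(gaps) <= 3:
        findings.append(f"regular cadence: {len(odd)} such sessions about {median(gaps):.0f}s apart")
    return sessions, findings
```

Run it against a real /var/log/messages (or auth.log) by passing the file contents to triage(); a session with a source IP and a non-zero duration is what an interactive login looks like, and the ones without are the candidates for the rootsh or PermitRootLogin experiment described above.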