LinuxQuestions.org
Old 07-26-2012, 04:45 AM   #1
ratatata
LQ Newbie
 
Registered: Jul 2012
Posts: 4

Rep: Reputation: Disabled
Problem with register loggins


Hi all,

I had a security problem and all access logs have not been logging since 24/02/2012 (first security problem):

/var/log/messages
/var/log/secure.log
/var/log/wtmp
/var/log/utmp

I cannot execute last, who, w, ANYTHING. Also, I cannot change the permissions:

ll -lrth wtmp
-rw------- 1 root root 0 Feb 24 11:11 wtmp

chown root:utmp wtmp
chown: changing ownership of `wtmp': Operation not permitted


Any ideas???

Thanks
Regards


Code:

/etc/syslog.conf

# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# logrotate
cat /etc/logrotate.d/syslog 
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
    compress
}
Any help please?
 
Old 07-26-2012, 01:01 PM   #2
whizzit
Member
 
Registered: Aug 2004
Location: UK
Distribution: Gentoo, OpenBSD, Debian, FreeBSD, RHEL, CentOS
Posts: 65

Rep: Reputation: 24
So somebody else has potentially had unrestricted access to your installation for 4 months or more??

Do you know what services have been running that might have been compromised in order for someone to gain access? This is the only thing worth knowing from your current situation so that the break-in might be prevented in the future. If you have physical control over the server, and the inclination, then you could boot up with a Live CD/DVD and try scanning for rootkits to see how bad things might be ( for example: http://www.rootkit.nl/projects/rootkit_hunter.html - but I've never used this ).

Are any of the other logs being written to, like /var/log/messages? Can you write to any other file or create new files on the /var partition? Is /var mounted read-only? And you don't say what OS and version you're running...

wtmp is 0 bytes long so commands last, who and w etc. aren't likely to return anything useful.

Otherwise, if you are sure of a security breach, you can't trust any commands on that system. Repairing it is going to be a waste of time with no guarantee of 100% success.
 
Old 07-30-2012, 02:36 AM   #3
ratatata
LQ Newbie
 
Registered: Jul 2012
Posts: 4

Original Poster
Rep: Reputation: Disabled
Hi, thanks for the reply.

The /var mountpoint is mounted and writable. For example, the lastb command is working, but last is not...
Also, we created a .htaccess file in order to get some more restrictions.

I don't know why, but some logs are not registering and you cannot change the user, mode or group.

Thanks

Last edited by ratatata; 07-30-2012 at 05:47 AM.
 
Old 07-30-2012, 11:26 AM   #4
ratatata
LQ Newbie
 
Registered: Jul 2012
Posts: 4

Original Poster
Rep: Reputation: Disabled
Hi,

I got a solution. The problem was that the hacker modified the attributes of the files.

Quote:
----i-------- /var/log/messages
----i-------- /var/log/maillog
----i-------- /var/log/wtmp
Then I changed them and it is solved.

Thanks so much!
 
Old 07-30-2012, 05:15 PM   #5
whizzit
Member
 
Registered: Aug 2004
Location: UK
Distribution: Gentoo, OpenBSD, Debian, FreeBSD, RHEL, CentOS
Posts: 65

Rep: Reputation: 24
Your system cannot be considered safe

Hi ratatata,

From chattr(1):

Code:
       A  file with the `i' attribute cannot be modified: it cannot be deleted
       or renamed, no link can be created to this file  and  no  data  can  be
       written  to  the  file.  Only the superuser or a process possessing the
       CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
So you have cured a symptom but not the cause...

Most likely, someone as root changed the attributes on those files. Which means that they probably still have root access to your system!

** I strongly advise that you back up any important personal data ( no system files, other than configs for reference only ) that you might want to keep and re-install the operating system; closely followed by its latest security patches. **
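A defender's check for the immutable flag whizzit describes, written as an added example (not code from the thread): it parses lsattr(1) output and reports any log file with `i` set, so the condition the OP hit can be caught by a cron job instead of noticed months later. SAMPLE_LSATTR is constructed output; the function and variable names are my own.

```shell
#!/bin/sh
# Constructed sample of lsattr(1) output: the 'i' in the attribute field is
# the immutable flag that stopped syslog writing to these files in the thread.
SAMPLE_LSATTR='----i--------e-- /var/log/messages
-------------e-- /var/log/secure
----i--------e-- /var/log/wtmp
-----a-------e-- /var/log/audit/audit.log'

# Read lsattr-style lines on stdin; print the path of every entry whose
# attribute field contains 'i'. Handles paths that contain spaces.
immutable_from_lsattr() {
    awk '{ attrs = $1; sub(/^[^ ]+ /, ""); if (index(attrs, "i")) print }'
}

# Run lsattr on the given log files and report any that are immutable.
# Returns 0 when none are, 1 otherwise (so it can drive a cron alert).
# Caveat, as whizzit notes: on an already compromised host lsattr itself
# may be trojaned, so a clean result here is necessary, not sufficient.
check_log_attrs() {
    offenders=$(lsattr -d "$@" 2>/dev/null | immutable_from_lsattr)
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders" | while IFS= read -r f; do
        printf 'WARNING: immutable log file: %s\n' "$f"
    done
    return 1
}

# Demo on the constructed sample; on a live host run, for example,
# check_log_attrs /var/log/messages /var/log/secure /var/log/wtmp instead.
printf '%s\n' "$SAMPLE_LSATTR" | immutable_from_lsattr
```

The `a` (append-only) flag in the audit.log line is the legitimate hardening counterpart: it lets the logger append but blocks truncation, whereas `i` blocks everything, which is why nothing was written after Feb 24.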
 
Old 07-31-2012, 10:09 AM   #6
ratatata
LQ Newbie
 
Registered: Jul 2012
Posts: 4

Original Poster
Rep: Reputation: Disabled
Hi!

Thanks very much! Now the system is safe.

Before finding this problem, we found a user created in /etc/passwd with permissions to ALL in sudoers. Now we close port 22 to everyone. Also we cleaned any suspicious file like /etc/passwd /etc/group /etc/sudoers... etc etc.

Thanks very much for your help!!!
 