Hacked server :( and /var/log/messages
 

There is a server I went to check several moths ago and I found that it didn't boot. I check /var/log/messages and found out that there where a lot of people traying to access as root. But I don't know how to find out from wich ip the hackear did his job.

The log file is here: http://www.hostandino.com/log/log.xavier

That is all the info I have from that server. Well it was a red hat 9.

In gentoo you'd look in /var/log/auth.log
Any help?

Humm..

lots of trials to login with root..

I think it's some kind of brute force attacks..

The problem is that I only have the /var/log/messages :(


I think so, but I don't know when they had success.

Try running the 'last' command. If the dates don't go back far enough, point the last command at the compressed wtmp file (last -f /var/log/wtmp.1). The usual caveats about logs apply here, if someone has root they can modify log files rather easily.

Looking at your log file there are appear to be several succesfull logins, including one that is in close proximity to a number of failed attempts. Do any of those successfull logins correspond to times when the system should have been accessed?

This by itself is probably enough of a learning lesson, but the first rule of running any remote shell service is to never, ever allow root to login directly...it's too easy to bruteforce. Along those lines, are the passwords used on this system reasonably secure (random alphanumeric, etc) or were they fairly weak?