Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
04-17-2006, 06:27 PM
#1
Member
Registered: Sep 2003
Location: Ecuador
Distribution: Debian, Ubuntu, Elastix
Posts: 183
Rep:
Hacked server :( and /var/log/messages
There is a server I went to check several months ago and I found that it didn't boot. I checked /var/log/messages and found out that there were a lot of people trying to access as root. But I don't know how to find out from which IP the hacker did his job.
The log file is here: http://www.hostandino.com/log/log.xavier
That is all the info I have from that server. Well, it was a Red Hat 9.
04-17-2006, 06:52 PM
#2
Member
Registered: Mar 2006
Location: Edinburgh, UK
Distribution: debian
Posts: 304
Rep:
In Gentoo you'd look in /var/log/auth.log.
Any help?
04-17-2006, 06:56 PM
#3
Member
Registered: Nov 2004
Distribution: SuSE 9.1 Personal
Posts: 41
Rep:
Humm..
lots of trials to login with root..
I think it's some kind of brute force attacks..
04-17-2006, 10:06 PM
#4
Member
Registered: Sep 2003
Location: Ecuador
Distribution: Debian, Ubuntu, Elastix
Posts: 183
Original Poster
Rep:
Quote:
Originally Posted by bernied
In Gentoo you'd look in /var/log/auth.log.
Any help?
The problem is that I only have the /var/log/messages.
Quote:
Originally Posted by nectron101
I think it's some kind of brute force attacks..
I think so, but I don't know when they had success.
04-17-2006, 10:28 PM
#5
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
Try running the 'last' command. If the dates don't go back far enough, point the last command at the rotated wtmp file (last -f /var/log/wtmp.1). The usual caveats about logs apply here: if someone has root they can modify log files rather easily.
Looking at your log file there appear to be several successful logins, including one that is in close proximity to a number of failed attempts. Do any of those successful logins correspond to times when the system should have been accessed?
This by itself is probably enough of a learning lesson, but the first rule of running any remote shell service is to never, ever allow root to login directly... it's too easy to brute-force. Along those lines, are the passwords used on this system reasonably secure (random alphanumeric, etc.) or were they fairly weak?
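The correlation suggested in #5 (a successful login shortly after a burst of failures from the same IP) can be scripted; the example below is added for illustration and is not from this thread or the poster's log, whose format is not shown here. It assumes the syslog-style sshd "Failed password" / "Accepted password" lines that Red Hat era systems wrote to /var/log/messages, with constructed sample lines in place of the real file.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog/sshd format assumed above
# (not taken from the poster's log).
SAMPLE_LOG = """\
Apr 17 02:10:01 srv sshd[2201]: Failed password for root from 10.0.0.5 port 40001 ssh2
Apr 17 02:10:03 srv sshd[2203]: Failed password for root from 10.0.0.5 port 40002 ssh2
Apr 17 02:10:05 srv sshd[2205]: Failed password for root from 10.0.0.5 port 40003 ssh2
Apr 17 02:10:07 srv sshd[2207]: Failed password for root from 10.0.0.5 port 40004 ssh2
Apr 17 02:10:09 srv sshd[2209]: Failed password for root from 10.0.0.5 port 40005 ssh2
Apr 17 02:10:12 srv sshd[2211]: Accepted password for root from 10.0.0.5 port 40006 ssh2
Apr 17 09:00:00 srv sshd[2300]: Accepted password for xavier from 192.168.1.20 port 50001 ssh2
Apr 17 11:30:00 srv sshd[2400]: Failed password for root from 10.0.0.9 port 41000 ssh2
"""

# Syslog timestamp, host, sshd[pid], then the password-auth result line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(text, year=2006):
    """Yield (timestamp, result, user, ip) for each sshd password event.
    Syslog lines carry no year, so one is supplied by the caller."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def suspicious_logins(text, min_failures=3, window_s=600):
    """Return accepted logins preceded by at least min_failures failed
    attempts from the same IP within the last window_s seconds."""
    failures = defaultdict(list)   # ip -> timestamps of failed attempts
    hits = []
    for ts, result, user, ip in parse(text):
        if result == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
        if len(recent) >= min_failures:
            hits.append({"ip": ip, "user": user,
                         "when": ts.isoformat(sep=" "), "failures_before": len(recent)})
    return hits

if __name__ == "__main__":
    for h in suspicious_logins(SAMPLE_LOG):
        print(f"{h['when']}  {h['user']}@{h['ip']}  after {h['failures_before']} failures")
```

Run it against the real file with `suspicious_logins(open("/var/log/messages").read())`, then compare the flagged timestamps with the output of `last` as #5 suggests, remembering that an attacker with root can have edited both.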