Help check attack
Hi,
By issuing a command on my Red Hat server this morning, which is:

more /var/spool/mail/root | grep root:password

I've got the following result:

DUP root:password:12.30.179.28
DUP root:password:12.30.179.28
DUP root:password:12.30.179.28
DUP root:password:12.30.179.28
DUP root:password:12.30.179.28
....

Thus, I wonder if it's an attack, and if yes, how can I check if the attack has succeeded or not? Thanks
The only time I see those lines is when SSH scanners are used; often the output will be a plain text file named "vuln.txt". The fact that it shows up in root mail may or may not be telling: best read and act on the information in the CERT Intruder Detection Checklist, scan the machine for foreign processes and binaries and your logs for anomalies (use Logwatch?).
Examine your system & service log files.
On my Debian box, I always check my system log files at /var/log/syslogs and /var/log/messages, and the service log file, e.g. for the SSH service: /var/log/auth.log, and find something wrong there. You must understand that the log file is a very, very important file to examine.
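One way to run the log check the replies recommend, as an added example that is not part of any post in this thread: it counts failed SSH password attempts per source address and flags any source that was also granted a login. It assumes the standard OpenSSH sshd syslog line format; the sample lines, addresses, function names and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH sshd syslog format (not taken from the thread).
SAMPLE_LOG = """\
Mar  3 04:12:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 04:12:03 host sshd[2103]: Failed password for root from 203.0.113.7 port 40120 ssh2
Mar  3 04:12:05 host sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 40131 ssh2
Mar  3 04:12:09 host sshd[2109]: Accepted password for root from 203.0.113.7 port 40150 ssh2
Mar  3 04:20:44 host sshd[2200]: Failed password for invalid user test from 198.51.100.20 port 51000 ssh2
Mar  3 04:20:46 host sshd[2202]: Failed password for invalid user guest from 198.51.100.20 port 51003 ssh2
Mar  3 04:20:48 host sshd[2204]: Failed password for root from 198.51.100.20 port 51007 ssh2
Mar  3 04:20:50 host sshd[2206]: Failed password for invalid user x from 192.0.2.99 port 1 from 198.51.100.20 port 51010 ssh2
Mar  3 09:02:10 host sshd[3001]: Accepted publickey for alice from 192.0.2.50 port 60000 ssh2
"""

# The user field is supplied by the remote client, so it is matched greedily:
# the address is then taken from the last "from <ip> port <n>", which sshd wrote.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>.+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text):
    """Return {ip: {"failed": n, "users": set, "accepted": [(user, method)]}}."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        entry = stats[m["ip"]]
        if m["result"] == "Failed":
            entry["failed"] += 1
            entry["users"].add(m["user"])
        else:
            entry["accepted"].append((m["user"], m["method"]))
    return dict(stats)

def triage(log_text, threshold=3):
    """Report sources with >= threshold failures; an accepted login from one needs follow-up."""
    report = {}
    for ip, e in summarize(log_text).items():
        if e["failed"] >= threshold:
            report[ip] = "INVESTIGATE: login accepted" if e["accepted"] else "scan only"
    return report

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG).items():
        print(ip, verdict)
```

To use it on a real host, pass the contents of the SSH log to `triage()`: /var/log/auth.log as mentioned above for Debian, or /var/log/secure on Red Hat. A "scan only" verdict covers password logins in the retained logs only, so it does not replace the process and binary checks suggested earlier.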