Strange log entries.

forand · 03-24-2003, 12:24 PM

Hello all,
I currently use logsentry(or whatever they named now) to parse my log files and find any "suspicious" entries. The last week I have noticed some strange log in attempts. Mainly I get something telling me that I tried to log onto my server from my computer at work(win2k machine) at a time that I was not at work. I am not aware of anything that can be used to try and use a windows machine to log onto a *nix os that could be accessed by an outsider(perhaps I am naive). Anyone have any ideas on this?

Thanks!

unSpawn · 03-24-2003, 01:09 PM

Could you manage *posting* log entries instead of *talking* about log entries? Snort log entries? Tcpdump? FW?

forand · 03-24-2003, 01:23 PM

I didn't bother posting the log entry because it didn't say anything useful but here it goes:

Code:

Mar 21 16:55:21 host sshd(pam_unix)[14077]: authentication failure; log
name= uid=0 euid=0 tty=NODEVssh ruser= rhost=dhcp.remote.com  user=fred
Mar 21 16:55:23 host sshd[14077]: Failed password for fred from 1.1.1.1 port 3801 ssh2

This was taken from "/var/log/auth.log". I changed the ip and rhost but they were all correct for my work system.

unSpawn · 03-24-2003, 01:34 PM

Aaahhhrrrggg. Sorry.
I meant the *src* box, I mean, unless they're wiped you should be able to extract login info etc from the W2K event logs. You don't run Floke Integrity, Syslog or any Aide equiv. on W2K by any chance, right?

forand · 03-24-2003, 02:12 PM

All I run on my win2k box is ZoneAlarm that that didn't pop up anything. As far as I know you can't run putty from a consol alone so I am clueless as to how somethinglike this could happen even if my system had been breached. I don't run any remote server protocols on the win2k box so . . . . I was logged into the win2k box when it says the attmept came but the screen was locked and in a secured room and was fine when I came in this morning. my only thought was that there was something messed with the time stamps on the linux system log but all looked correct when I scanned the log files directly. I don't mean to frustrate you I just am completely clueless in this.

unSpawn · 03-24-2003, 03:46 PM

No, you're not frustrating me. Save a copy of your hives and the event logs just in case. Are you able to run netstat (or some of the Foundstone.com freeware tools) on it, see what ports are open? Same for processes? Are you running a scheduler? Are you able to run an antivirus scanner?

LOL, more questions than answers :-]

forand · 03-24-2003, 04:24 PM

Not sure what "hives" are. I can't seem to find any freeware or any downloads in general on foundstone.com, it looks like netstat moved to another site that will be "re-birthed" on the 30th. No anitvirus scanner running at the current time but I haven't installed anything questionable nor clicked on anything questionable. No schedual running either. Thanks for all the help.

unSpawn · 03-25-2003, 03:20 AM

Hives are your registry stuff, thats the NT.* name IIRC.
The Foundstone free tools like Fport are at http://www.foundstone.com/knowledge/free_tools.html, and netstat should be part of NT5.

IMO chances that something automated logging in with Putty on your server are small. Chances someone should try and spoof logging in with your username from your W2K IP are infinitesimally slim. Add the fact *you* didn't install anything or clicked anything doesn't count as 100 percent proof there ain't nothing wrong in the very automated Wintendo world I'd say. Look for instance at the fact some M$ products install a hidden SQL server, or embedded ActiveX controls in pages to automagically muck with your registry.

If your event logs turn up nothing then it'll all be much harder to find "evidence" of it all. I don't say it can't be done, but doing forensics will just take much more time than you can justify.