LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-06-2006, 07:00 PM   #1
RichM
LQ Newbie
Registered: Feb 2006
Posts: 6
Strange root login


Hi,

I got an automated email stating that there had been a root login, but it doesn't give many details:

"Access from

Root Shell Access on: Thu Jul 6 22:23:47 BST 2006"

I know shortly before that, my colleague logged in, but is there any way I could find out who logged in at the time stated above? I ran "last" and it does not list it at all.

I also viewed bash_history and I couldn't see anything suspicious.

Thanks for your time.

Last edited by RichM; 07-06-2006 at 07:08 PM.
 
Old 07-06-2006, 09:17 PM   #2
gilead
Senior Member
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141
The lastlog command reports on the /var/log/lastlog file. Is this the sort of information you wanted to check?
Code:
$ lastlog -u root
Username         Port     From             Latest
root             tty6                      Tue Jul  4 08:49:25 +1000 2006
 
Old 07-06-2006, 09:34 PM   #3
RichM
LQ Newbie
Registered: Feb 2006
Posts: 6
Original Poster
Quote:
Originally Posted by gilead
The lastlog command reports on the /var/log/lastlog file. Is this the sort of information you wanted to check?
Code:
$ lastlog -u root
Username         Port     From             Latest
root             tty6                      Tue Jul  4 08:49:25 +1000 2006
Thanks for the reply, although that only shows the very last login. Is there a way to list them further back (aside from using "last" on its own)?

Thanks.
 
Old 07-06-2006, 09:52 PM   #4
gilead
Senior Member
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141
Those are the best 2 commands to use. However if, for example, logrotate has moved /var/log/wtmp to /var/log/wtmp.1 and your entries don't go far enough back in time, you could use the following:
Code:
$ last -af /var/log/wtmp.1 root
root     tty6         Fri Jun 23 11:14 - down   (00:00)
root     tty6         Wed Jun 21 15:04 - down   (00:00)
root     tty6         Tue Jun 20 11:58 - down   (00:20)
root     tty6         Mon Jun  5 08:19 - down   (00:00)

wtmp.1 begins Thu Jun  1 07:32:56 2006
 
Old 07-06-2006, 10:04 PM   #5
RichM
LQ Newbie
Registered: Feb 2006
Posts: 6
Original Poster
Quote:
Originally Posted by gilead
Those are the best 2 commands to use. However if, for example, logrotate has moved /var/log/wtmp to /var/log/wtmp.1 and your entries don't go far enough back in time, you could use the following:
Code:
$ last -af /var/log/wtmp.1 root
root     tty6         Fri Jun 23 11:14 - down   (00:00)
root     tty6         Wed Jun 21 15:04 - down   (00:00)
root     tty6         Tue Jun 20 11:58 - down   (00:20)
root     tty6         Mon Jun  5 08:19 - down   (00:00)

wtmp.1 begins Thu Jun  1 07:32:56 2006
Ok, I did that and nothing suspicious appears as far as I can see.

If the system had been compromised, would they definitely appear on "last", or are there ways that they could avoid being shown on "last"?

Also, do you have any other suggestions that I should do to further investigate the matter, in order to come to a conclusion?

Thank you so much for your time.
 
Old 07-06-2006, 10:22 PM   #6
gilead
Senior Member
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141
If they knew what they were doing, they may have modified the log files. If they haven't and you have the GNU process accounting utilities installed, you can look at some of what they were doing with lastcomm.

The following will list the commands logged for the root user (stored in /var/log/pacct). Be prepared for a lot of entries that don't look like commands that you've run - the log also contains commands run as root in cron jobs and by root owned processes. You'll need to match the timestamps with the output from last:
Code:
lastcomm root > ~/lastcomm-root.log
I'd also recommend having a look at the security references on this site at http://www.linuxquestions.org/questi...ad.php?t=45261. There's a tonne of information, so don't try and get through it all at once.
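Both "last" and "lastlog" only report what is still in the wtmp/lastlog files, so when an entry seems to be missing it is worth reading the raw records yourself, including rotated copies like /var/log/wtmp.1. The following is an added example (not code from this thread or from gilead) that parses wtmp records directly, lists logins for a user around the alert time from the first post, and flags all-zero records, which login and init never write but which a wtmp "cleaner" leaves behind. It assumes the x86_64 glibc utmp layout and uses a constructed sample file instead of a real wtmp.

```python
import struct
from datetime import datetime, timedelta, timezone

# glibc's utmp record on x86_64 Linux is 384 bytes; `last` reads this same
# layout. Assumption: the host that wrote wtmp used it (i386 glibc does too).
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS, DEAD_PROCESS = 7, 8
ZEROED = -1                              # our own marker, not a utmp type

# The time from the alert e-mail: Thu Jul 6 22:23:47 BST 2006 (BST = UTC+1).
ALERT_EPOCH = int(datetime(2006, 7, 6, 22, 23, 47,
                           tzinfo=timezone(timedelta(hours=1))).timestamp())

def _cstr(b):
    return b.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_wtmp(data):
    """Yield (ut_type, pid, line, user, host, tv_sec) for each record."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        rec = data[off:off + UTMP_SIZE]
        if rec == b"\0" * UTMP_SIZE:
            # login/init never write an all-zero record; a tool that hides a
            # session by zeroing its entry leaves exactly this, so report it.
            yield (ZEROED, 0, "", "", "", 0)
            continue
        t, pid, line, _id, user, host, _e1, _e2, _s, sec, *_ = struct.unpack(UTMP_FMT, rec)
        yield (t, pid, _cstr(line), _cstr(user), _cstr(host), sec)

def logins_near(data, user, when=ALERT_EPOCH, window_s=3600):
    """Login records for `user` within +/- window_s of `when`, plus the zeroed-record count."""
    recs = list(parse_wtmp(data))
    hits = [r for r in recs
            if r[0] == USER_PROCESS and r[3] == user and abs(r[5] - when) <= window_s]
    return hits, sum(1 for r in recs if r[0] == ZEROED)

def make_record(ut_type, pid, line, user, host, sec):
    """Pack one record; used here only to build the constructed sample below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)

# Constructed sample standing in for a rotated wtmp.1: the colleague's login,
# a root login two minutes before the alert, one zeroed record, and a logout.
SAMPLE_WTMP = (make_record(USER_PROCESS, 4010, "pts/0", "colleague", "10.0.0.5", ALERT_EPOCH - 1500)
               + make_record(USER_PROCESS, 4022, "tty1", "root", "", ALERT_EPOCH - 120)
               + b"\0" * UTMP_SIZE
               + make_record(DEAD_PROCESS, 4010, "pts/0", "", "", ALERT_EPOCH + 900))

if __name__ == "__main__":
    hits, zeroed = logins_near(SAMPLE_WTMP, "root")
    for _t, _pid, line, user, host, sec in hits:
        print(user, line, host or "-", datetime.fromtimestamp(sec, timezone.utc).isoformat())
    print("zeroed records:", zeroed)
```

To use it on a real system, replace SAMPLE_WTMP with the contents of /var/log/wtmp and each wtmp.N file; a non-zero zeroed count or a gap around the alert time is what to follow up on.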
 
Old 07-06-2006, 10:33 PM   #7
RichM
LQ Newbie
Registered: Feb 2006
Posts: 6
Original Poster
Quote:
Originally Posted by gilead
If they knew what they were doing, they may have modified the log files. If they haven't and you have the GNU process accounting utilities installed, you can look at some of what they were doing with lastcomm.

The following will list the commands logged for the root user (stored in /var/log/pacct). Be prepared for a lot of entries that don't look like commands that you've run - the log also contains commands run as root in cron jobs and by root owned processes. You'll need to match the timestamps with the output from last:
Code:
lastcomm root > ~/lastcomm-root.log
I'd also recommend having a look at the security references on this site at http://www.linuxquestions.org/questi...ad.php?t=45261. There's a tonne of information so don't try and get through it all at once
I put in:

lastcomm root > ~/lastcomm-root.log

And it just goes onto the next line. Any ideas?

In addition, I also got this email from the server a few hours ago:

Quote:
/etc/cron.daily/rkhunter.sh:

You must specify direct recipients with -s, -c, or -b.
/etc/cron.daily/rkhunter.sh: line 3: sysalerts@myemail.com: command not found
Any ideas as to what caused that to happen? I ran rkhunter (prior to receiving that email) and it says there is nothing malicious.

Last edited by RichM; 07-06-2006 at 10:35 PM.
 
Old 07-07-2006, 01:06 AM   #8
gilead
Senior Member
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141
If there was no error about the file/command not being found, can you open ~/lastcomm-root.log and see what is listed in it?

For the rkhunter error, it looks like a syntax error with the mail command. Here's what mine has in it:
Code:
#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --quiet
) | /bin/mail -s 'rkhunter Daily Run' root
 
Old 07-07-2006, 01:18 AM   #9
RichM
LQ Newbie
Registered: Feb 2006
Posts: 6
Original Poster
Quote:
Originally Posted by gilead
If there was no error about the file/command not being found, can you open ~/lastcomm-root.log and see what is listed in it?

For the rkhunter error, it looks like a syntax error with the mail command. Here's what mine has in it:
Code:
#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --quiet
) | /bin/mail -s 'rkhunter Daily Run' root
I just put in "nano lastcomm-root.log" and it is empty.
 
Old 07-07-2006, 03:53 PM   #10
gilead
Senior Member
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141
OK, it sounds like process accounting isn't turned on. You can confirm this by checking whether you have a log file called /var/log/pacct. It generates a fair bit of data, but I use it on a couple of boxes at my office without any performance problems (they're not heavily loaded normally anyway).

If you want to enable it (and you have the tools installed), you can add the following to your start-up scripts:
Code:
if [ -x /sbin/accton ]
then
  /sbin/accton /var/log/pacct
  echo "Process accounting turned on."
fi
Then you'd do the following:
Code:
touch /var/log/pacct
chown root:root /var/log/pacct
chmod 0644 /var/log/pacct
I'd also suggest rotating the log regularly by adding the following to /etc/logrotate.d/pacct
Code:
/var/log/pacct {
    weekly
    copytruncate
    nocompress
    notifempty
    missingok
    postrotate
        /sbin/accton
        /sbin/accton /var/log/pacct
    endscript
}
This will log the commands run, but not the arguments given to them - so it doesn't provide a complete history.

Last edited by gilead; 07-07-2006 at 04:21 PM.
 
All times are GMT -5. The time now is 04:34 AM.