LinuxQuestions.org > Forums > Linux Forums > Linux - Security
01-13-2006, 01:31 PM   #1
istvank
What does the "Last login" message mean?


When I log on to my server I see something like:
Last login: Fri Jan 13 21:07:36 2006 from xx.qq.dd.ee
Well, all this is normal. What worries me is that this is not the IP I logged in from last time. Even more, it is not an IP I have ever logged in from.
So does this mean that somebody logged in to my server?
Or does it mean that somebody tried to log in to my server?
 
01-13-2006, 01:54 PM   #2
ilikejam
Hi.

Are you connecting through an ssh proxy?

Dave
 
01-14-2006, 12:15 AM   #3
istvank (Original Poster)
There is no proxy, as far as I know. The server has a public IP and I'm connecting to it with putty.
 
01-14-2006, 03:33 AM   #4
ilikejam
Hi again.

Try running 'host <xx.qq.dd.ee's real IP or hostname>'. That might give you more info about the machine which logged in.

You might want to look through /var/log/messages, and /var/log/secure (if it exists) to see what's been happening with your ssh server.
If there's any evidence of a breakin, I'd get the machine off-line as quickly as possible.

Dave
 
01-14-2006, 10:07 AM   #5
Capt_Caveman
Also take a look at the output of 'last -i'
 
01-15-2006, 01:55 AM   #6
istvank (Original Poster)
Here is a part of: cat /var/log/secure.1 |grep "Failed password for root"

Jan 13 11:46:48 hostname sshd[16848]: Failed password for root from ::ffff:62.75.193.30 port 52404 ssh2
Jan 13 11:46:48 hostname sshd[16849]: Failed password for root from ::ffff:62.75.193.30 port 52404 ssh2
Jan 13 11:46:51 hostname sshd[16850]: Failed password for root from ::ffff:62.75.193.30 port 52657 ssh2
Jan 13 11:46:51 hostname sshd[16851]: Failed password for root from ::ffff:62.75.193.30 port 52657 ssh2
Jan 13 11:47:04 hostname sshd[16860]: Failed password for root from ::ffff:62.75.193.30 port 54186 ssh2
Jan 13 11:47:04 hostname sshd[16861]: Failed password for root from ::ffff:62.75.193.30 port 54186 ssh2
Jan 13 11:47:07 hostname sshd[16862]: Failed password for root from ::ffff:62.75.193.30 port 54470 ssh2
Jan 13 11:47:07 hostname sshd[16863]: Failed password for root from ::ffff:62.75.193.30 port 54470 ssh2
Jan 13 11:47:29 hostname sshd[16878]: Failed password for root from ::ffff:62.75.193.30 port 57022 ssh2
Jan 13 11:47:29 hostname sshd[16879]: Failed password for root from ::ffff:62.75.193.30 port 57022 ssh2
Jan 13 11:47:35 hostname sshd[16882]: Failed password for root from ::ffff:62.75.193.30 port 57707 ssh2
Jan 13 11:47:35 hostname sshd[16883]: Failed password for root from ::ffff:62.75.193.30 port 57707 ssh2
Jan 13 12:09:40 hostname sshd[17060]: Failed password for root from ::ffff:217.40.141.73 port 52414 ssh2
Jan 13 12:09:40 hostname sshd[17061]: Failed password for root from ::ffff:217.40.141.73 port 52414 ssh2
Jan 13 12:09:46 hostname sshd[17062]: Failed password for root from ::ffff:217.40.141.73 port 52543 ssh2
Jan 13 12:09:46 hostname sshd[17063]: Failed password for root from ::ffff:217.40.141.73 port 52543 ssh2
Jan 13 12:09:53 hostname sshd[17064]: Failed password for root from ::ffff:217.40.141.73 port 52674 ssh2
Jan 13 12:09:53 hostname sshd[17065]: Failed password for root from ::ffff:217.40.141.73 port 52674 ssh2
Jan 13 12:09:59 hostname sshd[17066]: Failed password for root from ::ffff:217.40.141.73 port 52786 ssh2
Jan 13 12:09:59 hostname sshd[17067]: Failed password for root from ::ffff:217.40.141.73 port 52786 ssh2
Jan 13 20:59:19 hostname sshd[22514]: Failed password for root from ::ffff:82.77.42.244 port 1370
Jan 13 20:59:19 hostname sshd[22515]: Failed password for root from ::ffff:82.77.42.244 port 1370
Jan 13 23:08:51 hostname sshd[4623]: Failed password for root from ::ffff:200.93.129.6 port 25730 ssh2
Jan 13 23:08:51 hostname sshd[4624]: Failed password for root from ::ffff:200.93.129.6 port 25730 ssh2
Jan 13 23:10:10 hostname sshd[4692]: Failed password for root from ::ffff:200.93.129.6 port 28601 ssh2
Jan 13 23:10:10 hostname sshd[4693]: Failed password for root from ::ffff:200.93.129.6 port 28601 ssh2
Jan 13 23:10:34 hostname sshd[4702]: Failed password for root from ::ffff:200.93.129.6 port 29507 ssh2
Jan 13 23:10:34 hostname sshd[4703]: Failed password for root from ::ffff:200.93.129.6 port 29507 ssh2
Jan 13 23:10:44 hostname sshd[4704]: Failed password for root from ::ffff:200.93.129.6 port 29661 ssh2
Jan 13 23:10:44 hostname sshd[4705]: Failed password for root from ::ffff:200.93.129.6 port 29661 ssh2
Jan 14 13:46:02 hostname sshd[12550]: Failed password for root from ::ffff:83.103.169.218 port 1227 ssh2
Jan 14 13:46:02 hostname sshd[12549]: Failed password for root from ::ffff:83.103.169.218 port 1227 ssh2
Jan 14 13:46:11 hostname sshd[12549]: Failed password for root from ::ffff:83.103.169.218 port 1227 ssh2

This means somebody or everybody is trying to guess my root password.

Then I did:
[root@hostname log]# cat /var/log/secure.1 |grep Accepted
Jan 9 09:42:00 hostname sshd[20920]: Accepted password for root from ::ffff:85.204.157.188 port 3098 ssh2
Jan 9 09:42:00 hostname sshd[20921]: Accepted password for root from ::ffff:85.204.157.188 port 3098 ssh2
Jan 9 18:22:14 hostname sshd[26313]: Accepted password for root from ::ffff:85.204.157.188 port 1261 ssh2
Jan 9 18:22:14 hostname sshd[26314]: Accepted password for root from ::ffff:85.204.157.188 port 1261 ssh2
Jan 9 18:37:54 hostname sshd[26514]: Accepted password for root from ::ffff:85.204.157.188 port 1661 ssh2
Jan 9 18:37:54 hostname sshd[26515]: Accepted password for root from ::ffff:85.204.157.188 port 1661 ssh2
Jan 11 18:27:09 hostname sshd[20555]: Accepted password for root from ::ffff:85.204.157.188 port 2341 ssh2
Jan 11 18:27:09 hostname sshd[20556]: Accepted password for root from ::ffff:85.204.157.188 port 2341 ssh2
Jan 12 14:40:59 hostname sshd[770]: Accepted password for root from ::ffff:81.12.248.100 port 3247
Jan 12 14:40:59 hostname sshd[771]: Accepted password for root from ::ffff:81.12.248.100 port 3247
Jan 12 14:45:32 hostname sshd[3467]: Accepted password for root from ::ffff:81.12.248.100 port 3283
Jan 12 17:07:17 hostname sshd[4773]: Accepted password for root from ::ffff:195.7.14.148 port 1944 ssh2
Jan 12 17:07:17 hostname sshd[4774]: Accepted password for root from ::ffff:195.7.14.148 port 1944 ssh2
Jan 13 20:16:50 hostname sshd[21576]: Accepted password for ftp from ::ffff:82.127.9.42 port 33022 ssh2
Jan 13 20:16:50 hostname sshd[21577]: Accepted password for ftp from ::ffff:82.127.9.42 port 33022 ssh2
Jan 13 20:58:00 hostname sshd[22465]: Accepted password for root from ::ffff:82.77.42.244 port 1368
Jan 13 20:58:00 hostname sshd[22466]: Accepted password for root from ::ffff:82.77.42.244 port 1368
Jan 13 20:59:25 hostname sshd[22514]: Accepted password for root from ::ffff:82.77.42.244 port 1370
Jan 13 21:07:36 hostname sshd[3489]: Accepted password for root from ::ffff:82.77.42.244 port 1447
Jan 13 21:07:36 hostname sshd[3490]: Accepted password for root from ::ffff:82.77.42.244 port 1447
Jan 13 21:17:53 hostname sshd[3696]: Accepted password for root from ::ffff:82.77.42.244 port 1571
Jan 13 21:17:53 hostname sshd[3697]: Accepted password for root from ::ffff:82.77.42.244 port 1571

and

[root@hostname log]# cat /var/log/secure |grep Accepted
Jan 15 06:35:44 hostname sshd[24872]: Accepted password for ftp from ::ffff:202.54.26.218 port 42703 ssh2
Jan 15 06:35:44 hostname sshd[24873]: Accepted password for ftp from ::ffff:202.54.26.218 port 42703 ssh2
Jan 15 08:48:09 hostname sshd[26043]: Accepted password for root from ::ffff:82.77.42.244 port 1066
Jan 15 08:48:09 hostname sshd[26044]: Accepted password for root from ::ffff:82.77.42.244 port 1066

Here are a few successful attempts. A few are mine, the rest I don't recognize. The IP I saw is the one from the ftp access above.
What is stored in /var/log/secure? The ssh logins?
I have a vsftpd server on this machine, but it is set up for virtual users.
So it seems that I've been hacked. Now what?
I changed the root password till it complied with the passwd requirements.
But what about the "ftp" user? I did a usermod -s /bin/false ftp. Is it enough?
What else should I check?
I know there is something you can do to block the root user from accessing the server remotely, so that to get root access you have to log in as a normal user and then do a "su". How can I do that?
Any other suggestions??
 
01-15-2006, 02:04 AM   #7
istvank (Original Poster)
But it is weird that I don't see that IP among these...

last -i
root pts/0 82.77.42.244 Sun Jan 15 08:48 still logged in
ftp pts/0 202.54.26.218 Sun Jan 15 06:35 - 06:35 (00:00)
root pts/0 82.77.42.244 Fri Jan 13 21:17 - 21:57 (00:39)
root pts/0 82.77.42.244 Fri Jan 13 21:07 - 21:17 (00:09)
reboot system boot 124.149.9.0 Fri Jan 13 21:05 (1+12:53)
root pts/0 82.77.42.244 Fri Jan 13 20:59 - down (00:04)
root pts/0 82.77.42.244 Fri Jan 13 20:58 - 20:58 (00:00)
ftp pts/0 82.127.9.42 Fri Jan 13 20:16 - 20:16 (00:00)
root pts/0 195.7.14.148 Thu Jan 12 17:07 - 17:07 (00:00)
root pts/0 81.12.248.100 Thu Jan 12 14:45 - 14:59 (00:13)
reboot system boot 23.110.9.0 Thu Jan 12 14:43 (1+06:20)
root pts/1 81.12.248.100 Thu Jan 12 14:40 - down (00:00)
root pts/1 85.204.157.188 Wed Jan 11 18:27 - 14:40 (20:13)
root pts/1 85.204.157.188 Mon Jan 9 18:37 - 18:27 (1+23:49)
root pts/1 85.204.157.188 Mon Jan 9 18:22 - 18:37 (00:15)
root pts/1 85.204.157.188 Mon Jan 9 09:42 - 18:22 (08:40)
ftp pts/1 85.133.24.13 Sat Jan 7 14:46 - 09:42 (1+18:55)
ftp pts/1 204.10.140.190 Thu Jan 5 23:05 - 14:46 (1+15:40)
root pts/1 82.77.42.244 Thu Jan 5 12:25 - 23:05 (10:40)
root pts/1 82.77.42.244 Thu Jan 5 10:39 - 12:25 (01:46)
root pts/5 204.70.10.0 Thu Jan 5 10:22 - down (7+04:19)
root pts/4 167.224.4.0 Thu Jan 5 10:22 - 10:22 (00:00)
root pts/1 82.77.42.244 Thu Jan 5 10:21 - 10:39 (00:17)
root pts/1 83.103.169.218 Wed Jan 4 00:56 - 10:21 (1+09:25)
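The two grep commands in post #6 and the `last -i` listing above can be turned into a small triage script. The following is an added example (written for this page, not code from the thread or from any of its posters) that parses /var/log/secure lines of the shape shown above, strips the `::ffff:` prefix that sshd writes for IPv4 clients on an IPv6 socket, collapses the doubled entries (each event appears twice with consecutive PIDs, commonly a side effect of sshd's privilege separation in that era), counts failed passwords per source, and lists every accepted login whose source is not in a list of addresses you recognize. The log lines and the `KNOWN_IPS` set are constructed samples using documentation (TEST-NET) addresses, not the thread's real ones.

```python
import re
from collections import Counter, defaultdict

# Matches the sshd lines found in /var/log/secure. The trailing "ssh2" is not
# required because some lines in the thread's excerpt lack it.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def normalize_ip(ip):
    """Strip the IPv4-mapped prefix (::ffff:) sshd logs when bound to an IPv6 socket."""
    return ip[len("::ffff:"):] if ip.startswith("::ffff:") else ip


def parse_sshd_log(lines):
    """Return one record per authentication event.

    The thread's excerpts show every event twice with consecutive PIDs, so
    records are de-duplicated on everything except the PID.
    """
    seen = set()
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        rec = {k: m.group(k) for k in ("ts", "result", "method", "user", "port")}
        rec["ip"] = normalize_ip(m.group("ip"))
        key = (rec["ts"], rec["result"], rec["user"], rec["ip"], rec["port"])
        if key in seen:
            continue
        seen.add(key)
        events.append(rec)
    return events


def triage(events, known_ips, fail_threshold=5):
    """Flag password-guessing sources and successful logins from unknown addresses."""
    failed = Counter(e["ip"] for e in events if e["result"] == "Failed")
    brute_force = {ip: n for ip, n in failed.items() if n >= fail_threshold}
    unknown_logins = defaultdict(list)
    for e in events:
        if e["result"] == "Accepted" and e["ip"] not in known_ips:
            unknown_logins[e["ip"]].append((e["ts"], e["user"], e["method"]))
    return {"brute_force": brute_force, "unknown_logins": dict(unknown_logins)}


# Constructed sample in the same shape as the thread's /var/log/secure excerpts,
# using documentation (TEST-NET) addresses rather than the real ones.
SAMPLE_LOG = """\
Jan 13 11:46:48 host sshd[16848]: Failed password for root from ::ffff:203.0.113.30 port 52404 ssh2
Jan 13 11:46:48 host sshd[16849]: Failed password for root from ::ffff:203.0.113.30 port 52404 ssh2
Jan 13 11:46:51 host sshd[16850]: Failed password for root from ::ffff:203.0.113.30 port 52657 ssh2
Jan 13 11:46:51 host sshd[16851]: Failed password for root from ::ffff:203.0.113.30 port 52657 ssh2
Jan 13 11:47:04 host sshd[16860]: Failed password for root from ::ffff:203.0.113.30 port 54186 ssh2
Jan 13 11:47:07 host sshd[16862]: Failed password for root from ::ffff:203.0.113.30 port 54470 ssh2
Jan 13 11:47:29 host sshd[16878]: Failed password for root from ::ffff:203.0.113.30 port 57022 ssh2
Jan 13 11:47:35 host sshd[16882]: Failed password for root from ::ffff:203.0.113.30 port 57707 ssh2
Jan 13 20:58:00 host sshd[22465]: Accepted password for root from ::ffff:198.51.100.244 port 1368
Jan 13 20:58:00 host sshd[22466]: Accepted password for root from ::ffff:198.51.100.244 port 1368
Jan 13 20:16:50 host sshd[21576]: Accepted password for ftp from ::ffff:192.0.2.42 port 33022 ssh2
Jan 13 20:16:50 host sshd[21577]: Accepted password for ftp from ::ffff:192.0.2.42 port 33022 ssh2
Jan 13 23:09:00 host sshd[4623]: Failed password for invalid user admin from ::ffff:203.0.113.30 port 25730 ssh2
"""

# Assumption: the administrator's own address; every other source is "unknown".
KNOWN_IPS = {"198.51.100.244"}


def run_sample():
    """Run the triage over the constructed sample and return the report."""
    return triage(parse_sshd_log(SAMPLE_LOG.splitlines()), KNOWN_IPS)


if __name__ == "__main__":
    report = run_sample()
    for ip, n in report["brute_force"].items():
        print(f"{ip}: {n} failed passwords (password guessing)")
    for ip, logins in report["unknown_logins"].items():
        for ts, user, method in logins:
            print(f"{ts}: '{user}' logged in by {method} from unknown address {ip}")
```

Run it against a real file with `parse_sshd_log(open("/var/log/secure"))` and your own addresses in `KNOWN_IPS`; an accepted login for a service account such as `ftp`, or from any address outside the known set, is the line that matters, and the failure counts only tell you who was guessing.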
 
01-15-2006, 04:19 AM   #8
ilikejam
If there's been root logins from IP addresses you don't recognise, then you should consider your system cracked.

Are you in Romania, by any chance? Because that's where some of these IPs are located. There's one from a BT Internet block in the UK too.

Anyway, there's only one option available if you've had a root breakin - you'll have to reinstall from scratch, patch until you can't patch any more, and only then bring the system back online.

4 things:
1) Use a strong password
2) Don't use that password for anything else
3) Never, ever, allow root logins over ssh
4) In your sshd config, disallow everyone, then enable access for only those users you need to have ssh access. root is not one of them. Neither is ftp.

If you want root access over ssh, login as a normal user, then do 'su -' to get a root shell.

Dave

Last edited by ilikejam; 01-15-2006 at 04:24 AM.
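Points 3 and 4 above map onto two sshd_config directives, `PermitRootLogin` and `AllowUsers`. The following is an added example (written for this page, not Dave's code or anything from the OpenSSH project) that reads an sshd_config, reports the two weak settings, and writes a corrected version. It follows sshd's own parsing rules as far as they matter here: keywords are case-insensitive, `#` starts a comment, the first value seen for a keyword wins, and a `Match` block ends the global section. `WEAK_CONFIG` and the user name `alice` are constructed.

```python
import re

# Lines we replace outright when hardening (commented-out copies are left alone).
KEYS_TO_REPLACE = re.compile(r"^\s*(PermitRootLogin|AllowUsers)\b", re.IGNORECASE)


def parse_sshd_config(text):
    """Return the effective global settings of an sshd_config as a dict.

    Keywords are lower-cased; the first value for a keyword is kept, which is
    the rule sshd applies; a 'Match' line ends the global section.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(settings, never_allow=("root", "ftp")):
    """Return the findings a reviewer would raise against points 3 and 4."""
    findings = []
    # OpenSSH releases of the thread's era defaulted PermitRootLogin to 'yes',
    # so a missing directive is treated as the weak setting.
    root_login = settings.get("permitrootlogin", "yes").lower()
    if root_login != "no":
        findings.append(
            f"PermitRootLogin is '{root_login}'; set it to 'no' and use 'su -' after a normal login"
        )
    allowed = settings.get("allowusers", "").split()
    if not allowed:
        findings.append("AllowUsers is not set, so every account with a password may try ssh")
    for user in allowed:
        if user.lower() in never_allow:
            findings.append(f"AllowUsers grants ssh to '{user}', which should never log in remotely")
    return findings


def harden(text, allowed_users):
    """Rewrite the config so root cannot log in and only allowed_users may.

    Existing PermitRootLogin/AllowUsers lines are dropped and the hardened
    directives are placed first, which also wins under sshd's first-value rule
    and keeps them out of any Match block further down.
    """
    if not allowed_users:
        raise ValueError("AllowUsers needs at least one user or you lock yourself out")
    kept = [l for l in text.splitlines() if not KEYS_TO_REPLACE.match(l)]
    header = ["PermitRootLogin no", "AllowUsers " + " ".join(allowed_users)]
    return "\n".join(header + kept) + "\n"


# Constructed sample resembling a stock 2006-era sshd_config with the weak settings.
WEAK_CONFIG = """\
# constructed sample, not a real host's file
Port 22
Protocol 2
#PermitRootLogin yes
SyslogFacility AUTHPRIV
AllowUsers root ftp alice
"""


def run_sample():
    """Audit the weak config, harden it, and audit the result."""
    before = audit(parse_sshd_config(WEAK_CONFIG))
    hardened = harden(WEAK_CONFIG, ["alice"])
    after = audit(parse_sshd_config(hardened))
    return before, hardened, after


if __name__ == "__main__":
    before, hardened, after = run_sample()
    print("Findings before:", *before, sep="\n  ")
    print("\nHardened config:\n" + hardened)
    print("Findings after:", after)
```

The change only takes effect once sshd is reloaded, so keep the session you are editing from open and confirm a fresh login as the allowed user works before closing it; a typo in `AllowUsers` locks everyone out.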
 
01-16-2006, 12:55 AM   #9
istvank (Original Poster)
Yes, I'm from Romania. Any ssh or ftp access from anywhere but Romania is a hack attempt.
How can I prevent the root user from logging in via ssh?
 
01-16-2006, 01:13 AM   #10
istvank (Original Poster)
These are all I don't recognize:

Jan 9 09:42:00 hostname sshd[20920]: Accepted password for root from ::ffff:85.204.157.188 port 3098 ssh2
Jan 9 09:42:00 hostname sshd[20921]: Accepted password for root from ::ffff:85.204.157.188 port 3098 ssh2
Jan 9 18:22:14 hostname sshd[26313]: Accepted password for root from ::ffff:85.204.157.188 port 1261 ssh2
Jan 9 18:22:14 hostname sshd[26314]: Accepted password for root from ::ffff:85.204.157.188 port 1261 ssh2
Jan 9 18:37:54 hostname sshd[26514]: Accepted password for root from ::ffff:85.204.157.188 port 1661 ssh2
Jan 9 18:37:54 hostname sshd[26515]: Accepted password for root from ::ffff:85.204.157.188 port 1661 ssh2
Jan 11 18:27:09 hostname sshd[20555]: Accepted password for root from ::ffff:85.204.157.188 port 2341 ssh2
Jan 11 18:27:09 hostname sshd[20556]: Accepted password for root from ::ffff:85.204.157.188 port 2341 ssh2
Jan 12 17:07:17 hostname sshd[4773]: Accepted password for root from ::ffff:195.7.14.148 port 1944 ssh2
Jan 12 17:07:17 hostname sshd[4774]: Accepted password for root from ::ffff:195.7.14.148 port 1944 ssh2

root pts/0 195.7.14.148 Thu Jan 12 17:07 - 17:07 (00:00)
root pts/1 85.204.157.188 Wed Jan 11 18:27 - 14:40 (20:13)
root pts/5 204.70.10.0 Thu Jan 5 10:22 - down (7+04:19)
root pts/4 167.224.4.0 Thu Jan 5 10:22 - 10:22 (00:00)
root pts/1 83.103.169.218 Wed Jan 4 00:56 - 10:21 (1+09:25)

Here I see 3 IPs which are listed in the /var/log/secure1-4. Why?
 
01-16-2006, 01:20 AM   #11
istvank (Original Poster)
I would like to wait a while to see if there are any more attempts. How can I track those potential attempts?
 
01-16-2006, 03:42 AM   #12
btmiller
If person or persons unknown have gained root access on your system, you really do need to reformat and reinstall. If a nonprivileged account is compromised it is often possible to clean up the damage and move on (running forensics to make sure that the compromised account did not lead to a local root compromise). However, if an intruder has root access, he, she, or it had the opportunity to overwrite any file on the filesystem and to load modules into the kernel that can change its behavior. In short, you cannot trust any software on that system. The attacker might have even installed a trojaned sshd that does not log future attempts from his or her IP -- you never know. At the very, very least you should boot off read-only media (e.g. a Knoppix CD) and run chkrootkit, rkhunter, and any other system analysis tool that might spring to mind (you can use RPM to verify the checksums of your files, but don't trust the system rpm binary or the checksum binary, use ones from rescue media). But really you need to reinstall to be safe. I suggest reading the CERT guidelines on incident recovery. I would also recommend the security resources thread stickied at the top of this forum.

In general use strong passwords and don't let root login via ssh. I sometimes get a bit lazy about the latter, since it's convenient to allow direct root logins sometimes (e.g. for rsync over ssh). Also read the security guidelines posted in this forum -- good luck!
 
02-20-2006, 03:01 AM   #13
istvank (Original Poster)
Well, I waited a while. I blocked almost all the ssh accesses. Now the last -i command looks like this:

root pts/0 81.12.248.100 Mon Feb 20 10:48 still logged in
root pts/0 82.77.43.67 Sat Feb 11 18:49 - 18:51 (00:01)
root pts/0 82.77.42.244 Fri Feb 10 22:45 - 22:48 (00:03)
root pts/0 81.12.248.100 Fri Feb 10 10:31 - 10:58 (00:27)
root pts/2 161.64.6.0 Fri Feb 10 10:27 still logged in (unknown IP)
root pts/1 209.122.4.0 Fri Feb 10 10:27 - 10:27 (00:00) (unknown IP)
root pts/0 81.12.248.100 Fri Feb 10 10:26 - 10:28 (00:02)
root pts/0 81.12.248.100 Thu Feb 9 19:09 - 19:12 (00:02)
root pts/0 82.77.42.244 Sat Feb 4 14:02 - 14:05 (00:03)
root pts/0 81.12.248.100 Thu Feb 2 14:41 - 15:03 (00:21)
reboot system boot 160.253.11.0 Thu Feb 2 10:11 (18+00:36)
root pts/0 82.77.42.244 Wed Feb 1 17:48 - 17:49 (00:00)


My questions:

I see 2 IPs unknown to me. What kind of IPs are they, ending with .0???
What is the difference between pts/0 pts/1 pts/2?
The reason why I still didn't reinstall this server is because of qmail. I have something like 30 email addresses on it and I still don't know a way to reinstall it without recreating all the mailboxes and accesses. Any suggestions??

10x
 
02-20-2006, 08:36 AM   #14
ilikejam
I've never seen .0 listed as an IP address in a log before. The .0 address is the network subnet address. It could be a cloaking measure by your friendly local cracker.
The pts/X numbers are the virtual terminals. The first person to log in gets pts/0. The second person in gets pts/1 and so on.

Suggestions? Get the machine offline. Now. I wouldn't trust that machine to run a screensaver, let alone a mail server.

Dave

Edit: subnet address, not broadcast.

Last edited by ilikejam; 02-23-2006 at 04:25 PM.
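The two questions in post #13 can be checked mechanically. The following is an added example (written for this page, not Dave's or the original poster's code) that parses `last -i` output, flags the entries whose address ends in `.0` as Dave describes plus any address not in a list you recognize, and lists which pseudo-terminal (pts/N) each still-open session is on, which is what tells two concurrent sessions apart. It also treats `0.0.0.0`, which `last -i` prints for a login that recorded no network address such as a console login, as local rather than suspicious. The sample listing and the known-address set are constructed with documentation (TEST-NET) addresses.

```python
import re

# One "last -i" line: user, tty (or "system boot"), address, start time, remainder.
# Column spacing is not assumed, so both aligned output and the thread's
# whitespace-collapsed copy parse.
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>pts/\d+|tty\S*|system boot)\s+(?P<host>\S+)\s+"
    r"(?P<start>\w{3} \w{3}\s+\d+ \d\d:\d\d)\s*(?P<rest>.*)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_last(text):
    """Parse 'last -i' output into session records; the 'wtmp begins' trailer is skipped."""
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["active"] = "still logged in" in rec["rest"]
        sessions.append(rec)
    return sessions


def suspicious_sessions(sessions, known_ips):
    """Flag records whose address is a network (.0) address or is not in known_ips.

    Returns (user, tty, host, still_active, reasons) tuples in listing order.
    """
    flagged = []
    for s in sessions:
        host = s["host"]
        if host == "0.0.0.0":
            continue  # no address recorded: a local console login, not a network one
        reasons = []
        if IPV4_RE.match(host) and host.endswith(".0"):
            reasons.append("address ends in .0 (a network address, not a host)")
        # The reboot line's address column is not a login source, so only the .0 oddity applies to it.
        if s["user"] != "reboot" and host not in known_ips:
            reasons.append("address not in the known list")
        if reasons:
            flagged.append((s["user"], s["tty"], host, s["active"], reasons))
    return flagged


def active_ttys(sessions):
    """Map each still-open session to its pseudo-terminal so sessions can be told apart."""
    return [(s["tty"], s["user"], s["host"]) for s in sessions if s["active"]]


# Constructed sample in the shape of the thread's 'last -i' listing.
SAMPLE_LAST = """\
root     pts/0        198.51.100.100   Mon Feb 20 10:48   still logged in
root     pts/2        203.0.113.0      Fri Feb 10 10:27   still logged in
root     pts/1        192.0.2.0        Fri Feb 10 10:27 - 10:27  (00:00)
root     pts/0        198.51.100.100   Fri Feb 10 10:26 - 10:28  (00:02)
reboot   system boot  203.0.113.0      Thu Feb  2 10:11          (18+00:36)
root     tty1         0.0.0.0          Thu Feb  2 10:05 - 10:10  (00:05)
ftp      pts/0        192.0.2.218      Sun Jan 15 06:35 - 06:35  (00:00)

wtmp begins Sun Jan  1 00:00:00 2006
"""

# Assumption: the administrator's own address.
KNOWN_IPS = {"198.51.100.100"}


def run_sample():
    """Parse the constructed listing and return (flagged entries, open sessions)."""
    sessions = parse_last(SAMPLE_LAST)
    return suspicious_sessions(sessions, KNOWN_IPS), active_ttys(sessions)


if __name__ == "__main__":
    flagged, open_sessions = run_sample()
    for user, tty, host, active, reasons in flagged:
        state = "OPEN" if active else "closed"
        print(f"{user:6} {tty:12} {host:16} {state:6} " + "; ".join(reasons))
    print("\nStill logged in:", open_sessions)
```

Feed it real output with `parse_last(subprocess.run(["last", "-i"], capture_output=True, text=True).stdout)`; a flagged session that is still open is identified by its pts name, which is the handle you need when deciding what to do about it. The `.0` check is a heuristic for the oddity Dave points out, not proof by itself, so read the flagged lines alongside /var/log/secure for the same times.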
 
02-21-2006, 12:14 AM   #15
istvank (Original Poster)
Before getting the machine offline, please tell me how I can "kick" another login, or close an active "unfriendly" session.
 
  


All times are GMT -5.