LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-24-2006, 02:49 AM   #31
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 54

We will see - won't we?
There were root logins from all over the world a short time after boot and your setup is still the same as it was...with no change to root access over ssh from outside, I suppose. It does not have to be a weak password - there are many ways...and root logins from the outside shouldn't even be possible from the beginning...
I'd recommend knowing over believing...Good Luck! - that's what it is...
 
Old 02-24-2006, 04:01 AM   #32
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
I'm pretty sure it's not a security problem.
If you want to track the problematic process, you have to give us some information.

What session manager are you using? xdm/gdm/..?

What Xserver are you using? Xfree/Xorg , which version?

What terminal are you using? xterm/..?

Which libc exact version are you using?

What gives last -o?

I think it's a kind of bug like Capt_Caveman said. I even think I had the same with an old libc6 version.
 
Old 02-24-2006, 11:55 PM   #33
istvank
Member
 
Registered: Dec 2005
Distribution: CentOS 5.8
Posts: 34

Original Poster
Rep: Reputation: 15
I was wrong! Check this!

root pts/0 82.77.43.66 Sat Feb 25 07:46 still logged in
root pts/3 82.77.43.66 Fri Feb 24 19:30 - 19:49 (00:18)
root pts/0 82.77.43.66 Fri Feb 24 19:14 - 21:27 (02:13)
root pts/0 82.77.42.244 Fri Feb 24 18:37 - 19:13 (00:35)
root pts/4 164.71.0.0 Fri Feb 24 16:51 still logged in(hostile IP)
root pts/3 43.52.7.0 Fri Feb 24 16:50 - 16:52 (00:01)(hostile IP)
root pts/4 154.255.2.0 Fri Feb 24 16:48 - 16:51 (00:02)(hostile IP)
root pts/3 86.202.10.0 Fri Feb 24 16:48 - 16:49 (00:01)(hostile IP)
root pts/4 21.111.8.0 Fri Feb 24 16:47 - 16:48 (00:01)(hostile IP)
root pts/3 170.44.10.0 Fri Feb 24 16:47 - 16:47 (00:00)(hostile IP)
root pts/3 50.88.12.0 Fri Feb 24 16:39 - 16:46 (00:07)(hostile IP)
root pts/3 211.236.7.0 Fri Feb 24 16:34 - 16:36 (00:02)(hostile IP)
root pts/0 81.12.248.100 Fri Feb 24 16:22 - 17:30 (01:08)
root pts/0 81.12.248.100 Fri Feb 24 08:43 - 14:00 (05:17)
root pts/1 81.12.248.100 Thu Feb 23 15:23 - 15:25 (00:02)
root pts/4 80.86.108.34 Thu Feb 23 10:21 - 12:54 (02:33)
root pts/1 80.86.108.34 Thu Feb 23 09:38 - 12:12 (02:33)
root pts/3 80.86.108.34 Thu Feb 23 08:17 - 11:26 (03:08)
root pts/2 80.86.108.34 Thu Feb 23 08:03 - 11:12 (03:08)
root pts/0 81.12.248.100 Thu Feb 23 07:58 - 14:37 (06:39)
reboot system boot 147.117.12.0 Thu Feb 23 07:43 (2+00:05)

The weird thing is that all these logins were recorded while I was logged in.

Last edited by istvank; 02-25-2006 at 12:16 AM.
 
Old 02-24-2006, 11:56 PM   #34
istvank
Member
 
Registered: Dec 2005
Distribution: CentOS 5.8
Posts: 34

Original Poster
Rep: Reputation: 15
last -o
system boot ~~ Thu Jan 1 02:00 (13204+05:52
system boot ~~ Thu Jan 1 02:00 (13204+05:52
system boot ~~ Thu Jan 1 02:00 (00:00)
system boot ~~ Thu Jan 1 02:00 (00:00)
system boot ~~ Thu Jan 1 02:00 (00:00)
system boot ~~ Thu Jan 1 02:00 (00:00)
 
Old 02-25-2006, 12:00 AM   #35
istvank
Member
 
Registered: Dec 2005
Distribution: CentOS 5.8
Posts: 34

Original Poster
Rep: Reputation: 15
Why can't I see here any successful login from any hostile IP??

cat /var/log/secure |grep Accepted
Feb 22 14:50:34 localhost sshd[5572]: Accepted password for root from ::ffff:80.86.108.34 port 52324 ssh2
Feb 22 15:32:00 localhost sshd[6677]: Accepted password for root from ::ffff:81.12.248.100 port 1602
Feb 22 15:39:45 localhost sshd[12545]: Accepted password for root from ::ffff:81.12.248.100 port 1624
Feb 22 16:55:27 localhost sshd[3054]: Accepted password for root from ::ffff:81.12.248.100 port 1916
Feb 22 16:58:08 localhost sshd[3597]: Accepted password for root from ::ffff:81.12.248.100 port 1920
Feb 22 17:17:46 localhost sshd[3483]: Accepted password for root from ::ffff:81.12.248.100 port 1937
Feb 22 17:24:20 localhost sshd[12843]: Accepted password for root from ::ffff:80.86.108.34 port 52802 ssh2
Feb 22 18:34:08 localhost sshd[10808]: Accepted password for root from ::ffff:81.12.248.100 port 2329
Feb 22 18:52:57 xxxx sshd[5099]: Accepted password for root from ::ffff:81.12.248.100 port 2404
Feb 22 19:04:09 xxxx sshd[20495]: Accepted password for root from ::ffff:81.12.248.100 port 2452
Feb 23 07:58:05 xxxx sshd[21684]: Accepted password for root from ::ffff:81.12.248.100 port 4360
Feb 23 08:03:24 xxxx sshd[29117]: Accepted password for root from ::ffff:80.86.108.34 port 57120 ssh2
Feb 23 08:17:59 xxxx sshd[15585]: Accepted password for root from ::ffff:80.86.108.34 port 57633 ssh2
Feb 23 09:38:39 xxxx sshd[10549]: Accepted password for root from ::ffff:80.86.108.34 port 58616 ssh2
Feb 23 10:21:27 xxxx sshd[11821]: Accepted password for root from ::ffff:80.86.108.34 port 58712 ssh2
Feb 23 15:23:21 xxxx sshd[16441]: Accepted password for root from ::ffff:81.12.248.100 port 2671
Feb 24 08:43:11 xxxx sshd[28432]: Accepted password for root from ::ffff:81.12.248.100 port 4452
Feb 24 16:22:06 xxxx sshd[2205]: Accepted password for root from ::ffff:81.12.248.100 port 2985
Feb 24 18:37:27 xxxx sshd[6186]: Accepted password for root from ::ffff:82.77.42.244 port 1063
Feb 24 19:14:10 xxxx sshd[7196]: Accepted password for root from ::ffff:82.77.43.66 port 1165

Last edited by istvank; 02-25-2006 at 12:02 AM.
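The check the poster is doing by eye above (comparing what `last -i` shows against the `Accepted` lines sshd wrote to /var/log/secure) can be scripted. This is an added example, not code from the thread; the sample `last` and sshd lines are constructed in the same format as the post, using RFC 5737 test addresses rather than the real hosts. A pts session with no matching sshd acceptance for the same user, source and minute is either a non-ssh login (vnc, console, a bogus wtmp record as discussed later in the thread) or a sign that the logs disagree, which is the thing worth investigating.

```python
import re

# Constructed sample of `last -i` output (wtmp) in the thread's format.
LAST_OUTPUT = """\
root pts/0 192.0.2.10 Fri Feb 24 19:14 - 21:27 (02:13)
root pts/4 203.0.113.0 Fri Feb 24 16:51 still logged in
root pts/3 198.51.100.0 Fri Feb 24 16:50 - 16:52 (00:01)
root pts/0 192.0.2.10 Fri Feb 24 16:22 - 17:30 (01:08)
reboot system boot 192.0.2.1 Thu Feb 23 07:43 (2+00:05)
"""

# Constructed sample of `grep Accepted /var/log/secure` in the thread's format.
SECURE_LOG = """\
Feb 24 16:22:06 xxxx sshd[2205]: Accepted password for root from ::ffff:192.0.2.10 port 2985
Feb 24 19:14:10 xxxx sshd[7196]: Accepted password for root from ::ffff:192.0.2.10 port 1165
"""

# user, tty, source host, weekday, month, day, HH:MM ("reboot" lines do not match).
LAST_RE = re.compile(
    r"^(\S+)\s+(pts/\d+|tty\d+)\s+(\S+)\s+\w{3}\s+(\w{3})\s+(\d+)\s+(\d\d:\d\d)")
# month, day, HH:MM, user, host; the ::ffff: IPv4-mapped prefix sshd logs is dropped.
SSHD_RE = re.compile(
    r"^(\w{3})\s+(\d+)\s+(\d\d:\d\d):\d\d\s+\S+\s+sshd\[\d+\]: Accepted \w+ for (\S+)"
    r" from (?:::ffff:)?(\S+) port")


def parse_last(text):
    """Return the interactive (pts/tty) sessions from `last -i` output."""
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if m:
            user, tty, host, mon, day, hhmm = m.groups()
            sessions.append({"user": user, "tty": tty, "host": host,
                             "start": f"{mon} {int(day):02d} {hhmm}"})
    return sessions


def parse_accepted(text):
    """Return {(user, host, 'Mon DD HH:MM')} for every sshd 'Accepted' line."""
    accepted = set()
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            mon, day, hhmm, user, host = m.groups()
            accepted.add((user, host, f"{mon} {int(day):02d} {hhmm}"))
    return accepted


def unexplained_sessions(last_text, secure_text):
    """wtmp sessions with no sshd acceptance for the same user, host and minute."""
    accepted = parse_accepted(secure_text)
    return [s for s in parse_last(last_text)
            if (s["user"], s["host"], s["start"]) not in accepted]
```

Only sessions that sshd itself accepted can be explained this way; as gilead notes later, both files are writable by root, so agreement between them is evidence, not proof.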
 
Old 02-25-2006, 12:11 AM   #36
istvank
Member
 
Registered: Dec 2005
Distribution: CentOS 5.8
Posts: 34

Original Poster
Rep: Reputation: 15
Why can't I see anything here:
Feb 24 16:30:01 xxxx crond(pam_unix)[2428]: session opened for user root by (uid=0)
Feb 24 16:30:01 xxxx crond(pam_unix)[2429]: session opened for user root by (uid=0)
Feb 24 16:30:01 xxxx crond(pam_unix)[2429]: session closed for user root
Feb 24 16:30:01 xxxx crond(pam_unix)[2428]: session closed for user root
Feb 24 16:32:47 xxxx iptables: succeeded
Feb 24 16:35:01 xxxx crond(pam_unix)[2681]: session opened for user root by (uid=0)
Feb 24 16:35:01 xxxx crond(pam_unix)[2680]: session opened for user root by (uid=0)
Feb 24 16:35:02 xxxx crond(pam_unix)[2681]: session closed for user root
Feb 24 16:35:02 xxxx crond(pam_unix)[2680]: session closed for user root
Feb 24 16:40:01 xxxx crond(pam_unix)[2861]: session opened for user root by (uid=0)
Feb 24 16:40:01 xxxx crond(pam_unix)[2862]: session opened for user root by (uid=0)
Feb 24 16:40:01 xxxx crond(pam_unix)[2862]: session closed for user root
Feb 24 16:40:02 xxxx crond(pam_unix)[2861]: session closed for user root
Feb 24 16:45:01 xxxx crond(pam_unix)[2956]: session opened for user root by (uid=0)
Feb 24 16:45:01 xxxx crond(pam_unix)[2957]: session opened for user root by (uid=0)
Feb 24 16:45:01 xxxx crond(pam_unix)[2957]: session closed for user root
Feb 24 16:45:01 xxxx crond(pam_unix)[2956]: session closed for user root
Feb 24 16:47:10 xxxx gconfd (root-3142): starting (version 2.8.1), pid 3142 user 'root'
Feb 24 16:47:10 xxxx gconfd (root-3142): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Feb 24 16:47:10 xxxx gconfd (root-3142): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 1
Feb 24 16:47:10 xxxx gconfd (root-3142): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Feb 24 16:47:53 xxxx gconfd (root-3142): Received signal 15, shutting down cleanly
Feb 24 16:47:53 xxxx gconfd (root-3142): Exiting
Feb 24 16:48:07 xxxx gconfd (root-3290): starting (version 2.8.1), pid 3290 user 'root'
Feb 24 16:48:07 xxxx gconfd (root-3290): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Feb 24 16:48:07 xxxx gconfd (root-3290): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 1
Feb 24 16:48:07 xxxx gconfd (root-3290): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
 
Old 02-25-2006, 12:25 AM   #37
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,138

Rep: Reputation: 168
Sorry to just jump in at the end...

But I'm surprised the entries showing the accepted passwords are still there. It would have been smarter for an intruder to modify your logs and install binaries that don't log. You can set up ssh so that root can't login directly and to only use keys instead of passwords. I use the following in my /etc/ssh/sshd_config file (there are plenty of other examples around on the web):
Code:
Protocol 2
PermitRootLogin no
PasswordAuthentication no
Subsystem	sftp	/usr/libexec/sftp-server
All my other settings are at the default value, so I'd recommend you do searches in case you have requirements beyond these.
 
Old 02-25-2006, 12:29 AM   #38
istvank
Member
 
Registered: Dec 2005
Distribution: CentOS 5.8
Posts: 34

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by nx5000
What session manager are you using? xdm/gdm/..?
I have KDE
Quote:
Originally Posted by nx5000
What Xserver are you using? Xfree/Xorg , which version?
I don't know! How can I know? I have both on my system, but I don't know which one I'm using. I don't really use the graphical interface. I just set up a vncserver and made a few tests with Firefox. The system is running on init level 3; I guess the Xserver or the session manager is not even loaded, maybe only when I connect with vnc.
Quote:
Originally Posted by nx5000
What terminal are you using? xterm/..?
I don't know! How can I know? I have xterm on my system...
Quote:
Originally Posted by nx5000
Which libc exact version are you using?
I don't know! How can I find out? I made a complete system update with yum right after the installation.
Is this one?
rpm -qa glibc
glibc-2.3.4-2.13
Quote:
Originally Posted by nx5000
What gives last -o?
see above

Last edited by istvank; 02-25-2006 at 12:33 AM.
 
Old 02-25-2006, 01:14 AM   #39
istvank
Member
 
Registered: Dec 2005
Distribution: CentOS 5.8
Posts: 34

Original Poster
Rep: Reputation: 15
HAHA! I killed kde:
dcop --all-users ksmserver ksmserver logout 0 2 0
and look at the last -i
root pts/5 82.77.43.66 Sat Feb 25 08:03 still logged in
root pts/0 82.77.43.66 Sat Feb 25 07:46 still logged in
root pts/3 82.77.43.66 Fri Feb 24 19:30 - 19:49 (00:18)
root pts/0 82.77.43.66 Fri Feb 24 19:14 - 21:27 (02:13)
root pts/0 82.77.42.244 Fri Feb 24 18:37 - 19:13 (00:35)
root pts/4 164.71.0.0 Fri Feb 24 16:51 gone - no logout(hostile IP)
root pts/3 43.52.7.0 Fri Feb 24 16:50 - 16:52 (00:01)(hostile IP)
root pts/4 154.255.2.0 Fri Feb 24 16:48 - 16:51 (00:02)(hostile IP)
root pts/3 86.202.10.0 Fri Feb 24 16:48 - 16:49 (00:01)(hostile IP)
root pts/4 21.111.8.0 Fri Feb 24 16:47 - 16:48 (00:01)(hostile IP)

Comments??

Last edited by istvank; 02-27-2006 at 11:52 PM.
 
Old 02-25-2006, 03:51 AM   #40
istvank
Member
 
Registered: Dec 2005
Distribution: CentOS 5.8
Posts: 34

Original Poster
Rep: Reputation: 15
And now I rebooted and started vnc connection, et voila:
root pts/2 187.55.12.0 Sat Feb 25 11:43 still logged in(hostile IP)
root pts/1 77.176.7.0 Sat Feb 25 11:43 - 11:43 (00:00)(hostile IP)
root pts/0 82.77.43.66 Sat Feb 25 11:40 still logged in
reboot system boot 218.192.12.0 Sat Feb 25 09:57 (01:47)

So, as nx5000 said, it's pretty sure that it is not a security problem. It's something related to KDE or VNC.

Last edited by istvank; 02-27-2006 at 11:52 PM.
 
Old 02-27-2006, 06:19 AM   #41
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Lots of IPs to read, I'm a bit lost, which ones are in Romania, which ones are in Korea ...

Have you found the problematic app?
 
Old 02-27-2006, 08:58 AM   #42
Malec
LQ Newbie
 
Registered: Feb 2006
Posts: 2

Rep: Reputation: 0
root pts/1 209.122.4.0 Fri Feb 10 10:27 - 10:27 (00:00) (unknown IP)
-------------------------------------------

You can get a .0 address for example if you have a network that merges over typical logical sets.

For example - Network 192.168.1.0/23 Host range: 1.1 - 2.254

This could explain the .0, though these are not common since most people typically logically block their networks.
 
Old 02-27-2006, 11:56 PM   #43
istvank
Member
 
Registered: Dec 2005
Distribution: CentOS 5.8
Posts: 34

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by nx5000
Lots of IPs to read, I'm a bit lost, which ones are in Romania, which ones are in Korea ...

Have you found the problematic app?
Yes, I found the problematic application. When KDE or VNC is launched a bunch of hostile IPs will show up in the last -i command. One of the hostile IPs will show "still logged in" until I shut down KDE completely.

What do you think folks?

This scenario makes me think that my server was ok even before the reinstallation. The root password change before the reinstallation seemed to solve the problem, because the rest of the hostile connections were generated by KDE.

Last edited by istvank; 02-27-2006 at 11:59 PM.
 
Old 02-28-2006, 05:25 PM   #44
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
What do you think folks?
The only way you can really be sure is by installing that version of Cent on a test box with no network connections at all. You don't need to rebuild the server, just throw it on any box you have available. Just make sure that it doesn't have any network connections at all. If IPs start appearing anytime you start KDE or VNC, *then* you can be absolutely sure.

This does sound very similar to the bug that appeared in Redhat/Fedora/Mandrake/SuSE. However it does appear to be slightly different, especially with it occurring with VNC. Here are the bug reports for that older bug (that's been fixed in those distros):

https://bugzilla.redhat.com/bugzilla...g.cgi?id=82540
https://bugzilla.redhat.com/bugzilla...g.cgi?id=98659
http://www.linuxquestions.org/questi...573#post830573
 