Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
02-24-2006, 03:49 AM, #31 | Senior Member, Registered: May 2004, Location: Leipzig/Germany, Distribution: Arch, Posts: 1,687
We will see - won't we?
There were root logins from all over the world a short time after boot, and your setup is still the same as it was...with no change to root access over ssh from outside, I suppose. It does not have to be a weak password - there are many ways...and root logins from the outside shouldn't even be possible from the beginning...
I'd recommend knowing over believing...Good luck! - that's what it is...
02-24-2006, 05:01 AM, #32 | Senior Member, Registered: Sep 2005, Location: Out, Posts: 3,307
I'm pretty sure it's not a security problem.
If you want to track the problematic process, you have to give us some information.
What session manager are you using? xdm/gdm/..?
What Xserver are you using? Xfree/Xorg , which version?
What terminal are you using? xterm/..?
Which libc exact version are you using?
What gives last -o?
I think it's a kind of bug, like Capt_Caveman said. I even think I had the same with an old libc6 version.
02-25-2006, 12:55 AM, #33 | Member, Registered: Dec 2005, Distribution: CentOS 5.8, Posts: 34, Original Poster
I was wrong! Check this!
root pts/0 82.77.43.66 Sat Feb 25 07:46 still logged in
root pts/3 82.77.43.66 Fri Feb 24 19:30 - 19:49 (00:18)
root pts/0 82.77.43.66 Fri Feb 24 19:14 - 21:27 (02:13)
root pts/0 82.77.42.244 Fri Feb 24 18:37 - 19:13 (00:35)
root pts/4 164.71.0.0 Fri Feb 24 16:51 still logged in(hostile IP)
root pts/3 43.52.7.0 Fri Feb 24 16:50 - 16:52 (00:01)(hostile IP)
root pts/4 154.255.2.0 Fri Feb 24 16:48 - 16:51 (00:02)(hostile IP)
root pts/3 86.202.10.0 Fri Feb 24 16:48 - 16:49 (00:01)(hostile IP)
root pts/4 21.111.8.0 Fri Feb 24 16:47 - 16:48 (00:01)(hostile IP)
root pts/3 170.44.10.0 Fri Feb 24 16:47 - 16:47 (00:00)(hostile IP)
root pts/3 50.88.12.0 Fri Feb 24 16:39 - 16:46 (00:07)(hostile IP)
root pts/3 211.236.7.0 Fri Feb 24 16:34 - 16:36 (00:02)(hostile IP)
root pts/0 81.12.248.100 Fri Feb 24 16:22 - 17:30 (01:08)
root pts/0 81.12.248.100 Fri Feb 24 08:43 - 14:00 (05:17)
root pts/1 81.12.248.100 Thu Feb 23 15:23 - 15:25 (00:02)
root pts/4 80.86.108.34 Thu Feb 23 10:21 - 12:54 (02:33)
root pts/1 80.86.108.34 Thu Feb 23 09:38 - 12:12 (02:33)
root pts/3 80.86.108.34 Thu Feb 23 08:17 - 11:26 (03:08)
root pts/2 80.86.108.34 Thu Feb 23 08:03 - 11:12 (03:08)
root pts/0 81.12.248.100 Thu Feb 23 07:58 - 14:37 (06:39)
reboot system boot 147.117.12.0 Thu Feb 23 07:43 (2+00:05)
The weird thing is that all these logins were recorded while I was logged in.
Last edited by istvank; 02-25-2006 at 01:16 AM.
02-25-2006, 12:56 AM, #34 | Member, Registered: Dec 2005, Distribution: CentOS 5.8, Posts: 34, Original Poster
last -o
system boot ~~ Thu Jan 1 02:00 (13204+05:52
system boot ~~ Thu Jan 1 02:00 (13204+05:52
system boot ~~ Thu Jan 1 02:00 (00:00)
system boot ~~ Thu Jan 1 02:00 (00:00)
system boot ~~ Thu Jan 1 02:00 (00:00)
system boot ~~ Thu Jan 1 02:00 (00:00)
02-25-2006, 01:00 AM, #35 | Member, Registered: Dec 2005, Distribution: CentOS 5.8, Posts: 34, Original Poster
Why can't I see any successful login from any hostile IP here?
cat /var/log/secure |grep Accepted
Feb 22 14:50:34 localhost sshd[5572]: Accepted password for root from ::ffff:80.86.108.34 port 52324 ssh2
Feb 22 15:32:00 localhost sshd[6677]: Accepted password for root from ::ffff:81.12.248.100 port 1602
Feb 22 15:39:45 localhost sshd[12545]: Accepted password for root from ::ffff:81.12.248.100 port 1624
Feb 22 16:55:27 localhost sshd[3054]: Accepted password for root from ::ffff:81.12.248.100 port 1916
Feb 22 16:58:08 localhost sshd[3597]: Accepted password for root from ::ffff:81.12.248.100 port 1920
Feb 22 17:17:46 localhost sshd[3483]: Accepted password for root from ::ffff:81.12.248.100 port 1937
Feb 22 17:24:20 localhost sshd[12843]: Accepted password for root from ::ffff:80.86.108.34 port 52802 ssh2
Feb 22 18:34:08 localhost sshd[10808]: Accepted password for root from ::ffff:81.12.248.100 port 2329
Feb 22 18:52:57 xxxx sshd[5099]: Accepted password for root from ::ffff:81.12.248.100 port 2404
Feb 22 19:04:09 xxxx sshd[20495]: Accepted password for root from ::ffff:81.12.248.100 port 2452
Feb 23 07:58:05 xxxx sshd[21684]: Accepted password for root from ::ffff:81.12.248.100 port 4360
Feb 23 08:03:24 xxxx sshd[29117]: Accepted password for root from ::ffff:80.86.108.34 port 57120 ssh2
Feb 23 08:17:59 xxxx sshd[15585]: Accepted password for root from ::ffff:80.86.108.34 port 57633 ssh2
Feb 23 09:38:39 xxxx sshd[10549]: Accepted password for root from ::ffff:80.86.108.34 port 58616 ssh2
Feb 23 10:21:27 xxxx sshd[11821]: Accepted password for root from ::ffff:80.86.108.34 port 58712 ssh2
Feb 23 15:23:21 xxxx sshd[16441]: Accepted password for root from ::ffff:81.12.248.100 port 2671
Feb 24 08:43:11 xxxx sshd[28432]: Accepted password for root from ::ffff:81.12.248.100 port 4452
Feb 24 16:22:06 xxxx sshd[2205]: Accepted password for root from ::ffff:81.12.248.100 port 2985
Feb 24 18:37:27 xxxx sshd[6186]: Accepted password for root from ::ffff:82.77.42.244 port 1063
Feb 24 19:14:10 xxxx sshd[7196]: Accepted password for root from ::ffff:82.77.43.66 port 1165
Last edited by istvank; 02-25-2006 at 01:02 AM.
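As an added example (not part of the thread and not the OP's code), here is the comparison the OP is doing by eye in the two posts above, done programmatically: every session that `last -i` reports with a remote address is matched against an sshd "Accepted" line for the same user and address within two minutes of the login time, one sshd login per session, and whatever is left over is reported. The `last` and `/var/log/secure` lines are constructed from the output posted in the thread; the year (2006) is assumed, since neither `last` nor classic syslog records one; and the reboot-record check assumes `last -i` normally shows 0.0.0.0 for reboot entries. The check is only meaningful if neither wtmp nor the log has been edited: an intruder with root can make both agree, which is the point the next reply makes.

```python
"""Cross-check `last -i` sessions against sshd 'Accepted' records."""
import re
from datetime import datetime, timedelta

# Assumed year: neither `last` nor classic syslog prints one.
YEAR = 2006

# Constructed sample, modelled on the output posted in the thread.
LAST_OUTPUT = """\
root     pts/0        82.77.43.66      Sat Feb 25 07:46   still logged in
root     pts/4        164.71.0.0       Fri Feb 24 16:51   still logged in
root     pts/3        43.52.7.0        Fri Feb 24 16:50 - 16:52  (00:01)
root     pts/0        81.12.248.100    Fri Feb 24 16:22 - 17:30  (01:08)
root     pts/4        80.86.108.34     Thu Feb 23 10:21 - 12:54  (02:33)
reboot   system boot  147.117.12.0     Thu Feb 23 07:43          (2+00:05)
"""

# Constructed sample of /var/log/secure; the cron line shows that
# non-sshd entries are ignored.
SECURE_LOG = """\
Feb 23 10:21:27 xxxx sshd[11821]: Accepted password for root from ::ffff:80.86.108.34 port 58712 ssh2
Feb 24 16:22:06 xxxx sshd[2205]: Accepted password for root from ::ffff:81.12.248.100 port 2985
Feb 24 16:30:01 xxxx crond(pam_unix)[2428]: session opened for user root by (uid=0)
Feb 25 07:46:02 xxxx sshd[9120]: Accepted password for root from ::ffff:82.77.43.66 port 1201
"""

# `last` columns: user, tty (which is "system boot" for reboot records),
# address, weekday, month, day, HH:MM, then the logout part we ignore.
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>system boot|\S+)\s+(?P<addr>\S+)\s+"
    r"(?P<dow>\S{3}) (?P<mon>\S{3})\s+(?P<day>\d{1,2}) (?P<hm>\d{2}:\d{2})"
)
ACCEPTED_RE = re.compile(
    r"^(?P<mon>\S{3})\s+(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<addr>\S+) port \d+"
)


def _stamp(mon, day, clock, year):
    """Build a datetime from 'Feb 24 16:51' or 'Feb 24 16:51:07' pieces."""
    fmt = "%Y %b %d %H:%M:%S" if clock.count(":") == 2 else "%Y %b %d %H:%M"
    return datetime.strptime(f"{year} {mon} {day} {clock}", fmt)


def parse_last(text, year=YEAR):
    recs = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if not m:
            continue  # blank line or the 'wtmp begins ...' trailer
        recs.append({"user": m["user"], "tty": m["tty"], "addr": m["addr"],
                     "login": _stamp(m["mon"], m["day"], m["hm"], year)})
    return recs


def parse_accepted(text, year=YEAR):
    recs = []
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # cron sessions, failures, etc. are not ssh logins
        addr = m["addr"]
        if addr.startswith("::ffff:"):
            addr = addr[len("::ffff:"):]  # IPv4-mapped form sshd logs here
        recs.append({"user": m["user"], "addr": addr, "method": m["method"],
                     "when": _stamp(m["mon"], m["day"], m["hms"], year)})
    return recs


def unexplained_logins(last_text, secure_text, year=YEAR, window=timedelta(minutes=2)):
    """Return `last` records that no sshd 'Accepted' line accounts for."""
    accepted = parse_accepted(secure_text, year)
    used = [False] * len(accepted)
    flagged = []
    for rec in parse_last(last_text, year):
        if rec["user"] in ("reboot", "shutdown"):
            # Assumption: reboot records normally carry 0.0.0.0 under -i.
            if rec["addr"] not in ("", "0.0.0.0"):
                flagged.append({**rec, "reason": "reboot record carries a remote address"})
            continue
        best = None
        for i, acc in enumerate(accepted):
            if used[i] or acc["user"] != rec["user"] or acc["addr"] != rec["addr"]:
                continue
            gap = abs(acc["when"] - rec["login"])
            if gap <= window and (best is None or gap < best[0]):
                best = (gap, i)
        if best is None:
            flagged.append({**rec, "reason": "no sshd Accepted record"})
        else:
            used[best[1]] = True  # one sshd login explains one session
    return flagged


if __name__ == "__main__":
    for f in unexplained_logins(LAST_OUTPUT, SECURE_LOG):
        print(f"{f['login']:%b %d %H:%M} {f['user']:<6} {f['tty']:<11} {f['addr']:<15} {f['reason']}")
```

A flagged line means one of two things: the session arrived some other way (console, VNC, a backdoor), or the wtmp record itself is bogus. The .0 addresses in the thread, which have no Accepted line at all and appear only when KDE or VNC starts, fit the second case, and that is what the thread ends up concluding; `last` simply prints whatever address field the wtmp record contains.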
02-25-2006, 01:11 AM, #36 | Member, Registered: Dec 2005, Distribution: CentOS 5.8, Posts: 34, Original Poster
Why can't I see anything here:
Feb 24 16:30:01 xxxx crond(pam_unix)[2428]: session opened for user root by (uid=0)
Feb 24 16:30:01 xxxx crond(pam_unix)[2429]: session opened for user root by (uid=0)
Feb 24 16:30:01 xxxx crond(pam_unix)[2429]: session closed for user root
Feb 24 16:30:01 xxxx crond(pam_unix)[2428]: session closed for user root
Feb 24 16:32:47 xxxx iptables: succeeded
Feb 24 16:35:01 xxxx crond(pam_unix)[2681]: session opened for user root by (uid=0)
Feb 24 16:35:01 xxxx crond(pam_unix)[2680]: session opened for user root by (uid=0)
Feb 24 16:35:02 xxxx crond(pam_unix)[2681]: session closed for user root
Feb 24 16:35:02 xxxx crond(pam_unix)[2680]: session closed for user root
Feb 24 16:40:01 xxxx crond(pam_unix)[2861]: session opened for user root by (uid=0)
Feb 24 16:40:01 xxxx crond(pam_unix)[2862]: session opened for user root by (uid=0)
Feb 24 16:40:01 xxxx crond(pam_unix)[2862]: session closed for user root
Feb 24 16:40:02 xxxx crond(pam_unix)[2861]: session closed for user root
Feb 24 16:45:01 xxxx crond(pam_unix)[2956]: session opened for user root by (uid=0)
Feb 24 16:45:01 xxxx crond(pam_unix)[2957]: session opened for user root by (uid=0)
Feb 24 16:45:01 xxxx crond(pam_unix)[2957]: session closed for user root
Feb 24 16:45:01 xxxx crond(pam_unix)[2956]: session closed for user root
Feb 24 16:47:10 xxxx gconfd (root-3142): starting (version 2.8.1), pid 3142 user 'root'
Feb 24 16:47:10 xxxx gconfd (root-3142): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Feb 24 16:47:10 xxxx gconfd (root-3142): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 1
Feb 24 16:47:10 xxxx gconfd (root-3142): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Feb 24 16:47:53 xxxx gconfd (root-3142): Received signal 15, shutting down cleanly
Feb 24 16:47:53 xxxx gconfd (root-3142): Exiting
Feb 24 16:48:07 xxxx gconfd (root-3290): starting (version 2.8.1), pid 3290 user 'root'
Feb 24 16:48:07 xxxx gconfd (root-3290): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Feb 24 16:48:07 xxxx gconfd (root-3290): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 1
Feb 24 16:48:07 xxxx gconfd (root-3290): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
02-25-2006, 01:25 AM, #37 | Senior Member, Registered: Dec 2005, Location: Brisbane, Australia, Distribution: Slackware64 14.0, Posts: 4,141
Sorry to just jump in at the end...
But I'm surprised the entries showing the accepted passwords are still there. It would have been smarter for an intruder to modify your logs and install binaries that don't log. You can set up ssh so that root can't login directly and to only use keys instead of passwords. I use the following in my /etc/ssh/sshd_config file (there are plenty of other examples around on the web):
Code:
Protocol 2
PermitRootLogin no
PasswordAuthentication no
Subsystem sftp /usr/libexec/sftp-server
All my other settings are at the default value, so I'd recommend you do searches in case you have requirements beyond these.
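An added check to go with that config (example code, not from the post and not OpenSSH's own): sshd_config keywords are case-insensitive, and for each keyword sshd uses the first value it obtains, so a hardening line appended below an earlier `PermitRootLogin yes` changes nothing, and a `Match` block can re-enable a setting for the connections it matches. The script below parses a config text with those rules and reports the three settings from the post. The sample configs are constructed; the defaults table is assumed to match OpenSSH of the thread's era (4.x), where PermitRootLogin and Protocol defaulted to `yes` and `2,1`, as both defaults changed in later releases.

```python
"""Audit sshd_config for the three settings recommended in the post."""
import re

# Constructed samples: a mostly-default config, and the hardened lines from
# the post followed by a stray duplicate that sshd ignores (first value wins).
WEAK_CONFIG = """\
#Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
"""

HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
Subsystem sftp /usr/libexec/sftp-server
PermitRootLogin yes
"""

# Assumed compiled-in defaults for OpenSSH of the thread's era (4.x);
# later releases changed PermitRootLogin and Protocol.
DEFAULTS = {"protocol": "2,1", "permitrootlogin": "yes", "passwordauthentication": "yes"}
WANTED = {"protocol": "2", "permitrootlogin": "no", "passwordauthentication": "no"}

# keyword, then '=' or whitespace, then the rest of the line as the value
KEYVAL_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*?)\s*$")


def effective_globals(config_text):
    """Map lower-cased keyword -> the value sshd would use in global scope.

    First occurrence wins, as in sshd. Parsing stops at the first Match
    line: everything after it is conditional and can override the globals
    for the connections it matches, so it is reported separately.
    Returns (values, saw_match).
    """
    values = {}
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = KEYVAL_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if key == "match":
            return values, True
        values.setdefault(key, val)
    return values, False


def audit(config_text):
    """Return (keyword, effective value, note) for each setting that is not
    at the wanted value, plus one entry if Match blocks exist."""
    values, has_match = effective_globals(config_text)
    findings = []
    for key, wanted in WANTED.items():
        if key in values:
            actual, note = values[key], "set in file"
        else:
            actual, note = DEFAULTS[key], "compiled-in default (assumed)"
        if actual.lower() != wanted:
            findings.append((key, actual, note))
    if has_match:
        findings.append(("match", "present", "check Match blocks do not re-enable weak settings"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(text) or "OK")
```

Run it on a real file with `audit(open("/etc/ssh/sshd_config").read())`. On later OpenSSH releases `sshd -T` prints the effective values directly and is the better source of truth. After editing, reload sshd but keep the existing session open until a fresh key-based login is confirmed to work, or `PasswordAuthentication no` combined with a missing key locks you out of the box.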
02-25-2006, 01:29 AM, #38 | Member, Registered: Dec 2005, Distribution: CentOS 5.8, Posts: 34, Original Poster
Quote:
Originally Posted by nx5000
What session manager are you using? xdm/gdm/..?
I have KDE.
Quote:
Originally Posted by nx5000
What Xserver are you using? Xfree/Xorg, which version?
I don't know! How can I know? I have both on my system, but I don't know which one I'm using. I don't really use the graphical interface. I just set up a vncserver and made a few tests with Firefox. The system is running at init level 3; I guess the X server or the session manager is not even loaded, maybe only when I connect with VNC.
Quote:
Originally Posted by nx5000
What terminal are you using? xterm/..?
I don't know! How can I know? I have xterm on my system...
Quote:
Originally Posted by nx5000
Which libc exact version are you using?
I don't know! How can I find out? I made a complete system update with yum right after the installation.
Is this one?
Code:
rpm -qa glibc
glibc-2.3.4-2.13
Quote:
Originally Posted by nx5000
What gives last -o?
See above.
Last edited by istvank; 02-25-2006 at 01:33 AM.
02-25-2006, 02:14 AM, #39 | Member, Registered: Dec 2005, Distribution: CentOS 5.8, Posts: 34, Original Poster
HAHA! I killed KDE:
Code:
dcop --all-users ksmserver ksmserver logout 0 2 0
and look at last -i:
root pts/5 82.77.43.66 Sat Feb 25 08:03 still logged in
root pts/0 82.77.43.66 Sat Feb 25 07:46 still logged in
root pts/3 82.77.43.66 Fri Feb 24 19:30 - 19:49 (00:18)
root pts/0 82.77.43.66 Fri Feb 24 19:14 - 21:27 (02:13)
root pts/0 82.77.42.244 Fri Feb 24 18:37 - 19:13 (00:35)
root pts/4 164.71.0.0 Fri Feb 24 16:51 gone - no logout(hostile IP)
root pts/3 43.52.7.0 Fri Feb 24 16:50 - 16:52 (00:01)(hostile IP)
root pts/4 154.255.2.0 Fri Feb 24 16:48 - 16:51 (00:02)(hostile IP)
root pts/3 86.202.10.0 Fri Feb 24 16:48 - 16:49 (00:01)(hostile IP)
root pts/4 21.111.8.0 Fri Feb 24 16:47 - 16:48 (00:01)(hostile IP)
Comments?
Last edited by istvank; 02-28-2006 at 12:52 AM.
02-25-2006, 04:51 AM, #40 | Member, Registered: Dec 2005, Distribution: CentOS 5.8, Posts: 34, Original Poster
And now I rebooted and started a VNC connection, et voilà:
root pts/2 187.55.12.0 Sat Feb 25 11:43 still logged in(hostile IP)
root pts/1 77.176.7.0 Sat Feb 25 11:43 - 11:43 (00:00)(hostile IP)
root pts/0 82.77.43.66 Sat Feb 25 11:40 still logged in
reboot system boot 218.192.12.0 Sat Feb 25 09:57 (01:47)
So, as nx5000 said, it's pretty sure that this is not a security problem. It's something related to KDE or VNC.
Last edited by istvank; 02-28-2006 at 12:52 AM.
02-27-2006, 07:19 AM, #41 | Senior Member, Registered: Sep 2005, Location: Out, Posts: 3,307
Lots of IPs to read, I'm a bit lost: which ones are in Romania, which ones are in Korea...?
Have you found the problematic app?
02-27-2006, 09:58 AM, #42 | LQ Newbie, Registered: Feb 2006, Posts: 2
root pts/1 209.122.4.0 Fri Feb 10 10:27 - 10:27 (00:00) (unknown IP)
-------------------------------------------
You can get a .0 address, for example, if you have a network that merges over typical logical sets.
For example - Network 192.168.1.0/23, host range: 1.1 - 2.254
This could explain the .0, though these are not common since most people typically logically block their networks.
02-28-2006, 12:56 AM, #43 | Member, Registered: Dec 2005, Distribution: CentOS 5.8, Posts: 34, Original Poster
Quote:
Originally Posted by nx5000
Lots of IPs to read, I'm a bit lost: which ones are in Romania, which ones are in Korea...?
Have you found the problematic app?
Yes, I found the problematic application. When KDE or VNC is launched, a bunch of hostile IPs will show up in the last -i command. One of the hostile IPs will show "still logged in" until I shut down KDE completely.
What do you think, folks?
This scenario makes me think that my server was OK even before the reinstallation. The root password change before the reinstallation seemed to solve the problem, because the rest of the hostile connections were generated by KDE.
Last edited by istvank; 02-28-2006 at 12:59 AM.
02-28-2006, 06:25 PM, #44 | Senior Member, Registered: Mar 2003, Distribution: Fedora, Posts: 3,658
Quote:
What do you think, folks?
The only way you can really be sure is by installing that version of CentOS on a test box with no network connections at all. You don't need to rebuild the server, just throw it on any box you have available. Just make sure that it doesn't have any network connections at all. If IPs start appearing any time you start KDE or VNC, *then* you can be absolutely sure.
This does sound very similar to the bug that appeared in Red Hat/Fedora/Mandrake/SuSE. However, it does appear to be slightly different, especially with it occurring with VNC. Here are the bug reports for that older bug (which has been fixed in those distros):
https://bugzilla.redhat.com/bugzilla...g.cgi?id=82540
https://bugzilla.redhat.com/bugzilla...g.cgi?id=98659
http://www.linuxquestions.org/questi...573#post830573
All times are GMT -5.