JELO
December 12th, 2006, 01:43 PM
Hello all,
I'm currently running an Ubuntu 6.06 server on a DMZ via IPCOP. I check my logs periodically, every few days, mainly the auth.log found in /var/logs, since I don't actually have a webpage up right now. Anywho, I do have an ssh server set up on this box. I've been finding several attempts, looking like bots or scripts, trying several different user names. However, I found something suspicious in my log today. I'm still pretty new to this, but it seems odd, like someone got in. Usually when I find a script-looking deal I add the IP address to the hosts.deny file. I guess there's probably a better way to do this though? Anywho, on to business; here's the odd thing I found.
uid=0)
Dec 11 06:25:02 ubuntu su[22453]: + ??? root:nobody
Dec 11 06:25:02 ubuntu su[22453]: (pam_unix) session opened for user nobody by (uid=0)
Dec 11 06:25:02 ubuntu su[22453]: (pam_unix) session closed for user nobody
Dec 11 06:25:02 ubuntu su[22457]: + ??? root:nobody
Dec 11 06:25:02 ubuntu su[22457]: (pam_unix) session opened for user nobody by (uid=0)
Dec 11 06:25:02 ubuntu su[22457]: (pam_unix) session closed for user nobody
Dec 11 06:25:02 ubuntu su[22459]: + ??? root:nobody
Dec 11 06:25:02 ubuntu su[22459]: (pam_unix) session opened for user nobody by (uid=0)
last and lastlog commands show nothing strange. However, it seems that the finger and whois commands have been uninstalled. It is a server install, but I would think they would be installed. Also, there is this odd cron job running every hour, it seems. Here are just a couple of examples:
Dec 11 09:17:02 ubuntu CRON[22530]: (pam_unix) session closed for user root
Dec 11 10:17:01 ubuntu CRON[22532]: (pam_unix) session opened for user root by (uid=0)
Dec 11 10:17:01 ubuntu CRON[22532]: (pam_unix) session closed for user root
Dec 11 11:17:01 ubuntu CRON[22534]: (pam_unix) session opened for user root by (uid=0)
Thanks
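Added example, not part of the post or any reply: a small Python triage script run over constructed lines modelled on the excerpt above. It splits each auth.log line into syslog fields, flags su invocations whose tty field is `???` (su run without a controlling terminal, which is how a scheduled job or daemon invokes it rather than an interactive login), collects CRON root session openings so the gap between them can be checked for a fixed period, and counts sshd invalid-user attempts. The sshd line with the 192.0.2.10 address, the regexes and the function names are assumptions for the example, not anything taken from the thread.

```python
import re
from datetime import datetime

# Constructed sample modelled on the lines quoted in the post; the sshd line is
# an added, made-up bot attempt (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
Dec 11 06:25:02 ubuntu su[22453]: + ??? root:nobody
Dec 11 06:25:02 ubuntu su[22453]: (pam_unix) session opened for user nobody by (uid=0)
Dec 11 06:25:02 ubuntu su[22453]: (pam_unix) session closed for user nobody
Dec 11 06:25:02 ubuntu su[22457]: + ??? root:nobody
Dec 11 06:25:02 ubuntu su[22457]: (pam_unix) session opened for user nobody by (uid=0)
Dec 11 06:25:02 ubuntu su[22457]: (pam_unix) session closed for user nobody
Dec 11 09:17:02 ubuntu CRON[22530]: (pam_unix) session closed for user root
Dec 11 10:17:01 ubuntu CRON[22532]: (pam_unix) session opened for user root by (uid=0)
Dec 11 10:17:01 ubuntu CRON[22532]: (pam_unix) session closed for user root
Dec 11 11:17:01 ubuntu CRON[22534]: (pam_unix) session opened for user root by (uid=0)
Dec 11 14:03:11 ubuntu sshd[22601]: Invalid user admin from 192.0.2.10
"""

# Classic syslog layout: "Mon dd HH:MM:SS host prog[pid]: message" (no year).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# su's own log line: "<+|-> <tty> <from>:<to>"; tty is "???" when su had no terminal.
SU_RE = re.compile(r"^(?P<ok>[+-]) (?P<tty>\S+) (?P<from>[^:]+):(?P<to>\S+)$")
SESSION_RE = re.compile(
    r"session (?P<action>opened|closed) for user (?P<user>\S+)(?: by \(uid=(?P<uid>\d+)\))?"
)


def parse_line(line):
    """Return the syslog fields of one line as a dict, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Year defaults to 1900; only differences between timestamps are used here.
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def analyze(text):
    """Group the events a reviewer would want to look at first."""
    findings = {"su_no_tty": [], "cron_root_opened": [], "ssh_invalid_user": []}
    for rec in filter(None, (parse_line(l) for l in text.splitlines())):
        if rec["prog"] == "su":
            s = SU_RE.match(rec["msg"])
            if s and s.group("tty") == "???":
                findings["su_no_tty"].append(
                    (rec["ts"].strftime("%b %d %H:%M:%S"), rec["pid"], s.group("from"), s.group("to"))
                )
        elif rec["prog"] == "CRON":
            s = SESSION_RE.search(rec["msg"])
            if s and s.group("action") == "opened" and s.group("user") == "root":
                findings["cron_root_opened"].append(rec["ts"])
        elif rec["prog"] == "sshd" and rec["msg"].startswith("Invalid user"):
            findings["ssh_invalid_user"].append(rec["msg"])
    return findings


def cron_intervals_minutes(timestamps):
    """Minutes between consecutive CRON root sessions; a constant value means a fixed schedule."""
    ts = sorted(timestamps)
    return [int((b - a).total_seconds() // 60) for a, b in zip(ts, ts[1:])]


if __name__ == "__main__":
    f = analyze(SAMPLE_LOG)
    for when, pid, src, dst in f["su_no_tty"]:
        print(f"{when} su[{pid}] without a tty: {src} -> {dst}")
    print("CRON root session gaps (min):", cron_intervals_minutes(f["cron_root_opened"]))
    print("sshd invalid-user attempts:", len(f["ssh_invalid_user"]))
```

With the sample above the script reports two su switches from root to nobody with no terminal and a 60-minute gap between the CRON root sessions, which is the pattern a root cron entry that runs something as nobody would leave; the place to confirm that is the root crontab and the /etc/cron.* directories, comparing what is scheduled against the packages you installed.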