Hi there,
If root is disabled by default, how is it possible that someone managed to SSH into my computer using root? I never enable/set password for root, it's always left as the default as per a fresh install and I always use sudo for any admin tasks.
Auth.log
First there are a whole load of failed attempts then...
Code:
Nov 8 11:07:32 Morris-Desktop sshd[3601]: Failed password for root from 94.243.50.53 port 4360 ssh2
Nov 8 11:07:38 Morris-Desktop sshd[3603]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=94.243.50.53 user=root
Nov 8 11:07:40 Morris-Desktop sshd[3603]: Failed password for root from 94.243.50.53 port 1546 ssh2
Nov 8 11:07:47 Morris-Desktop sshd[3605]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=94.243.50.53 user=root
Nov 8 11:07:49 Morris-Desktop sshd[3605]: Failed password for root from 94.243.50.53 port 2097 ssh2
Nov 8 11:07:56 Morris-Desktop sshd[3607]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=94.243.50.53 user=root
Nov 8 11:07:58 Morris-Desktop sshd[3607]: Failed password for root from 94.243.50.53 port 2679 ssh2
Nov 8 11:08:04 Morris-Desktop sshd[3609]: pam_sm_authenticate: Called
Nov 8 11:08:04 Morris-Desktop sshd[3609]: pam_sm_authenticate: username = [root]
Nov 8 11:08:04 Morris-Desktop sshd[3609]: Accepted password for root from 94.243.50.53 port 3243 ssh2
Nov 8 11:08:04 Morris-Desktop sshd[3609]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 8 11:08:06 Morris-Desktop sshd[3609]: Received disconnect from 94.243.50.53: 11: Goodbye
Nov 8 11:08:06 Morris-Desktop sshd[3609]: pam_unix(sshd:session): session closed for user root
Then nothing for a couple of days until...
Code:
Nov 10 15:57:49 Morris-Desktop sshd[6244]: Failed password for invalid user oracle from 78.111.99.76 port 55081 ssh2
Nov 10 15:57:50 Morris-Desktop sshd[6246]: Address 78.111.99.76 maps to host-78-111-99-76.teklan.com.tr, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 10 15:57:50 Morris-Desktop sshd[6246]: Invalid user test from 78.111.99.76
Nov 10 15:57:50 Morris-Desktop sshd[6246]: pam_unix(sshd:auth): check pass; user unknown
Nov 10 15:57:50 Morris-Desktop sshd[6246]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=78.111.99.76
Nov 10 15:57:52 Morris-Desktop sshd[6246]: Failed password for invalid user test from 78.111.99.76 port 55723 ssh2
Nov 10 15:57:52 Morris-Desktop sshd[6126]: pam_unix(sshd:session): session closed for user root
Nov 10 16:01:17 Morris-Desktop sshd[6250]: Address 83.43.17.244 maps to 244.red-83-43-17.dynamicip.rima-tde.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 10 16:01:18 Morris-Desktop sshd[6250]: pam_sm_authenticate: Called
Nov 10 16:01:18 Morris-Desktop sshd[6250]: pam_sm_authenticate: username = [root]
Nov 10 16:01:18 Morris-Desktop sshd[6250]: Accepted password for root from 83.43.17.244 port 3208 ssh2
Nov 10 16:01:18 Morris-Desktop sshd[6250]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 10 16:03:51 Morris-Desktop groupadd[6352]: group added to /etc/group: name=httpd, GID=1000
Nov 10 16:03:51 Morris-Desktop groupadd[6352]: group added to /etc/gshadow: name=httpd
Nov 10 16:03:51 Morris-Desktop groupadd[6352]: new group: name=httpd, GID=1000
Nov 10 16:03:51 Morris-Desktop useradd[6357]: new user: name=httpd, UID=1000, GID=1000, home=/home/httpd, shell=/bin/bash
Nov 10 16:03:52 Morris-Desktop passwd[6364]: eCryptfs PAM passphrase change module retrieved a NULL passphrase; nothing to do
Nov 10 16:04:01 Morris-Desktop passwd[6364]: pam_unix(passwd:chauthtok): password changed for httpd
Nov 10 16:04:01 Morris-Desktop passwd[6364]: gkr-pam: couldn't update the login keyring password: no old password was entered
Nov 10 16:04:01 Morris-Desktop passwd[6364]: Error attempting to parse .ecryptfsrc file; rc = [-13]
Nov 10 16:04:01 Morris-Desktop passwd[6364]: Passphrase file wrapped
Nov 10 16:04:01 Morris-Desktop passwd[6364]: eCryptfs PAM passphrase change module retrieved at least one NULL passphrase; nothing to do
Nov 10 16:04:03 Morris-Desktop chfn[6365]: changed user 'httpd' information
Nov 10 16:04:10 Morris-Desktop sshd[6369]: Address 83.43.17.244 maps to 244.red-83-43-17.dynamicip.rima-tde.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 10 16:04:13 Morris-Desktop sshd[6369]: pam_sm_authenticate: Called
Nov 10 16:04:13 Morris-Desktop sshd[6369]: pam_sm_authenticate: username = [httpd]
Nov 10 16:04:13 Morris-Desktop sshd[6369]: Accepted password for httpd from 83.43.17.244 port 3215 ssh2
Nov 10 16:04:13 Morris-Desktop sshd[6369]: pam_unix(sshd:session): session opened for user httpd by (uid=0)
Nov 10 16:06:01 Morris-Desktop CRON[6488]: pam_unix(cron:session): session opened for user httpd by (uid=0)
So what they did was create a new user (httpd) with admin privileges and create a cron job under that user which runs a script to bounce things using muh to an IRC server in Hungary.
If they hadn't been silly enough to use a UID in the range that appears on the GDM login screen, I wouldn't have caught them.
But what's really bugging me is how they dictionary hacked into a supposedly disabled root account?
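The pattern in the log above (a run of failed root passwords followed by an "Accepted password for root", then a useradd shortly after) can be flagged automatically. This is an added detection example, not code from the poster; it runs over constructed sample lines modelled on the post's auth.log, with documentation-range IPs standing in for the real ones.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the post's auth.log (not a copy of it).
SAMPLE_LOG = """\
Nov 8 11:07:32 host sshd[3601]: Failed password for root from 203.0.113.5 port 4360 ssh2
Nov 8 11:07:40 host sshd[3603]: Failed password for root from 203.0.113.5 port 1546 ssh2
Nov 8 11:07:49 host sshd[3605]: Failed password for root from 203.0.113.5 port 2097 ssh2
Nov 8 11:08:04 host sshd[3609]: Accepted password for root from 203.0.113.5 port 3243 ssh2
Nov 10 16:01:18 host sshd[6250]: Accepted password for root from 198.51.100.7 port 3208 ssh2
Nov 10 16:03:51 host useradd[6357]: new user: name=httpd, UID=1000, GID=1000, home=/home/httpd, shell=/bin/bash
Nov 10 16:04:13 host sshd[6369]: Accepted password for httpd from 198.51.100.7 port 3215 ssh2
"""

# sshd password outcomes; "invalid user" is optional so failed guesses at unknown names match too.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port"
)
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(\S+?),")


def find_alerts(log_text, fail_threshold=3):
    """Return (kind, detail) alerts for the three things the post shows:
    any password login as root, a success from a host that just failed
    fail_threshold or more times, and a user created after a root login."""
    failures = defaultdict(int)   # consecutive failures per source host
    root_logged_in = False
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            outcome, user, host = m.groups()
            if outcome == "Failed":
                failures[host] += 1
                continue
            if user == "root":
                alerts.append(("root_password_login", host))
                root_logged_in = True
            if failures[host] >= fail_threshold:
                alerts.append(("bruteforce_success",
                               f"{user}@{host} after {failures[host]} failures"))
            failures[host] = 0        # a success ends the guessing run
            continue
        m = USERADD_RE.search(line)
        if m and root_logged_in:
            alerts.append(("user_created_after_root_login", m.group(1)))
    return alerts
```

Any "root_password_login" alert on a host where root is meant to be disabled means sshd's PermitRootLogin and the root password state need checking, independent of what the cron job turned out to be.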