Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: Looking into possible break-ins

  1. #1
    Join Date
    Dec 2013
    Beans
    11

    Lightbulb Looking into possible break-ins

    Hello,
    Need help on looking into possible break in.
    Code:
    $ lastlog 
    Username         Port     From             Latest
    root             pts/0    ***    Sat Feb  2 02:42:37 +0400 2013
    ...
    Searching the auth.log for the IP address and the timestamp did not give any results..
    Any leads on how to proceed?

    Thanks.

  2. #2
    Join Date
    Jun 2011
    Location
    United Kingdom
    Beans
    130
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Looking into possible break-ins

    Try
    Code:
    last -i | grep root
    What services are you running? e.g. SSH
    Please ask Google, check the man pages, and search the forum before creating new threads; that may help you narrow down/solve the issue.
    If your issue is solved please use the Thread Tools menu above your original post to mark it as such.

  3. #3
    Join Date
    Dec 2013
    Beans
    11

    Re: Looking into possible break-ins

    Hi,
    Sorry forgot to mention..
    last -i
    also does not show a root entry at all..
    Looks like the logs on that were cleared or something..

    Services in use are SSH, Apache, and MySQL (accessible only from localhost),
    i.e. a very basic web server setup...

    Thanks.

  4. #4
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Looking into possible break-ins

    If you are running a default Ubuntu Server installation, the root account isn't enabled, so you won't see any entries for root in the logs. It also depends on how your server is connected to the internet, if any of the services are open to the world, you may see attempted root logins in auth.log, but you haven't given us enough information to really answer your question.

  5. #5
    Join Date
    Dec 2013
    Beans
    11

    Re: Looking into possible break-ins

    The machine is connected to the Internet, and is being used as simple web server..
    It's not a default installation. The root login was enabled, and it was enabled for SSH as well (disabled now).
    I do see a lot of login attempts for the root user in the auth.log (which is a "normal" thing I believe with
    so many bots and alike running automated). But the strange thing is that I did not find anything related
    to the login that I see in the lastlog (searching the auth.log for the timestamp and the IP address from
    lastlog did not yield any results).
    What other logs can I possibly look into? And is it possible to check if the log file was manually altered?

    Thanks.

  6. #6
    Join Date
    Jun 2011
    Location
    United Kingdom
    Beans
    130
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Looking into possible break-ins

    If you have an entry for root in lastlog, the root account was enabled, root login was enabled for SSH at that time, and it definitely wasn't you; then I would assume someone gained unauthorized access.
    Please ask Google, check the man pages, and search the forum before creating new threads; that may help you narrow down/solve the issue.
    If your issue is solved please use the Thread Tools menu above your original post to mark it as such.

  7. #7
    Join Date
    Jan 2009
    Beans
    Hidden!
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Looking into possible break-ins

    Do you use password authentication for ssh?

  8. #8
    Join Date
    Nov 2013
    Location
    On the edge
    Beans
    744
    Distro
    Ubuntu

    Re: Looking into possible break-ins

    Quote Originally Posted by ubudog View Post
    Do you use password authentication for ssh?
    Good question.

    Look at all your auth logs and sys logs. Make sure you can find logs for the timeframe you're concerned about. If you're missing chunks of time in logs then that's a pretty good indicator of compromise.
    "If somebody thinks they're a hedgehog, presumably you just give 'em a mirror and a few pictures of hedgehogs and tell them to sort it out for themselves."
    Douglas Adams

  9. #9
    Join Date
    Dec 2013
    Beans
    11

    Re: Looking into possible break-ins

    Yes, password authentication is used for ssh. Will have to change that to use keys (good lesson)..
    I'm not sure how check if the logs were tampered.. But I do not see the timestamp for the login in
    question..
    Could someone possibly point out a good tutorial/how-to on practices/procedures for investigation
    of such cases.

    Thanks.

  10. #10
    Join Date
    Feb 2008
    Location
    Pelican Bay Correctional
    Beans
    Hidden!

    Re: Looking into possible break-ins

    Have a look/read over at https://www.linuxquestions.org/quest...erences-45261/ for some excellent references by a very skilled Linux exploit enthusiast.
    I've heard he's a "developer" or coder for one for the more popular exploits "kits" on the Linux platform, and I'll leave it at that.
    Last edited by Habitual; February 15th, 2014 at 02:48 PM.
    I have 3 brain cells left, and two of them have restraining orders.
    Linux is just "DOS on 'steroids"

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •