First Cup of Ubuntu
Looking into possible break-ins
Hello,
Need help on looking into possible break in.
Searching the auth.log for the IP address and the timestamp did not give any results..Code:$ lastlog Username Port From Latest root pts/0 *** Sat Feb 2 02:42:37 +0400 2013 ...
Any leads on how to proceed?
Thanks.
Gee! These Aren't Roasted!
Try
What services are you running? e.g. SSHCode:last -i | grep root
Please ask Google, check the man pages, and search the forum before creating new threads; that may help you narrow down/solve the issue.
If your issue is solved please use the Thread Tools menu above your original post to mark it as such.
First Cup of Ubuntu
Hi,
Sorry forgot to mention..
also does not show a root entry at all..last -i
Looks like the logs on that were cleared or something..
Services in use are SSH, Apache, and MySQL (accessible only from localhost),
i.e. a very basic web server setup...
Thanks.
Caffeine Fueled
If you are running a default Ubuntu Server installation, the root account isn't enabled, so you won't see any entries for root in the logs. It also depends on how your server is connected to the internet, if any of the services are open to the world, you may see attempted root logins in auth.log, but you haven't given us enough information to really answer your question.
First Cup of Ubuntu
The machine is connected to the Internet, and is being used as simple web server..
It's not a default installation. The root login was enabled, and it was enabled for SSH as well (disabled now).
I do see a lot of login attempts for the root user in the auth.log (which is a "normal" thing I believe with
so many bots and alike running automated). But the strange thing is that I did not find anything related
to the login that I see in the lastlog (searching the auth.log for the timestamp and the IP address from
lastlog did not yield any results).
What other logs can I possibly look into? And is it possible to check if the log file was manually altered?
Thanks.
Gee! These Aren't Roasted!
If you have an entry for root in lastlog, the root account was enabled, root login was enabled for SSH at that time, and it definitely wasn't you; then I would assume someone gained unauthorized access.
Please ask Google, check the man pages, and search the forum before creating new threads; that may help you narrow down/solve the issue.
If your issue is solved please use the Thread Tools menu above your original post to mark it as such.
Ubuntu Member
Do you use password authentication for ssh?
Grande Half-n-Half Cinnamon Ubuntu
Good question.Originally Posted by ubudog
Look at all your auth logs and sys logs. Make sure you can find logs for the timeframe you're concerned about. If you're missing chunks of time in logs then that's a pretty good indicator of compromise.
Knock knock.
Race condition.
Who's there?
First Cup of Ubuntu
Yes, password authentication is used for ssh. Will have to change that to use keys (good lesson)..
I'm not sure how check if the logs were tampered.. But I do not see the timestamp for the login in
question..
Could someone possibly point out a good tutorial/how-to on practices/procedures for investigation
of such cases.
Thanks.
Geek
Have a look/read over at https://www.linuxquestions.org/quest...erences-45261/ for some excellent references by a very skilled Linux exploit enthusiast.
I've heard he's a "developer" or coder for one for the more popular exploits "kits" on the Linux platform, and I'll leave it at that.
Last edited by Habitual; February 15th, 2014 at 02:48 PM.
Windows assumes the user is an idiot.
Linux demands proof.
Posting Permissions
Adv Reply
Bookmarks