Re: I've been hacked - they got root!

I can see authentication in the messages file but it doesn't tell me much
else - not even the source IP. Since I access this box quite regularly
it's impossible to distinguish my logins from the third party.

I don't think I have been hacked - both my user and root passwords are
very well protected and separate from any passwords at work. I have the
latest stable packages (sshd etc). It also seems very coincidental that
these entries have appeared the day after a reboot.

Does anyone know much about how stale ssh sessions are reported by
LogWatch? I think they are being reported now that the box (more
importantly the sshd) has been reloaded and all ghost sessions have
been cleared down.

Does anyone have any similar experiences with this sort of thing?

Jeff

On Fri, 2004-01-02 at 20:09, MKlinke wrote:
> On Friday 02 January 2004 13:00, Jeff wrote:
> > Quick thought...
> >
> > I just noticed that my user account has also been used a number of
> > times from the same IP but I have been off work for 2 weeks. If
> > someone was hacking then they wouldn't log in via both a user and
> > root account on the same day, from the same IP - seems daft.
> >
> > The box had to be rebooted yesterday (power cut). Could these
> > reports in logwatch be ghost ssh sessions from when ssh sessions
> > hadn't been closed correctly (usually my shitty windows box
> > crashing). i.e. when the box rebooted, the stale sessions were
> > cleared down and only now showing up in the logs?
> >
> > I hope someone can shed a bit of light on this one.
> >
> > Jeff
> >
> > On Fri, 2004-01-02 at 18:34, Jeff wrote:
> > > Peeps
> > >
> > > Just had a look at yesterday's logwatch mail and noticed that
> > > someone has logged in as root via ssh 6 times from the IP address
> > > of the place I work. I don't think it's been done maliciously,
> > > more of a 'look what I did <laugh, laugh>'. I have looked at
> > > /var/log/secure and there's no evidence in there about it so it
> > > looks like they've covered their tracks.
> > >
> > > Does anyone know how I can find out what they did and how to
> > > prevent stuff like this happening again (yes - I've already
> > > changed the password). I've already looked at the bash history
> > > file with no luck.
> > >
> > > Thanks
> > >
> > > A slightly worried Jeff
> 
> There should also be entries in /var/log/messages for ssh logins.  As 
> to whether you might see entries for both root and your user account 
> it may depend on how he broke in.  If someone found he had access to 
> your user account he could have logged in and then used the shell 
> access to break in via root.  
> 
> Regards,  Mike Klinke
> 

