Security Incidents mailing list archives
RE: SSH Attempts: Link to RedHat?
From: "Montz, James C. (James Tower)" <JCMontz () jamestower com>
Date: Tue, 18 Dec 2001 09:29:04 -0600
Take a look at /var/log/messages /var/log/secure /root/.bash_history Keep an eye out for any gaps in log times, or statements that sylogd has been restart (other than at 4:00am) Check the /etc/passwd file for any other user accounts with UID/GID:0 Good Luck, ________________________ James C. Montz RHCE Hosting Services Engineer James Tower http://www.jamestower.com -----Original Message----- From: Gregg Sperling [mailto:gs-list () glsrms com] Sent: Monday, December 17, 2001 5:50 PM To: incidents () securityfocus com Subject: SSH Attempts: Link to RedHat? Early yesterday, I received a single connection attempt on three of my Linux-based direct connected Internet servers: Dec 16 01:56:08 srvr001 sshd2[42]: connection from "24.5.243.0" (ip address blocked to protect user) Dec 16 01:56:09 srvr001 sshd2[6969]: Local disconnected: Connection closed by remote host. Dec 16 01:56:09 srvr001 sshd2[6969]: connection lost: 'Connection closed by remote host.' Dec 16 01:56:40 srvr002 sshd2[41]: connection from "24.5.243.0" (ip address blocked to protect user) Dec 16 01:56:41 srvr002 sshd2[10007]: Local disconnected: Connection closed by remote host. Dec 16 01:56:41 srvr002 sshd2[10007]: connection lost: 'Connection closed by remote host.' Dec 16 02:02:41 srvr003 sshd2[44]: connection from "24.5.243.0" (ip address blocked to protect user) Dec 16 02:02:42 srvr003 sshd2[13440]: Local disconnected: Connection closed by remote host. Dec 16 02:02:42 srvr003 sshd2[13440]: connection lost: 'Connection closed by remote host.' I ran some diagnostic tests on the IP address listed, and found it to be a RedHat based Linux system with several ports open, including HTTP, Telnet, FTP, X11, and "others." I connected to the website connected to this server, and found somebody's personal webpage. I found their email address, and sent the owner an email. Surprisingly, I have had several pleasant exchanges with the individual who runs the server. He has offered to allow me access into his server with root access. I'd like to find out what breach, if any, caused this connection attempt. Besides checking the standard /var/log/messages log, are there any suggestions as to where I should check for possible breaches in this individual's system? Hints? Suggestions? Ideas? Thanks in advance for your time, Gregg Sperling gsperling -at- glsrms -dot- com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- SSH Attempts: Link to RedHat? Gregg Sperling (Dec 17)
- Re: SSH Attempts: Link to RedHat? John Oliver (Dec 18)
- Re: SSH Attempts: Link to RedHat? jon schatz (Dec 18)
- Re: SSH Attempts: Link to RedHat? Dave Dittrich (Dec 18)
- Re: SSH Attempts: Link to RedHat? Holger van Lengerich (paderLinx GmbH) (Dec 19)
- Re: SSH Attempts: Link to RedHat? Dave Dittrich (Dec 18)
- Re: SSH Attempts: Link to RedHat? Rodrigo Barbosa (Dec 19)
- <Possible follow-ups>
- RE: SSH Attempts: Link to RedHat? Montz, James C. (James Tower) (Dec 18)