[Unixcert] Logwatch: Found real break-in attempt
Glen Jarvis
glen at glenjarvis.com
Mon Aug 27 17:35:54 UTC 2012
In homework #4, we are asked to see what logging tools are available on our
systems. I went through a test (but somewhat production) system and installed
logwatch. There is a real break-in attempt -- and possibly a real break-in
on user puppet:
I found logwatch when reviewing these logs:
http://www.securitywarriorconsulting.com/logtools/
Running the very basic report showed me a valid break-in attempt. In fact,
because the username of puppet was used, it's possible this system is
already compromised. Reviewing this on a daily basis is obviously a good
idea! Thank you for homework #4!!!!
prompt> sudo logwatch --print
################### Logwatch 7.3.6 (05/19/07) ####################
Processing Initiated: Mon Aug 27 17:26:30 2012
Date Range Processed: yesterday
( 2012-Aug-26 )
Period is day.
Detail Level of Output: 0
Type of Output: unformatted
Logfiles for Host: glenjarvis.net
##################################################################
--------------------- SSHD Begin ------------------------
Received disconnect: 11: Bye Bye : 2656 Time(s)
**Unmatched Entries**
reverse mapping checking getaddrinfo for ip223.hichina.com [223.4.240.25] failed - POSSIBLE BREAK-IN ATTEMPT! : 35 time(s)
reverse mapping checking getaddrinfo for ev1s-216-40-253-234.theplanet.com [216.40.253.234] failed - POSSIBLE BREAK-IN ATTEMPT! : 8 time(s)
---------------------- SSHD End -------------------------
--------------------- XNTPD Begin ------------------------
Total synchronizations 2 (hosts: 2)
---------------------- XNTPD End -------------------------
--------------------- Disk Space Begin ------------------------
Filesystem Size Used Avail Use% Mounted on
/dev/xvda1 7.9G 4.4G 3.5G 56% /
---------------------- Disk Space End -------------------------
###################### Logwatch End #########################
Here's a snippet of the security log!
Aug 27 17:20:55 puppet sshd[16405]: input_userauth_request: invalid user oracle
Aug 27 17:20:56 puppet sshd[16405]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:20:58 puppet sshd[16406]: Invalid user test from 180.186.74.94
Aug 27 17:20:58 puppet sshd[16407]: input_userauth_request: invalid user test
Aug 27 17:20:58 puppet sshd[16407]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:00 puppet sshd[16408]: Invalid user test from 180.186.74.94
Aug 27 17:21:00 puppet sshd[16409]: input_userauth_request: invalid user test
Aug 27 17:21:00 puppet sshd[16409]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:02 puppet sshd[16410]: Invalid user test from 180.186.74.94
Aug 27 17:21:02 puppet sshd[16411]: input_userauth_request: invalid user test
Aug 27 17:21:02 puppet sshd[16411]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:04 puppet sshd[16412]: Invalid user test from 180.186.74.94
Aug 27 17:21:04 puppet sshd[16413]: input_userauth_request: invalid user test
Aug 27 17:21:04 puppet sshd[16413]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:06 puppet sshd[16414]: Invalid user test from 180.186.74.94
Aug 27 17:21:06 puppet sshd[16415]: input_userauth_request: invalid user test
Aug 27 17:21:07 puppet sshd[16415]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:09 puppet sshd[16416]: Invalid user test from 180.186.74.94
Aug 27 17:21:09 puppet sshd[16417]: input_userauth_request: invalid user test
Aug 27 17:21:10 puppet sshd[16417]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:12 puppet sshd[16419]: Invalid user test from 180.186.74.94
Aug 27 17:21:12 puppet sshd[16420]: input_userauth_request: invalid user test
Aug 27 17:21:12 puppet sshd[16420]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:14 puppet sshd[16421]: Invalid user test from 180.186.74.94
Aug 27 17:21:14 puppet sshd[16422]: input_userauth_request: invalid user test
Aug 27 17:21:14 puppet sshd[16422]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:16 puppet sshd[16424]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:18 puppet sshd[16426]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:20 puppet sshd[16427]: Invalid user user from 180.186.74.94
Aug 27 17:21:20 puppet sshd[16428]: input_userauth_request: invalid user user
Aug 27 17:21:21 puppet sshd[16428]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:23 puppet sshd[16429]: Invalid user user from 180.186.74.94
Aug 27 17:21:23 puppet sshd[16430]: input_userauth_request: invalid user user
Aug 27 17:21:23 puppet sshd[16430]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:25 puppet sshd[16431]: Invalid user user from 180.186.74.94
Aug 27 17:21:25 puppet sshd[16432]: input_userauth_request: invalid user user
Aug 27 17:21:25 puppet sshd[16432]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:27 puppet sshd[16434]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:30 puppet sshd[16437]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:32 puppet sshd[16439]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:34 puppet sshd[16441]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:36 puppet sshd[16443]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:38 puppet sshd[16445]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:41 puppet sshd[16447]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:43 puppet sshd[16448]: Invalid user nagios from 180.186.74.94
Aug 27 17:21:43 puppet sshd[16449]: input_userauth_request: invalid user nagios
Aug 27 17:21:43 puppet sshd[16449]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:45 puppet sshd[16450]: Invalid user nagios from 180.186.74.94
Aug 27 17:21:45 puppet sshd[16451]: input_userauth_request: invalid user nagios
Aug 27 17:21:45 puppet sshd[16451]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:50 puppet sshd[16452]: Invalid user nagios from 180.186.74.94
Aug 27 17:21:50 puppet sshd[16453]: input_userauth_request: invalid user nagios
Aug 27 17:21:59 puppet sshd[16453]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:25:45 puppet sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/usr/bin/yum install logwatch
Aug 27 17:26:26 puppet sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/usr/sbin/logwatch --print
Aug 27 17:27:46 puppet sudo: ec2-user : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/view secure
Aug 27 17:28:33 puppet sudo: ec2-user : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/view secure
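An added example of the triage that logwatch's SSHD section is summarizing (this is editor's code, not from Glen's post or the logwatch project): it parses the OpenSSH syslog messages shown above, counts invalid-user and failed-password attempts per source address, and flags any Accepted login from a source that was also hammering the port, which is the check that separates an attempt from an actual compromise. The sample lines are constructed to mirror the post's; the addresses 198.51.100.7 and 203.0.113.9, the Failed password and Accepted records, and the threshold of 5 attempts are assumptions. One caveat worth knowing: the "POSSIBLE BREAK-IN ATTEMPT" text is what OpenSSH logs when a client's reverse DNS name does not resolve back to its address. By itself it is a DNS consistency warning, so the example reports it separately and only escalates when the same address also produced authentication failures.

```python
"""Triage OpenSSH auth-log lines per source IP (added example, not the post's code)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Standard OpenSSH message formats; the first two appear in the post above.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from " + IP)
REVERSE_MAP = re.compile(r"reverse mapping checking getaddrinfo for \S+\s*\[" + IP + r"\] failed")
FAILED_PW = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from " + IP)
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from " + IP)


@dataclass
class SourceStats:
    invalid_users: list = field(default_factory=list)   # usernames that do not exist
    failed_users: list = field(default_factory=list)    # usernames with a bad password
    reverse_map_failures: int = 0                       # "POSSIBLE BREAK-IN ATTEMPT" lines
    accepted: list = field(default_factory=list)        # (auth method, user) for logins


def parse(lines):
    """Group the interesting sshd records by source address."""
    stats = defaultdict(SourceStats)
    for line in lines:
        if m := INVALID_USER.search(line):
            stats[m.group(2)].invalid_users.append(m.group(1))
        elif m := FAILED_PW.search(line):
            stats[m.group(2)].failed_users.append(m.group(1))
        elif m := REVERSE_MAP.search(line):
            stats[m.group(1)].reverse_map_failures += 1
        elif m := ACCEPTED.search(line):
            stats[m.group(3)].accepted.append((m.group(1), m.group(2)))
        # "input_userauth_request" and "Received disconnect" lines carry no
        # extra information for this triage, so they are skipped.
    return stats


def classify(s, threshold):
    attempts = len(s.invalid_users) + len(s.failed_users)
    if s.accepted and attempts >= threshold:
        return "POSSIBLE COMPROMISE: successful login after brute force"
    if attempts >= threshold:
        return "brute-force attempt"
    if s.accepted:
        return "successful login, no prior failures"
    if s.reverse_map_failures and attempts == 0:
        return "reverse DNS mismatch only; correlate before acting"
    return "low-volume failures"


def analyze(lines, threshold=5):
    """Return {ip: summary dict} for every source that produced an sshd record."""
    report = {}
    for ip, s in parse(lines).items():
        report[ip] = {
            "verdict": classify(s, threshold),
            "attempts": len(s.invalid_users) + len(s.failed_users),
            "usernames": sorted(set(s.invalid_users + s.failed_users)),
            "reverse_map_failures": s.reverse_map_failures,
            "accepted": s.accepted,
        }
    return report


# Constructed sample, modelled on the post's /var/log/secure excerpt.
SAMPLE_LOG = [
    "Aug 27 17:20:58 puppet sshd[16406]: Invalid user test from 180.186.74.94",
    "Aug 27 17:20:58 puppet sshd[16407]: input_userauth_request: invalid user test",
    "Aug 27 17:20:58 puppet sshd[16407]: Received disconnect from 180.186.74.94: 11: Bye Bye",
    "Aug 27 17:21:00 puppet sshd[16408]: Invalid user test from 180.186.74.94",
    "Aug 27 17:21:02 puppet sshd[16410]: Invalid user test from 180.186.74.94",
    "Aug 27 17:21:20 puppet sshd[16427]: Invalid user user from 180.186.74.94",
    "Aug 27 17:21:43 puppet sshd[16448]: Invalid user nagios from 180.186.74.94",
    "Aug 27 17:21:45 puppet sshd[16451]: Failed password for invalid user nagios from 180.186.74.94 port 44122 ssh2",
    "Aug 27 17:30:01 puppet sshd[16500]: reverse mapping checking getaddrinfo for ip223.hichina.com [223.4.240.25] failed - POSSIBLE BREAK-IN ATTEMPT!",
    # Assumed: a source that fails repeatedly and then gets in (documentation IP range).
    "Aug 27 18:02:10 puppet sshd[16601]: Failed password for root from 198.51.100.7 port 51000 ssh2",
    "Aug 27 18:02:13 puppet sshd[16602]: Failed password for root from 198.51.100.7 port 51002 ssh2",
    "Aug 27 18:02:16 puppet sshd[16603]: Failed password for root from 198.51.100.7 port 51004 ssh2",
    "Aug 27 18:02:19 puppet sshd[16604]: Failed password for root from 198.51.100.7 port 51006 ssh2",
    "Aug 27 18:02:22 puppet sshd[16605]: Failed password for root from 198.51.100.7 port 51008 ssh2",
    "Aug 27 18:02:30 puppet sshd[16607]: Accepted password for root from 198.51.100.7 port 51012 ssh2",
    # Assumed: the admin's own key-based login from a known address.
    "Aug 27 17:25:00 puppet sshd[16390]: Accepted publickey for ec2-user from 203.0.113.9 port 50234 ssh2",
]

if __name__ == "__main__":
    for ip, r in sorted(analyze(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["attempts"]):
        print(f"{ip:16} {r['attempts']:3} attempts users={r['usernames']} "
              f"rdns_fail={r['reverse_map_failures']} accepted={r['accepted']} -> {r['verdict']}")
```

Run it as a script to get a one-line-per-source summary; to use it on a real host, read /var/log/secure (or auth.log) into `analyze()` instead of `SAMPLE_LOG`. The threshold is deliberately low because scanners like the one in the post pace themselves at one attempt every two seconds; tune it to the host's baseline rather than leaving it at a value that only catches the noisiest sources.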