[Unixcert] Logwatch: Found real break-in attempt

Glen Jarvis glen at glenjarvis.com
Mon Aug 27 21:12:10 UTC 2012


Ah, puppet was the host name in this case, so there's no evidence of an
actual break-in from the data seen below (at least that's how I interpret
it). For fun, has anyone seen where this host that is trying to break in is
coming from?  Take a look... you may find it interesting.

I'm still rebuilding this box as it has needed a rebuild for some time now
anyhow.


Glen

On Mon, Aug 27, 2012 at 10:35 AM, Glen Jarvis <glen at glenjarvis.com> wrote:

> In homework #4, we are asked to see what logging tools are available on
> our systems. I went through a test/but-somewhat-production system and
> installed logwatch. There is a real break-in attempt -- and, possibly a
> real break-in on user puppet:
>
> I found logwatch when reviewing these logs:
>
> http://www.securitywarriorconsulting.com/logtools/
>
> Running the very basic report showed me a valid break-in attempt. In fact,
> because the username of puppet was used, it's possible this system is
> already compromised. Reviewing this on a daily basis is obviously a good
> idea! Thank you for homework #4!!!!
>
> prompt> sudo logwatch --print
>
>  ################### Logwatch 7.3.6 (05/19/07) ####################
>         Processing Initiated: Mon Aug 27 17:26:30 2012
>         Date Range Processed: yesterday
>                               ( 2012-Aug-26 )
>                               Period is day.
>       Detail Level of Output: 0
>               Type of Output: unformatted
>            Logfiles for Host: glenjarvis.net
>   ##################################################################
>
>  --------------------- SSHD Begin ------------------------
>
>  Received disconnect:
>     11: Bye Bye : 2656 Time(s)
>
>  **Unmatched Entries**
>  reverse mapping checking getaddrinfo for ip223.hichina.com[223.4.240.25] failed - POSSIBLE BREAK-IN ATTEMPT! : 35 time(s)
>  reverse mapping checking getaddrinfo for
> ev1s-216-40-253-234.theplanet.com [216.40.253.234] failed - POSSIBLE
> BREAK-IN ATTEMPT! : 8 time(s)
>
>  ---------------------- SSHD End -------------------------
>
>
>  --------------------- XNTPD Begin ------------------------
>
>
>  Total synchronizations 2 (hosts: 2)
>
>  ---------------------- XNTPD End -------------------------
>
>
>  --------------------- Disk Space Begin ------------------------
>
>  Filesystem            Size  Used Avail Use% Mounted on
>  /dev/xvda1            7.9G  4.4G  3.5G  56% /
>
>
>  ---------------------- Disk Space End -------------------------
>
>
>  ###################### Logwatch End #########################
>
>
>
>
> Here's a snippet of the security log!
>
> Aug 27 17:20:55 puppet sshd[16405]: input_userauth_request: invalid user
> oracle
> Aug 27 17:20:56 puppet sshd[16405]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:20:58 puppet sshd[16406]: Invalid user test from 180.186.74.94
> Aug 27 17:20:58 puppet sshd[16407]: input_userauth_request: invalid user
> test
> Aug 27 17:20:58 puppet sshd[16407]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:00 puppet sshd[16408]: Invalid user test from 180.186.74.94
> Aug 27 17:21:00 puppet sshd[16409]: input_userauth_request: invalid user
> test
> Aug 27 17:21:00 puppet sshd[16409]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:02 puppet sshd[16410]: Invalid user test from 180.186.74.94
> Aug 27 17:21:02 puppet sshd[16411]: input_userauth_request: invalid user
> test
> Aug 27 17:21:02 puppet sshd[16411]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:04 puppet sshd[16412]: Invalid user test from 180.186.74.94
> Aug 27 17:21:04 puppet sshd[16413]: input_userauth_request: invalid user
> test
> Aug 27 17:21:04 puppet sshd[16413]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:06 puppet sshd[16414]: Invalid user test from 180.186.74.94
> Aug 27 17:21:06 puppet sshd[16415]: input_userauth_request: invalid user
> test
> Aug 27 17:21:07 puppet sshd[16415]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:09 puppet sshd[16416]: Invalid user test from 180.186.74.94
> Aug 27 17:21:09 puppet sshd[16417]: input_userauth_request: invalid user
> test
> Aug 27 17:21:10 puppet sshd[16417]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:12 puppet sshd[16419]: Invalid user test from 180.186.74.94
> Aug 27 17:21:12 puppet sshd[16420]: input_userauth_request: invalid user
> test
> Aug 27 17:21:12 puppet sshd[16420]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:14 puppet sshd[16421]: Invalid user test from 180.186.74.94
> Aug 27 17:21:14 puppet sshd[16422]: input_userauth_request: invalid user
> test
> Aug 27 17:21:14 puppet sshd[16422]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:16 puppet sshd[16424]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:18 puppet sshd[16426]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:20 puppet sshd[16427]: Invalid user user from 180.186.74.94
> Aug 27 17:21:20 puppet sshd[16428]: input_userauth_request: invalid user
> user
> Aug 27 17:21:21 puppet sshd[16428]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:23 puppet sshd[16429]: Invalid user user from 180.186.74.94
> Aug 27 17:21:23 puppet sshd[16430]: input_userauth_request: invalid user
> user
> Aug 27 17:21:23 puppet sshd[16430]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:25 puppet sshd[16431]: Invalid user user from 180.186.74.94
> Aug 27 17:21:25 puppet sshd[16432]: input_userauth_request: invalid user
> user
> Aug 27 17:21:25 puppet sshd[16432]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:27 puppet sshd[16434]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:30 puppet sshd[16437]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:32 puppet sshd[16439]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:34 puppet sshd[16441]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:36 puppet sshd[16443]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:38 puppet sshd[16445]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:41 puppet sshd[16447]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:43 puppet sshd[16448]: Invalid user nagios from 180.186.74.94
> Aug 27 17:21:43 puppet sshd[16449]: input_userauth_request: invalid user
> nagios
> Aug 27 17:21:43 puppet sshd[16449]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:45 puppet sshd[16450]: Invalid user nagios from 180.186.74.94
> Aug 27 17:21:45 puppet sshd[16451]: input_userauth_request: invalid user
> nagios
> Aug 27 17:21:45 puppet sshd[16451]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:21:50 puppet sshd[16452]: Invalid user nagios from 180.186.74.94
> Aug 27 17:21:50 puppet sshd[16453]: input_userauth_request: invalid user
> nagios
> Aug 27 17:21:59 puppet sshd[16453]: Received disconnect from 180.186.74.94:
> 11: Bye Bye
> Aug 27 17:25:45 puppet sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ;
> USER=root ; COMMAND=/usr/bin/yum install logwatch
> Aug 27 17:26:26 puppet sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ;
> USER=root ; COMMAND=/usr/sbin/logwatch --print
> Aug 27 17:27:46 puppet sudo: ec2-user : TTY=pts/0 ; PWD=/var/log ;
> USER=root ; COMMAND=/bin/view secure
> Aug 27 17:28:33 puppet sudo: ec2-user : TTY=pts/0 ; PWD=/var/log ;
> USER=root ; COMMAND=/bin/view secure
>



-- 

"Pursue, keep up with, circle round and round your life as a dog does his
master's chase. Do what you love. Know your own bone; gnaw at it, bury it,
unearth it, and gnaw it still."

--Henry David Thoreau
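To make the conclusion in Glen's reply concrete (in a line such as `Aug 27 17:20:58 puppet sshd[16406]: Invalid user test from 180.186.74.94`, `puppet` is the syslog hostname field, not a user name, and sshd's `reverse mapping checking getaddrinfo ... POSSIBLE BREAK-IN ATTEMPT!` warning only records that the client's reverse-DNS name did not resolve back to its address), here is an added Python example that is not part of the thread, of logwatch, or of OpenSSH. It parses lines in the format of the `/var/log/secure` excerpt above, tallies invalid-user guesses and disconnects per source address, and keeps those informational DNS warnings separate from an actual accepted login, which is the event worth reconciling against the users and addresses you expect. The sample lines are constructed, modelled on the excerpt; the `Accepted publickey` line and the address 198.51.100.7 are invented for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the /var/log/secure excerpt in the thread.
# In every line "puppet" is the syslog HOSTNAME field (the machine that wrote
# the log), not a user name. The "Accepted publickey" line and the address
# 198.51.100.7 are invented for illustration.
SAMPLE_LOG = """\
Aug 27 17:20:58 puppet sshd[16406]: Invalid user test from 180.186.74.94
Aug 27 17:20:58 puppet sshd[16407]: input_userauth_request: invalid user test
Aug 27 17:20:58 puppet sshd[16407]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:00 puppet sshd[16408]: Invalid user test from 180.186.74.94
Aug 27 17:21:00 puppet sshd[16409]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:21:20 puppet sshd[16427]: Invalid user user from 180.186.74.94
Aug 27 17:21:43 puppet sshd[16448]: Invalid user nagios from 180.186.74.94
Aug 27 17:21:43 puppet sshd[16449]: Received disconnect from 180.186.74.94: 11: Bye Bye
Aug 27 17:22:01 puppet sshd[16460]: reverse mapping checking getaddrinfo for ip223.hichina.com [223.4.240.25] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 27 17:22:05 puppet sshd[16461]: Accepted publickey for ec2-user from 198.51.100.7 port 51022 ssh2
Aug 27 17:25:45 puppet sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/usr/bin/yum install logwatch
"""

# Generic syslog prefix: timestamp, hostname, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# The sshd message shapes we classify
INVALID_USER_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)$")
DISCONNECT_RE = re.compile(r"^Received disconnect from (?P<ip>[^:\s]+):")
REVERSE_MAP_RE = re.compile(
    r"^reverse mapping checking getaddrinfo for (?P<name>\S+?)\s*\[(?P<ip>[^\]]+)\] failed"
)
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_line(line):
    """Split one syslog line into its fields; None if it does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Tally sshd events per source address from raw log text."""
    invalid = defaultdict(Counter)  # source ip -> Counter of guessed user names
    disconnects = Counter()         # source ip -> "Received disconnect" count
    reverse_map = Counter()         # source ip -> reverse-DNS mismatch warnings
    accepted = []                   # (user, ip, method) for successful logins
    hosts = set()                   # values seen in the syslog HOSTNAME field
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hosts.add(rec["host"])
        if rec["prog"] != "sshd":
            continue
        msg = rec["msg"]
        # "input_userauth_request: invalid user X" is the same guess reported by
        # the unprivileged sshd child, so only the "Invalid user" line is counted.
        if m := INVALID_USER_RE.match(msg):
            invalid[m["ip"]][m["user"]] += 1
        elif m := DISCONNECT_RE.match(msg):
            disconnects[m["ip"]] += 1
        elif m := REVERSE_MAP_RE.match(msg):
            reverse_map[m["ip"]] += 1
        elif m := ACCEPTED_RE.match(msg):
            accepted.append((m["user"], m["ip"], m["method"]))
    return {
        "hosts": hosts,
        "invalid_by_ip": {ip: dict(c) for ip, c in invalid.items()},
        "disconnects": dict(disconnects),
        "reverse_map_failures": dict(reverse_map),
        "accepted_logins": accepted,
    }


def guessed_usernames(summary):
    """All user names that were tried, across every source address."""
    return {u for users in summary["invalid_by_ip"].values() for u in users}


def assess(summary, guess_threshold=3):
    """Turn the tallies into findings by what they actually mean.

    brute_force_guessing: repeated invalid-user attempts from one address.
    dns_reverse_mismatch: the 'POSSIBLE BREAK-IN ATTEMPT' warning only says the
      client's PTR name did not resolve back to its address; informational.
    successful_login: the event to reconcile against expected users/addresses.
    """
    findings = []
    for ip, users in summary["invalid_by_ip"].items():
        total = sum(users.values())
        if total >= guess_threshold:
            findings.append(("brute_force_guessing", ip, total, sorted(users)))
    for ip, n in summary["reverse_map_failures"].items():
        findings.append(("dns_reverse_mismatch", ip, n, []))
    for user, ip, method in summary["accepted_logins"]:
        findings.append(("successful_login", ip, 1, [user, method]))
    return findings


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("hosts (syslog HOSTNAME field):", s["hosts"])
    print("user names guessed:", sorted(guessed_usernames(s)))
    for kind, ip, count, detail in assess(s):
        print(f"{kind:22} {ip:16} x{count} {detail}")
```

Run against the real file with `summarize(open("/var/log/secure").read())`; the `hosts` set shows that `puppet` only ever appears as the logging host, and `guessed_usernames` shows which accounts were actually targeted, which is the distinction that separates "noisy scanner" from "account under attack".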