do these logs show a breakin?

Post by Paul Phillip » Tue, 21 Mar 2000 04:00:00

I have a RH6.1 linux box that I (literally) just finished installing a
firewall on.  The box has little running on it - no telnet, no ftp, no
web.  Only sendmail and DNS and ssh.  The DNS has been updated to the
latest on Red Hat's web site.

Here is an excerpt from /var/messages from this morning:

Mar 20 02:35:57 localhost login: FAILED LOGIN 1 FROM (null) FOR  root, User not known to the underlying authentication module
Mar 20 02:36:03 localhost PAM_pwdb[968]: (login) session opened for user root by LOGIN(uid=0)

here is an excerpt from /var/secure at the same time:

Mar 20 02:36:03 localhost login: ROOT LOGIN ON tty1

Now I was nice and asleep at this moment, and pretty sure I was not
sleepwalking.  tty1 is the console, right?  I logged in as root at the
console on May 19 (yesterday evening), and haven't logged out.

ps aux shows me logged in on tty1 as root, and logged in via ssh on
ttyp1.

Is this the system doing something?  Why does /var/messages report a
failed login, then six seconds later PAM allows it?

If you can help me interpret the meanings of these logs, I would be most
grateful.

Paul Phillips


do these logs show a breakin?

Post by Paul Phillip » Tue, 21 Mar 2000 04:00:00
sorry, folks, I sent this to the wrong newsgroup - my apologies...
> I have a RH6.1 linux box that I (literally) just finished installing a
> firewall on.  The box has little running on it - no telnet, no ftp, no
> web.  Only sendmail and DNS and ssh.  The DNS has been updated to the
> latest on Red Hat's web site.

etc..


do these logs show a breakin?

I have a RH6.1 linux box that I (literally) just finished installing a
firewall on.  The box has little running on it - no telnet, no ftp, no
web.  Only sendmail and DNS and ssh.  The DNS has been updated to the
latest on Red Hat's web site.

Here is an excerpt from /var/messages from this morning:

(note - there were no denied packets for thirty minutes prior to this)

Mar 20 02:35:57 localhost login: FAILED LOGIN 1 FROM (null) FOR  root, User not known to the underlying authentication module
Mar 20 02:36:03 localhost PAM_pwdb[968]: (login) session opened for user root by LOGIN(uid=0)

here is an excerpt from /var/secure at the same time:

Mar 20 02:36:03 localhost login: ROOT LOGIN ON tty1

Now I was nice and asleep at this moment, and pretty sure I was not
sleepwalking.  tty1 is the console, right?  I logged in as root at the
console on May 19 (yesterday evening), and haven't logged out since.

ps aux shows me logged in on tty1 as root, and logged in via ssh on
ttyp1 (from a remote computer).

"last" shows that login initiating at 2:36.  When I manually logged out
at the console, "last" reports that login, which began at 2:36, to have
been closed at the time I logged out from the console.

Is this the system doing something?  Why does /var/messages report a
failed login, then six seconds later PAM allows it?

If you can help me interpret the meanings of these logs, I would be most
grateful.

Paul Phillips
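A small triage script for the question asked in both copies of this post, added here as an example (it is not from the thread, nor a Red Hat tool). It parses the two excerpts quoted above (the "messages" and "secure" entries, with the wrapped lines rejoined as constructed sample input), merges them by timestamp, and flags two things a responder would look at first: a failed login for a user followed within a short window by a successful session for the same user, and a root login on a local tty at an hour when nobody should be at the console. The year 2000 (taken from the post date, since this syslog layout records no year), the 30-second window and the 00:00-05:59 "quiet hours" are assumptions of the example; the `FROM (null)` field is how login(1) reports a login with no remote host, i.e. one that came from a local terminal.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the two excerpts quoted in the post, with the
# line-wrapped entries rejoined into single syslog lines.
MESSAGES_LOG = """\
Mar 20 02:35:57 localhost login: FAILED LOGIN 1 FROM (null) FOR  root, User not known to the underlying authentication module
Mar 20 02:36:03 localhost PAM_pwdb[968]: (login) session opened for user root by LOGIN(uid=0)
"""
SECURE_LOG = """\
Mar 20 02:36:03 localhost login: ROOT LOGIN ON tty1
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host prog[pid]: message" (no year).
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"FAILED LOGIN (?P<count>\d+) FROM (?P<src>\S+) FOR +(?P<user>\w+)")
OPENED_RE = re.compile(r"session opened for user (?P<user>\w+) by (?P<by>\S+)")
ROOT_TTY_RE = re.compile(r"ROOT LOGIN ON (?P<tty>\S+)")


def parse_syslog(text, year):
    """Return a list of {ts, prog, msg, raw} dicts.  The caller supplies the
    year because this log format does not record one (2000 here, from the post date)."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # continuation lines or unrelated noise
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "prog": m["prog"], "msg": m["msg"], "raw": line})
    return events


def classify(event):
    """Map one event to (kind, user, detail), or None if it is not a login event."""
    msg = event["msg"]
    m = FAILED_RE.search(msg)
    if m:
        # login(1) prints "FROM (null)" when there is no remote host: a local tty.
        src = "local terminal" if m["src"] == "(null)" else m["src"]
        return ("failed", m["user"], src)
    m = OPENED_RE.search(msg)
    if m:
        return ("opened", m["user"], m["by"])
    m = ROOT_TTY_RE.search(msg)
    if m:
        return ("root_tty", "root", m["tty"])
    return None


def review_logins(events, window=timedelta(seconds=30), quiet_hours=range(0, 6)):
    """Flag (a) a failed login followed within `window` by a successful session
    for the same user, and (b) a root login on a local tty during `quiet_hours`
    (assumed here to be 00:00-05:59, when the admin says he was asleep)."""
    findings = []
    recent_failures = []  # (ts, user, source) seen so far, in time order
    for ev in sorted(events, key=lambda e: e["ts"]):  # stable sort keeps file order on ties
        c = classify(ev)
        if c is None:
            continue
        kind, user, detail = c
        if kind == "failed":
            recent_failures.append((ev["ts"], user, detail))
        elif kind == "opened":
            for fts, fuser, src in recent_failures:
                gap = ev["ts"] - fts
                if fuser == user and timedelta(0) <= gap <= window:
                    findings.append({"rule": "failed_then_success", "user": user,
                                     "source": src, "seconds": int(gap.total_seconds()),
                                     "ts": ev["ts"], "raw": ev["raw"]})
        elif kind == "root_tty" and ev["ts"].hour in quiet_hours:
            findings.append({"rule": "off_hours_root_tty", "user": user, "tty": detail,
                             "ts": ev["ts"], "raw": ev["raw"]})
    return findings


def analyse(messages_text=MESSAGES_LOG, secure_text=SECURE_LOG, year=2000):
    # Merge both files so entries for the same second can be read together.
    events = parse_syslog(messages_text, year) + parse_syslog(secure_text, year)
    return review_logins(events)


if __name__ == "__main__":
    for f in analyse():
        print(f"{f['ts']:%b %d %H:%M:%S}  {f['rule']:<22} {f['raw']}")
```

On the excerpts in the post the script reports the failed-then-successful root login six seconds apart from a local terminal, and the 02:36 root login on tty1 inside the quiet window; those two facts, together with the `last` entry that opened at 2:36 and closed when the poster logged out at the console, are what a responder would line up against the poster's own account of the evening before deciding whether the console session was his.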
