
In this article I am examining the /var/log/auth.log file for any indication of what may have happened, and when, if my server has been compromised.

Taking a look through the logs, I am not immediately seeing anything obvious. There are a TON of failed logins, probably from scripts, botnets or something similar. While I am not expecting to find clear indications of which IP logged in from where to do what, I have little else at my immediate disposal to work with, so for now, this is where I am starting.

First, I'm taking a look for all accepted logins. Here are the IPs I have found:

192.168.0.102 - internal IP, expected

192.168.0.100 - internal IP, expected

174.112.203.150 - according to ipaddress.com, this is from Rogers Cable. This would be expected

24.114.110.78 - according to ipaddress.com, this is from Rogers Cable. This would be expected

24.114.110.135 - according to ipaddress.com, this is from Rogers Cable. This would be expected

24.114.109.253 - according to ipaddress.com, this is from Rogers Cable. This would be expected

50.63.156.78 - according to ipaddress.com, this is from GoDaddy. This is NOT expected

78.47.79.193 - according to ipaddress.com, this is from Hetzner Online AG. This is NOT expected

Ok, so there are two IPs that are not expected. auth.log indicates that each of them successfully logged in only once. Here are the lines right from the log (some details changed):

Aug 11 21:53:54 Server sshd[8485]: Accepted password for user from 50.63.156.78 port 50870 ssh2

Aug 12 09:54:36 Server sshd[11234]: Accepted password for user from 78.47.79.193 port 37835 ssh2

Let's take a look at how many times these IPs have tried and failed.

50.63.156.78 - 0 failed login attempts

78.47.79.193 - 1 failed login attempt:

Aug 12 09:54:31 Server sshd[11234]: Failed password for user from 78.47.79.193 port 37835 ssh2

So I am still a bit unsure what to make of these. Are they legitimate? Are they the indication I am looking for? In my findings below, I have identified yet another login attempt from GoDaddy:

192.169.202.249 - GoDaddy.com, LLC.

Aug 14 01:39:26 MaitreDi sshd[31822]: Failed password for root from 192.169.202.249 port 36732 ssh2
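To make the two checks above (accepted logins per source address, and failed attempts per source address) repeatable, here is an added Python example; it is not part of the original post. It parses constructed sample lines written in the same format as the excerpts above, and the trusted-address list, hostnames and usernames in it are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same format as the auth.log excerpts in the post
# (hostname, users and pids are illustrative, not taken from the real server).
SAMPLE_AUTH_LOG = """\
Aug 11 21:53:54 Server sshd[8485]: Accepted password for user from 50.63.156.78 port 50870 ssh2
Aug 12 09:54:31 Server sshd[11234]: Failed password for user from 78.47.79.193 port 37835 ssh2
Aug 12 09:54:36 Server sshd[11234]: Accepted password for user from 78.47.79.193 port 37835 ssh2
Aug 12 10:01:02 Server sshd[11300]: Failed password for root from 116.10.191.162 port 41022 ssh2
Aug 12 10:01:05 Server sshd[11300]: Failed password for root from 116.10.191.162 port 41022 ssh2
Aug 12 18:20:11 Server sshd[11900]: Accepted publickey for admin from 192.168.0.102 port 52000 ssh2
"""

# Assumed: the addresses the administrator considers legitimate (internal LAN here).
EXPECTED = {"192.168.0.102", "192.168.0.100"}

# Matches sshd "Accepted"/"Failed" outcome lines; captures the session pid, outcome,
# auth method, user and source ip/port. "invalid user" lines are handled too.
SSHD_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

def summarise(log_text):
    """Return (stats, sessions): stats[ip] = {"accepted": n, "failed": n};
    sessions[pid] = [(ip, result), ...] in log order, one list per sshd session."""
    stats = defaultdict(lambda: {"accepted": 0, "failed": 0})
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue  # not an sshd authentication outcome line; ignore it
        stats[m["ip"]]["accepted" if m["result"] == "Accepted" else "failed"] += 1
        sessions[m["pid"]].append((m["ip"], m["result"]))
    return stats, sessions

def suspicious_logins(stats, expected=EXPECTED):
    """Addresses that got in but are not on the expected list, with their failure
    count; a first-try success from an unknown source is what the post is flagging."""
    return {ip: s["failed"] for ip, s in stats.items()
            if s["accepted"] and ip not in expected}

def retried_then_accepted(sessions):
    """Sessions where a failed password was followed by an accepted one under the
    same sshd pid, i.e. a retry inside one connection (the two 78.47.79.193 lines
    in the post share pid 11234 and port 37835, five seconds apart)."""
    return {pid: ev[0][0] for pid, ev in sessions.items()
            if any(r == "Failed" for _, r in ev) and ev[-1][1] == "Accepted"}
```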

 

Let's take a look at ALL the failed login attempts now, maybe there's something in that... For starters, there are a whole lot more failed attempts than successful ones. As stated in the intro, I suspect these are from scripts or bots or something similar. Let's look at the IPs and see what we get. For this section, I will be using ipaddress.com to determine where these IPs originate from.

116.10.191.162 - China Telecom Guangxi.

116.10.191.165 - China Telecom Guangxi.

116.10.191.171 - China Telecom Guangxi.

116.10.191.172 - China Telecom Guangxi.

116.10.191.176 - China Telecom Guangxi.

116.10.191.178 - China Telecom Guangxi.

116.10.191.180 - China Telecom Guangxi.

116.10.191.182 - China Telecom Guangxi.

116.10.191.187 - China Telecom Guangxi.

116.10.191.188 - China Telecom Guangxi.

116.10.191.189 - China Telecom Guangxi.

116.10.191.194 - China Telecom Guangxi.

116.10.191.195 - China Telecom Guangxi.

116.10.191.196 - China Telecom Guangxi.

116.10.191.236 - China Telecom Guangxi.

 

61.174.49.116 - China Telecom.

61.174.51.116 - China Telecom.

61.174.51.203 - China Telecom.

61.174.51.219 - China Telecom.

61.174.51.226 - China Telecom.

 

144.0.0.21 - China Telecom shandong.

144.0.0.25 - China Telecom shandong.

144.0.0.50 - China Telecom shandong.

 

218.59.209.136 - China Unicom Shandong.

60.190.71.52 - China Telecom Zhejiang.

115.238.236.94 - China Telecom Zhejiang.

60.173.26.24 - China Telecom Anhui.

59.56.64.169 - China Telecom fujian.

59.173.18.45 - China Telecom.

61.167.49.133 - China Telecom.

61.167.49.136 - China Telecom.

61.183.1.8 - China Telecom.

1.93.26.149 - Beijing hsoft technologies inc.

219.235.4.253 - QianWan Network Co.,Ltd.

113.107.233.142 - China Telecom Guangdong.

222.186.56.67 - China Telecom jiangsu.

180.97.28.240 - China Telecom jiangsu.

202.85.222.100 - Elink-space (Beijing) Technology Co,. Ltd

211.140.18.58 - China Mobile.

222.219.187.9 - China Telecom Yunnan.

123.127.36.162 - China Unicom Beijing.

103.22.188.164 - Henan Telcom Union Technology Co., LTD. (China)

42.51.16.186 - CNISP-Union Technology (Beijing) Co., Ltd.

 

128.199.251.153 - DigitalOcean. (Singapore)

 

103.255.61.226 - VpsQuan L.L.C. (Hong Kong)

 

79.48.213.12 - Telecom Italia.

 

187.63.226.82 - Minas Mais Telecomunicações Ltda (Brazil)

150.161.1.66 - Universidade Federal de Pernambuco. (Brazil)

 

189.203.240.64 - Iusacell. (Mexico)

 

212.129.42.212 - Free SAS. (France)

212.129.42.215 - Free SAS. (France)

212.129.12.75 - Free SAS. (France)

 

142.4.38.39 - WebNX. (USA)

 

112.216.65.78 - LG DACOM Corporation. (Republic of Korea)

 

212.115.255.26 - ISP Fregat Ltd. (Ukraine)

 

213.20.227.137 - Telefonica Germany.

 

82.221.106.233 - Advania hf. (Iceland)

82.221.109.194 - Advania hf. (Iceland)

 

89.46.101.156 - M247 Europe SRL. (Romania)

 

24.114.110.135 - Rogers Cable. Expected

24.114.109.253 - Rogers Cable. Expected

174.112.203.150 - Rogers Cable. Expected

 

62.109.29.246 - ISPsystem, cjsc. (Russia)

146.185.220.171 - Petersburg Internet Network ltd (Russia)

146.185.220.172 - Petersburg Internet Network ltd (Russia)

146.185.220.173 - Petersburg Internet Network ltd (Russia)

 

200.75.141.74 - Net Uno, C.A. (Venezuela)

 

190.7.129.141 - UNE. (Colombia)

 

In a way, I was expecting to see a lot of attempts from China; in October of 2014, the FBI Director made the following comparison:

"I liken them a bit to a drunk burglar. They're kickin' in the front door, knocking over the vase, while they're walking out with your television set. They're just prolific. Their strategy seems to be: 'We'll just be everywhere all the time. And there's no way they can stop us,'" Comey said.

http://www.foxnews.com/us/2014/10/05/fbi-head-says-chinese-hackers-like-drunk-burglar-aiming-to-steal-from-us/

http://www.telegraph.co.uk/news/worldnews/northamerica/usa/11142685/FBI-chief-says-Chinese-hackers-are-like-drunk-burglars.html

Based on these findings, I would agree with this comparison. But that doesn't explain the successful (and failed) logins from GoDaddy. This will need some deeper investigation.

For now, I believe this is all the relevant information I will be able to gather from these log files. I will certainly be keeping the originals should I need to come back to them in the future.
