
In this article I am examining the /var/log/auth.log file for any indication of who, what and when my server may have been compromised.

Taking a look through the logs, I am not immediately seeing anything obvious. There are a TON of failed logins, probably from scripts or botnets or something similar. While I am not expecting to find clear indications of what IP logged in from where to do what, I have little else at my immediate disposal to work with, so for now, this is where I am starting.

First, I'm taking a look for all accepted logins. Here are the IPs I have found:

192.168.0.102 - internal IP, expected

192.168.0.100 - internal IP, expected

174.112.203.150 - according to ipaddress.com, this is from Rogers Cable. This would be expected

24.114.110.78 - according to ipaddress.com, this is from Rogers Cable. This would be expected

24.114.110.135 - according to ipaddress.com, this is from Rogers Cable. This would be expected

24.114.109.253 - according to ipaddress.com, this is from Rogers Cable. This would be expected

50.63.156.78 - according to ipaddress.com, this is from GoDaddy. This is NOT expected

78.47.79.193 - according to ipaddress.com, this is from Hetzner Online AG. This is NOT expected

Ok, so there are 2 sets of IPs that are not expected. auth.log indicates that they only successfully logged in once each. Here are the lines right from the log (some details changed):

Aug 11 21:53:54 Server sshd[8485]: Accepted password for user from 50.63.156.78 port 50870 ssh2

Aug 12 09:54:36 Server sshd[11234]: Accepted password for user from 78.47.79.193 port 37835 ssh2

Let's take a look at how many times these IPs have tried and failed.

50.63.156.78 - 0 failed login attempts

78.47.79.193 - 1 failed login attempt:

Aug 12 09:54:31 Server sshd[11234]: Failed password for user from 78.47.79.193 port 37835 ssh2

So I am still a bit unsure what to make of these. Are they legitimate? Are they the indication I am looking for? In my findings below, I have identified yet another login attempt from GoDaddy:

192.169.202.249 - GoDaddy.com, LLC.

Aug 14 01:39:26 MaitreDi sshd[31822]: Failed password for root from 192.169.202.249 port 36732 ssh2

 

Let's take a look at ALL the failed login attempts now, maybe there's something in that... For starters, there are a whole lot more failed attempts than successful ones. As stated in the intro, I suspect these are from scripts or bots or something similar. Let's look at the IPs and see what we get. For this section, I will be using ipaddress.com to determine where these IPs originate from.
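The three passes above (accepted logins, failed attempts for the accepted IPs, and the full failed-login list) can be done in one go with a short parser. The script below is an added example, not part of the original post and not a tool the author used. The log text embedded in it is constructed for the example: three of the lines are the ones quoted in this article, the others are invented to exercise the counters. The EXPECTED_SOURCES set and all function names are assumptions of the example. It also flags the pattern visible in the quoted 78.47.79.193 lines, a Failed line followed by an Accepted line under the same sshd PID, port and source, which is one connection that guessed wrong and then right rather than two separate logins.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log. The 50.63.156.78, 78.47.79.193 and
# 192.169.202.249 lines are the ones quoted in the article; the rest are made
# up here to give the counters something to work on.
SAMPLE_AUTH_LOG = """\
Aug 11 21:53:54 Server sshd[8485]: Accepted password for user from 50.63.156.78 port 50870 ssh2
Aug 12 09:54:31 Server sshd[11234]: Failed password for user from 78.47.79.193 port 37835 ssh2
Aug 12 09:54:36 Server sshd[11234]: Accepted password for user from 78.47.79.193 port 37835 ssh2
Aug 12 10:01:02 Server sshd[11300]: Failed password for root from 116.10.191.162 port 41222 ssh2
Aug 12 10:01:05 Server sshd[11300]: Failed password for root from 116.10.191.162 port 41222 ssh2
Aug 12 10:01:09 Server sshd[11302]: Failed password for invalid user admin from 116.10.191.162 port 41240 ssh2
Aug 12 10:05:00 Server sshd[11310]: Accepted publickey for user from 192.168.0.102 port 50000 ssh2
Aug 14 01:39:26 MaitreDi sshd[31822]: Failed password for root from 192.169.202.249 port 36732 ssh2
"""

# Sources the article treats as expected (assumption: the internal LAN hosts
# and the Rogers Cable addresses it lists).
EXPECTED_SOURCES = {
    "192.168.0.102", "192.168.0.100",
    "174.112.203.150", "24.114.110.78", "24.114.110.135", "24.114.109.253",
}

# Matches the OpenSSH "Accepted ..." / "Failed ..." lines, including the
# "invalid user" variant that appears for non-existent accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_auth_log(text):
    """Return one dict per sshd Accepted/Failed line, in log order; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def logins_by_ip(events):
    """Count accepted and failed logins per source IP."""
    stats = defaultdict(lambda: {"accepted": 0, "failed": 0})
    for ev in events:
        key = "accepted" if ev["result"] == "Accepted" else "failed"
        stats[ev["ip"]][key] += 1
    return dict(stats)


def unexpected_accepted(events, expected_sources):
    """Source IPs with at least one successful login that are not on the expected list."""
    return sorted({ev["ip"] for ev in events
                   if ev["result"] == "Accepted" and ev["ip"] not in expected_sources})


def retry_then_success(events):
    """Sessions where a Failed line precedes an Accepted line.

    The log is read in order and keyed on (pid, ip, port), so a hit is a single
    SSH connection that submitted a wrong password before the right one.
    """
    failed_sessions = set()
    hits = []
    for ev in events:
        session = (ev["pid"], ev["ip"], ev["port"])
        if ev["result"] == "Failed":
            failed_sessions.add(session)
        elif session in failed_sessions:
            hits.append((ev["ip"], ev["pid"], ev["user"]))
    return hits


if __name__ == "__main__":
    # To run against a real file: events = parse_auth_log(open("/var/log/auth.log").read())
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    for ip, counts in sorted(logins_by_ip(events).items()):
        print(f"{ip:16} accepted={counts['accepted']:3} failed={counts['failed']:3}")
    print("unexpected accepted:", unexpected_accepted(events, EXPECTED_SOURCES))
    print("failed-then-accepted sessions:", retry_then_success(events))
```

Keying the retry check on PID alone is not enough on a log that spans days, because sshd PIDs get reused; adding the source IP and port keeps two unrelated connections from being paired. Adding the failed-login totals per IP to the report is what turns the long per-IP list in this section into something sortable.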

116.10.191.162 - China Telecom Guangxi.

116.10.191.165 - China Telecom Guangxi.

116.10.191.171 - China Telecom Guangxi.

116.10.191.172 - China Telecom Guangxi.

116.10.191.176 - China Telecom Guangxi.

116.10.191.178 - China Telecom Guangxi.

116.10.191.180 - China Telecom Guangxi.

116.10.191.182 - China Telecom Guangxi.

116.10.191.187 - China Telecom Guangxi.

116.10.191.188 - China Telecom Guangxi.

116.10.191.189 - China Telecom Guangxi.

116.10.191.194 - China Telecom Guangxi.

116.10.191.195 - China Telecom Guangxi.

116.10.191.196 - China Telecom Guangxi.

116.10.191.236 - China Telecom Guangxi.

 

61.174.49.116 - China Telecom.

61.174.51.116 - China Telecom.

61.174.51.203 - China Telecom.

61.174.51.219 - China Telecom.

61.174.51.226 - China Telecom.

 

144.0.0.21 - China Telecom shandong.

144.0.0.25 - China Telecom shandong.

144.0.0.50 - China Telecom shandong.

 

218.59.209.136 - China Unicom Shandong.

60.190.71.52 - China Telecom Zhejiang.

115.238.236.94 - China Telecom Zhejiang.

60.173.26.24 - China Telecom Anhui.

59.56.64.169 - China Telecom fujian.

59.173.18.45 - China Telecom.

61.167.49.133 - China Telecom.

61.167.49.136 - China Telecom.

61.183.1.8 - China Telecom.

1.93.26.149 - Beijing hsoft technologies inc.

219.235.4.253 - QianWan Network Co.,Ltd.

113.107.233.142 - China Telecom Guangdong.

222.186.56.67 - China Telecom jiangsu.

180.97.28.240 - China Telecom jiangsu.

202.85.222.100 - Elink-space (Beijing) Technology Co,. Ltd

211.140.18.58 - China Mobile.

222.219.187.9 - China Telecom Yunnan.

123.127.36.162 - China Unicom Beijing.

103.22.188.164 - Henan Telcom Union Technology Co., LTD. (China)

42.51.16.186 - CNISP-Union Technology (Beijing) Co., Ltd.

 

128.199.251.153 - DigitalOcean. (Singapore)

 

103.255.61.226 - VpsQuan L.L.C. (Hong Kong)

 

79.48.213.12 - Telecom Italia.

 

187.63.226.82 - Minas Mais Telecomunicações Ltda (Brazil)

150.161.1.66 - Universidade Federal de Pernambuco. (Brazil)

 

189.203.240.64 - Iusacell. (Mexico)

 

212.129.42.212 - Free SAS. (France)

212.129.42.215 - Free SAS. (France)

212.129.12.75 - Free SAS. (France)

 

142.4.38.39 - WebNX. (USA)

 

112.216.65.78 - LG DACOM Corporation. (Republic of Korea)

 

212.115.255.26 - ISP Fregat Ltd. (Ukraine)

 

213.20.227.137 - Telefonica Germany.

 

82.221.106.233 - Advania hf. (Iceland)

82.221.109.194 - Advania hf. (Iceland)

 

89.46.101.156 - M247 Europe SRL. (Romania)

 

24.114.110.135 - Rogers Cable. Expected

24.114.109.253 - Rogers Cable. Expected

174.112.203.150 - Rogers Cable. Expected

 

62.109.29.246 - ISPsystem, cjsc. (Russia)

146.185.220.171 - Petersburg Internet Network ltd (Russia)

146.185.220.172 - Petersburg Internet Network ltd (Russia)

146.185.220.173 - Petersburg Internet Network ltd (Russia)

 

200.75.141.74 - Net Uno, C.A. (Venezuela)

 

190.7.129.141 - UNE. (Colombia)

 

In a way, I was expecting to see a lot of attempts from China; in October of 2014, the FBI Director made the following comparison:

"I liken them a bit to a drunk burglar. They're kickin' in the front door, knocking over the vase, while they're walking out with your television set. They're just prolific. Their strategy seems to be: 'We'll just be everywhere all the time. And there's no way they can stop us,'" Comey said.

http://www.foxnews.com/us/2014/10/05/fbi-head-says-chinese-hackers-like-drunk-burglar-aiming-to-steal-from-us/

http://www.telegraph.co.uk/news/worldnews/northamerica/usa/11142685/FBI-chief-says-Chinese-hackers-are-like-drunk-burglars.html

Based on these findings, I would agree with this comparison. But that doesn't explain the successful (and failed) logins from GoDaddy. This will need some deeper investigation.

For now, I believe this is all the relevant information I will be able to gather from these log files. I will certainly be keeping the originals should I need to come back to them in the future.
