In this article I am examining the /var/log/auth.log file for any indication of what/what/when my server may have been compromised.
Taking a look through the logs, I am not immediately seeing anything obvious. There are a TON of failed logins, probably from some scripts of botnets or something similar. While I am not expecting to find clear indications of what IP logged in from where to do what, I have little else at my immediate disposal to work with, so for now, this is where I am starting.
First, I'm taking a look for all accepted logins. Here the IPs I have found:
192.168.0.102 - internal IP, expected
192.168.0.100 - internal IP, expected
184.108.40.206 - according to ipaddress.com, this is from Rogers Cable. This would be expected
220.127.116.11 - according to ipaddress.com, this is from Rogers Cable. This would be expected
18.104.22.168 - according to ipaddress.com, this is from Rogers Cable. This would be expected
22.214.171.124 - according to ipaddress.com, this is from Rogers Cable. This would be expected
126.96.36.199 - according to ipaddress.com, this is from GoDaddy. This is NOT expected
188.8.131.52 - according to ipaddress.com, this is from Hetzner Online AG. This is NOT expected
Ok, so there are 2 sets of IPs that are not expected. auth.log indicates that they only successfully logged in once each. Here are the lines right from the log (some details changed):
Aug 11 21:53:54 Server sshd: Accepted password for user from 184.108.40.206 port 50870 ssh2
Aug 12 09:54:36 Server sshd: Accepted password for user from 220.127.116.11 port 37835 ssh2
Let's take a look at how many times these IPs have tried and failed.
18.104.22.168 - 0 failed login attempts
22.214.171.124 - 1 failed login attempt:
Aug 12 09:54:31 Server sshd: Failed password for user from 126.96.36.199 port 37835 ssh2
So I am still a bit unsure what to make of these. Are they legitimate? Are they the indication I am looking for? In my findings below, I have identified yet another login attempt from GoDaddy:
188.8.131.52 - GoDaddy.com, LLC.
Aug 14 01:39:26 MaitreDi sshd: Failed password for root from 184.108.40.206 port 36732 ssh2
Let's take a look at ALL the failed login attempts now, maybe there's something with that... For starters, there is a whole lot more failed attempts than successful. As stated in the intro, I suspect these are from scripts or bots or something similar. Let's look at the IPs and see what we get. For this section, I will be using ipaddress.com to determine where these IPs originate from.
220.127.116.11 - China Telecom Guangxi.
18.104.22.168 - China Telecom Guangxi.
22.214.171.124 - China Telecom Guangxi.
126.96.36.199 - China Telecom Guangxi.
188.8.131.52 - China Telecom Guangxi.
184.108.40.206 - China Telecom Guangxi.
220.127.116.11 - China Telecom Guangxi.
18.104.22.168 - China Telecom Guangxi.
22.214.171.124 - China Telecom Guangxi.
126.96.36.199 - China Telecom Guangxi.
188.8.131.52 - China Telecom Guangxi.
184.108.40.206 - China Telecom Guangxi.
220.127.116.11 - China Telecom Guangxi.
18.104.22.168 - China Telecom Guangxi.
22.214.171.124 - China Telecom Guangxi.
126.96.36.199 - China Telecom.
188.8.131.52 - China Telecom.
184.108.40.206 - China Telecom.
220.127.116.11 - China Telecom.
18.104.22.168 - China Telecom.
22.214.171.124 - China Telecom shandong.
126.96.36.199 - China Telecom shandong.
188.8.131.52 - China Telecom shandong.
184.108.40.206 - China Unicom Shandong.
220.127.116.11 - China Telecom Zhejiang.
18.104.22.168 - China Telecom Zhejiang.
22.214.171.124 - China Telecom Anhui.
126.96.36.199 - China Telecom fujian.
188.8.131.52 - China Telecom.
184.108.40.206 - China Telecom.
220.127.116.11 - China Telecom.
18.104.22.168 - China Telecom.
22.214.171.124 - Beijing hsoft technologies inc.
126.96.36.199 - QianWan Network Co.,Ltd.
188.8.131.52 - China Telecom Guangdong.
184.108.40.206 - China Telecom jiangsu.
220.127.116.11 - China Telecom jiangsu.
18.104.22.168 - Elink-space (Beijing) Technology Co,. Ltd
22.214.171.124 - China Mobile.
126.96.36.199 - China Telecom Yunnan.
188.8.131.52 - China Unicom Beijing.
184.108.40.206 - Henan Telcom Union Technology Co., LTD. (China)
220.127.116.11 - CNISP-Union Technology (Beijing) Co., Ltd.
18.104.22.168 - DigitalOcean. (Singapore)
22.214.171.124 - VpsQuan L.L.C. (Hong Kong)
126.96.36.199 - Telecom Italia.
188.8.131.52 - Minas Mais Telecomunicações Ltda (Brazil)
184.108.40.206 - Universidade Federal de Pernambuco. (Brazil)
220.127.116.11 - Iusacell. (Mexico)
18.104.22.168 - Free SAS. (France)
22.214.171.124 - Free SAS. (France)
126.96.36.199 - Free SAS. (France)
188.8.131.52 - WebNX. (USA)
184.108.40.206 - LG DACOM Corporation. (Republic of Korea)
220.127.116.11 - ISP Fregat Ltd. (Ukraine)
18.104.22.168 - Telefonica Germany.
22.214.171.124 - Advania hf. (Iceland)
126.96.36.199 - Advania hf. (Iceland)
188.8.131.52 - M247 Europe SRL. (Romania)
184.108.40.206 - Rogers Cable. Expected
220.127.116.11 - Rogers Cable. Expected
18.104.22.168 - Rogers Cable. Expected
22.214.171.124 - ISPsystem, cjsc. (Russia)
126.96.36.199 - Petersburg Internet Network ltd (Russia)
188.8.131.52 - Petersburg Internet Network ltd (Russia)
184.108.40.206 - Petersburg Internet Network ltd (Russia)
220.127.116.11 - Net Uno, C.A. (Venezuela)
18.104.22.168 - UNE. (Columbia)
In a way, I was expecting to see a lot of attempts from China; in October of 2014, the FBI Director made the following comparison:"I liken them a bit to a drunk burglar. They're kickin' in the front door, knocking over the vase, while they're walking out with your television set. They're just prolific. Their strategy seems to be: 'We'll just be everywhere all the time. And there's no way they can stop us,'" Comey said.
Based off these findings, I would agree with this comparison. But that doesn't explain the successful (and failed) logins from GoDaddy. This will need some deeper investigation.
For now, I believe this is all the relevant information I will be able to gather from these log files. I will certainly be keeping the originals should I need to come back to them in the future.