In this article I am examining the /var/log/auth.log file for any indication of who may have compromised my server, what they did, and when.
Taking a look through the logs, I am not immediately seeing anything obvious. There are a TON of failed logins, probably from scripts or botnets or something similar. While I am not expecting to find clear indications of which IP logged in from where to do what, I have little else at my immediate disposal to work with, so for now, this is where I am starting.
First, I'm taking a look for all accepted logins. Here are the IPs I have found:
192.168.0.102 - internal IP, expected
192.168.0.100 - internal IP, expected
174.112.203.150 - according to ipaddress.com, this is from Rogers Cable. This would be expected
24.114.110.78 - according to ipaddress.com, this is from Rogers Cable. This would be expected
24.114.110.135 - according to ipaddress.com, this is from Rogers Cable. This would be expected
24.114.109.253 - according to ipaddress.com, this is from Rogers Cable. This would be expected
50.63.156.78 - according to ipaddress.com, this is from GoDaddy. This is NOT expected
78.47.79.193 - according to ipaddress.com, this is from Hetzner Online AG. This is NOT expected
Ok, so there are two IPs that are not expected. auth.log indicates that each of them successfully logged in only once. Here are the lines right from the log (some details changed):
Aug 11 21:53:54 Server sshd[8485]: Accepted password for user from 50.63.156.78 port 50870 ssh2
Aug 12 09:54:36 Server sshd[11234]: Accepted password for user from 78.47.79.193 port 37835 ssh2
Let's take a look at how many times these IPs have tried and failed.
50.63.156.78 - 0 failed login attempts
78.47.79.193 - 1 failed login attempt:
Aug 12 09:54:31 Server sshd[11234]: Failed password for user from 78.47.79.193 port 37835 ssh2
So I am still a bit unsure what to make of these. Are they legitimate? Are they the indication I am looking for? In my findings below, I have identified yet another login attempt from GoDaddy:
192.169.202.249 - GoDaddy.com, LLC.
Aug 14 01:39:26 MaitreDi sshd[31822]: Failed password for root from 192.169.202.249 port 36732 ssh2
Let's take a look at ALL the failed login attempts now, maybe there's something in that... For starters, there are far more failed attempts than successful ones. As stated in the intro, I suspect these are from scripts or bots or something similar. Let's look at the IPs and see what we get. For this section, I will be using ipaddress.com to determine where these IPs originate from.
116.10.191.162 - China Telecom Guangxi.
116.10.191.165 - China Telecom Guangxi.
116.10.191.171 - China Telecom Guangxi.
116.10.191.172 - China Telecom Guangxi.
116.10.191.176 - China Telecom Guangxi.
116.10.191.178 - China Telecom Guangxi.
116.10.191.180 - China Telecom Guangxi.
116.10.191.182 - China Telecom Guangxi.
116.10.191.187 - China Telecom Guangxi.
116.10.191.188 - China Telecom Guangxi.
116.10.191.189 - China Telecom Guangxi.
116.10.191.194 - China Telecom Guangxi.
116.10.191.195 - China Telecom Guangxi.
116.10.191.196 - China Telecom Guangxi.
116.10.191.236 - China Telecom Guangxi.
61.174.49.116 - China Telecom.
61.174.51.116 - China Telecom.
61.174.51.203 - China Telecom.
61.174.51.219 - China Telecom.
61.174.51.226 - China Telecom.
144.0.0.21 - China Telecom Shandong.
144.0.0.25 - China Telecom Shandong.
144.0.0.50 - China Telecom Shandong.
218.59.209.136 - China Unicom Shandong.
60.190.71.52 - China Telecom Zhejiang.
115.238.236.94 - China Telecom Zhejiang.
60.173.26.24 - China Telecom Anhui.
59.56.64.169 - China Telecom Fujian.
59.173.18.45 - China Telecom.
61.167.49.133 - China Telecom.
61.167.49.136 - China Telecom.
61.183.1.8 - China Telecom.
1.93.26.149 - Beijing hsoft technologies inc.
219.235.4.253 - QianWan Network Co.,Ltd.
113.107.233.142 - China Telecom Guangdong.
222.186.56.67 - China Telecom Jiangsu.
180.97.28.240 - China Telecom Jiangsu.
202.85.222.100 - Elink-space (Beijing) Technology Co., Ltd
211.140.18.58 - China Mobile.
222.219.187.9 - China Telecom Yunnan.
123.127.36.162 - China Unicom Beijing.
103.22.188.164 - Henan Telcom Union Technology Co., LTD. (China)
42.51.16.186 - CNISP-Union Technology (Beijing) Co., Ltd.
128.199.251.153 - DigitalOcean. (Singapore)
103.255.61.226 - VpsQuan L.L.C. (Hong Kong)
79.48.213.12 - Telecom Italia.
187.63.226.82 - Minas Mais Telecomunicações Ltda (Brazil)
150.161.1.66 - Universidade Federal de Pernambuco. (Brazil)
189.203.240.64 - Iusacell. (Mexico)
212.129.42.212 - Free SAS. (France)
212.129.42.215 - Free SAS. (France)
212.129.12.75 - Free SAS. (France)
142.4.38.39 - WebNX. (USA)
112.216.65.78 - LG DACOM Corporation. (Republic of Korea)
212.115.255.26 - ISP Fregat Ltd. (Ukraine)
213.20.227.137 - Telefonica Germany.
82.221.106.233 - Advania hf. (Iceland)
82.221.109.194 - Advania hf. (Iceland)
89.46.101.156 - M247 Europe SRL. (Romania)
24.114.110.135 - Rogers Cable. Expected
24.114.109.253 - Rogers Cable. Expected
174.112.203.150 - Rogers Cable. Expected
62.109.29.246 - ISPsystem, cjsc. (Russia)
146.185.220.171 - Petersburg Internet Network ltd (Russia)
146.185.220.172 - Petersburg Internet Network ltd (Russia)
146.185.220.173 - Petersburg Internet Network ltd (Russia)
200.75.141.74 - Net Uno, C.A. (Venezuela)
190.7.129.141 - UNE. (Colombia)
In a way, I was expecting to see a lot of attempts from China; in October of 2014, the FBI Director made the following comparison:
"I liken them a bit to a drunk burglar. They're kickin' in the front door, knocking over the vase, while they're walking out with your television set. They're just prolific. Their strategy seems to be: 'We'll just be everywhere all the time. And there's no way they can stop us,'" Comey said.
Based on these findings, I would agree with this comparison. But that doesn't explain the successful (and failed) logins from GoDaddy. This will need some deeper investigation.
For now, I believe this is all the relevant information I will be able to gather from these log files. I will certainly be keeping the originals should I need to come back to them in the future.
What about the usernames? Which usernames were attempted?
root
admin
unknown
nagios
gitlab
test
support
tomcat
user01
postgres
clearwatersports
clara
user 1
user1
a
aaa
abcd1234
abcs
abuse
accounting
addr-user
addruser
afk
alex
andriod
anna
apache
app
applclone
applprod
applvis
armand
art
artwork
asd
photo
asia
photos
authorized
away
bds
blast
bnc
bot
brb
build
builder
buildserver
card
casares
catchall
cecile
centos
cloud
cms
cnsl
cns2
cns3
cns
cns-user
cnsuser
core
corel
coremail
couchdb
cpns01
CPNS01
cpns
crearip
crew
cristina
cvs
daemoN
dalton
danny
db
dblk
dedicated
default
demo
deploy
dev
develop
developed
oracle
sm0k3y
guest
ubnt
password
user
alex
library
ftpuser
vyatta
pi
www
PlcmSpIp
D-Link
kelly
mike
office
emily
ftp
sarah
info
plesk
adam
sales
zhangyan
dff
ubuntu
git
boot
bash
r00t
guestuser
guestx
java
javaprg
resin
jboss
web
weblogic
webmail
cacti
cactiuser
apache2
httpd
httpdocs
zabbix
squid
ftp1
ftpd
system
Test
wangyi
zhaowei
zxin10
cpe
ooooooooooooooo
Some of these usernames make sense to me. Some of them I recognize to be default usernames: some for OS distributions, some for other products. But there are a bunch that make absolutely NO sense to me, "zxin10" for example... While not an impossible username, it is totally random, and does not appear to be any kind of default username, at least not for anything I am familiar with.
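The three passes made above by hand (accepted logins per source IP, failed attempts per source IP, and the set of attempted usernames) can be done in one script over auth.log. This is an added example, not code from the original post: the regex assumes standard sshd "Accepted ... / Failed ... for [invalid user] NAME from IP port N ssh2" wording, EXPECTED_IPS is the list of addresses the post treats as expected, and SAMPLE_LOG is a constructed stand-in for the real file.

```python
import re
from collections import Counter, defaultdict

# Matches the sshd Accepted/Failed lines quoted in the post; "invalid user" is sshd's wording for unknown accounts.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample in the same shape as the lines quoted in the post (not the real log).
SAMPLE_LOG = """\
Aug 11 21:53:54 Server sshd[8485]: Accepted password for user from 50.63.156.78 port 50870 ssh2
Aug 12 09:54:31 Server sshd[11234]: Failed password for user from 78.47.79.193 port 37835 ssh2
Aug 12 09:54:36 Server sshd[11234]: Accepted password for user from 78.47.79.193 port 37835 ssh2
Aug 13 10:00:01 Server sshd[12000]: Accepted publickey for user from 192.168.0.102 port 50100 ssh2
Aug 14 01:39:26 Server sshd[31822]: Failed password for root from 192.169.202.249 port 36732 ssh2
Aug 14 01:39:30 Server sshd[31823]: Failed password for invalid user zxin10 from 116.10.191.162 port 40010 ssh2
Aug 14 01:39:33 Server sshd[31824]: Failed password for invalid user admin from 116.10.191.162 port 40011 ssh2
Aug 14 02:00:00 Server CRON[31900]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Sources the post treats as expected (LAN plus the owner's ISP addresses).
EXPECTED_IPS = {"192.168.0.102", "192.168.0.100", "174.112.203.150",
                "24.114.110.78", "24.114.110.135", "24.114.109.253"}

def summarize(log_text):
    """Return per-IP accepted/failed counts and a Counter of attempted usernames."""
    per_ip = defaultdict(lambda: {"accepted": 0, "failed": 0})
    users = Counter()
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # not an sshd auth line (cron, sudo, ...)
        per_ip[m["ip"]][m["result"].lower()] += 1
        users[m["user"]] += 1
    return per_ip, users

def unexpected_logins(per_ip, expected=EXPECTED_IPS):
    """IPs that got at least one Accepted login and are not on the expected list."""
    return sorted(ip for ip, c in per_ip.items()
                  if c["accepted"] and ip not in expected)

if __name__ == "__main__":
    per_ip, users = summarize(SAMPLE_LOG)
    for ip in unexpected_logins(per_ip):
        print(f"{ip}: {per_ip[ip]['accepted']} accepted, {per_ip[ip]['failed']} failed")
    print("most-tried usernames:", users.most_common(3))
```

Run against the real file with `summarize(open("/var/log/auth.log").read())`; the unexpected list is the same pair of GoDaddy and Hetzner addresses the post singles out, and the username Counter gives the attempted-name list with counts instead of one entry per line.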