In this article I am examining the /var/log/auth.log file for any indication of who/what/when my server may have been compromised.
Taking a look through the logs, I am not immediately seeing anything obvious. There are a TON of failed logins, probably from some scripts of botnets or something similar. While I am not expecting to find clear indications of what IP logged in from where to do what, I have little else at my immediate disposal to work with, so for now, this is where I am starting.
First, I'm taking a look for all accepted logins. Here are the IPs I have found:
192.168.0.102 - internal IP, expected
192.168.0.100 - internal IP, expected
188.8.131.52 - according to ipaddress.com, this is from Rogers Cable. This would be expected
184.108.40.206 - according to ipaddress.com, this is from Rogers Cable. This would be expected
220.127.116.11 - according to ipaddress.com, this is from Rogers Cable. This would be expected
18.104.22.168 - according to ipaddress.com, this is from Rogers Cable. This would be expected
22.214.171.124 - according to ipaddress.com, this is from GoDaddy. This is NOT expected
126.96.36.199 - according to ipaddress.com, this is from Hetzner Online AG. This is NOT expected
Ok, so there are 2 sets of IPs that are not expected. auth.log indicates that they only successfully logged in once each. Here are the lines right from the log (some details changed):
Aug 11 21:53:54 Server sshd: Accepted password for user from 188.8.131.52 port 50870 ssh2
Aug 12 09:54:36 Server sshd: Accepted password for user from 184.108.40.206 port 37835 ssh2
Let's take a look at how many times these IPs have tried and failed.
220.127.116.11 - 0 failed login attempts
18.104.22.168 - 1 failed login attempt:
Aug 12 09:54:31 Server sshd: Failed password for user from 22.214.171.124 port 37835 ssh2
So I am still a bit unsure what to make of these. Are they legitimate? Are they the indication I am looking for? In my findings below, I have identified yet another login attempt from GoDaddy:
126.96.36.199 - GoDaddy.com, LLC.
Aug 14 01:39:26 MaitreDi sshd: Failed password for root from 188.8.131.52 port 36732 ssh2
Let's take a look at ALL the failed login attempts now, maybe there's something with that... For starters, there are a whole lot more failed attempts than successful ones. As stated in the intro, I suspect these are from scripts or bots or something similar. Let's look at the IPs and see what we get. For this section, I will be using ipaddress.com to determine where these IPs originate from.
184.108.40.206 - China Telecom Guangxi.
220.127.116.11 - China Telecom Guangxi.
18.104.22.168 - China Telecom Guangxi.
22.214.171.124 - China Telecom Guangxi.
126.96.36.199 - China Telecom Guangxi.
188.8.131.52 - China Telecom Guangxi.
184.108.40.206 - China Telecom Guangxi.
220.127.116.11 - China Telecom Guangxi.
18.104.22.168 - China Telecom Guangxi.
22.214.171.124 - China Telecom Guangxi.
126.96.36.199 - China Telecom Guangxi.
188.8.131.52 - China Telecom Guangxi.
184.108.40.206 - China Telecom Guangxi.
220.127.116.11 - China Telecom Guangxi.
18.104.22.168 - China Telecom Guangxi.
22.214.171.124 - China Telecom.
126.96.36.199 - China Telecom.
188.8.131.52 - China Telecom.
184.108.40.206 - China Telecom.
220.127.116.11 - China Telecom.
18.104.22.168 - China Telecom Shandong.
22.214.171.124 - China Telecom Shandong.
126.96.36.199 - China Telecom Shandong.
188.8.131.52 - China Unicom Shandong.
184.108.40.206 - China Telecom Zhejiang.
220.127.116.11 - China Telecom Zhejiang.
18.104.22.168 - China Telecom Anhui.
22.214.171.124 - China Telecom Fujian.
126.96.36.199 - China Telecom.
188.8.131.52 - China Telecom.
184.108.40.206 - China Telecom.
220.127.116.11 - China Telecom.
18.104.22.168 - Beijing hsoft technologies inc.
22.214.171.124 - QianWan Network Co.,Ltd.
126.96.36.199 - China Telecom Guangdong.
188.8.131.52 - China Telecom Jiangsu.
184.108.40.206 - China Telecom Jiangsu.
220.127.116.11 - Elink-space (Beijing) Technology Co., Ltd
18.104.22.168 - China Mobile.
22.214.171.124 - China Telecom Yunnan.
126.96.36.199 - China Unicom Beijing.
188.8.131.52 - Henan Telcom Union Technology Co., LTD. (China)
184.108.40.206 - CNISP-Union Technology (Beijing) Co., Ltd.
220.127.116.11 - DigitalOcean. (Singapore)
18.104.22.168 - VpsQuan L.L.C. (Hong Kong)
22.214.171.124 - Telecom Italia.
126.96.36.199 - Minas Mais Telecomunicações Ltda (Brazil)
188.8.131.52 - Universidade Federal de Pernambuco. (Brazil)
184.108.40.206 - Iusacell. (Mexico)
220.127.116.11 - Free SAS. (France)
18.104.22.168 - Free SAS. (France)
22.214.171.124 - Free SAS. (France)
126.96.36.199 - WebNX. (USA)
188.8.131.52 - LG DACOM Corporation. (Republic of Korea)
184.108.40.206 - ISP Fregat Ltd. (Ukraine)
220.127.116.11 - Telefonica Germany.
18.104.22.168 - Advania hf. (Iceland)
22.214.171.124 - Advania hf. (Iceland)
126.96.36.199 - M247 Europe SRL. (Romania)
188.8.131.52 - Rogers Cable. Expected
184.108.40.206 - Rogers Cable. Expected
220.127.116.11 - Rogers Cable. Expected
18.104.22.168 - ISPsystem, cjsc. (Russia)
22.214.171.124 - Petersburg Internet Network ltd (Russia)
126.96.36.199 - Petersburg Internet Network ltd (Russia)
188.8.131.52 - Petersburg Internet Network ltd (Russia)
184.108.40.206 - Net Uno, C.A. (Venezuela)
220.127.116.11 - UNE. (Colombia)
In a way, I was expecting to see a lot of attempts from China; in October of 2014, the FBI Director made the following comparison: "I liken them a bit to a drunk burglar. They're kickin' in the front door, knocking over the vase, while they're walking out with your television set. They're just prolific. Their strategy seems to be: 'We'll just be everywhere all the time. And there's no way they can stop us,'" Comey said.
Based on these findings, I would agree with this comparison. But that doesn't explain the successful (and failed) logins from GoDaddy. This will need some deeper investigation.
For now, I believe this is all the relevant information I will be able to gather from these log files. I will certainly be keeping the originals should I need to come back to them in the future.
What about the user names? What user names are attempted?
Some of these usernames make sense to me. Some of them I recognize to be default usernames: some for certain OS distributions, some for other products. But there are a bunch that make absolutely NO sense to me, "zxin10" for example... While not an impossible username, it is totally random, and does not appear to be any kind of default username, at least not for anything I am familiar with.
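The triage done by hand above (accepted logins per IP, failed attempts per IP, successful logins from addresses outside the expected set, and the usernames each address tried) can be scripted once grep stops being enough. This is an added example, not code from the original post; the auth.log lines, IPs, PIDs and usernames in it are constructed placeholders in the same format as the lines quoted above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines mirroring the auth.log format quoted in the post.
# Addresses are documentation ranges and PIDs are made up; none are real data.
SAMPLE_LOG = """\
Aug 11 21:53:54 Server sshd[1201]: Accepted password for user from 192.168.0.102 port 50870 ssh2
Aug 12 09:54:31 Server sshd[1340]: Failed password for user from 203.0.113.7 port 37835 ssh2
Aug 12 09:54:36 Server sshd[1340]: Accepted password for user from 203.0.113.7 port 37835 ssh2
Aug 14 01:39:26 Server sshd[2210]: Failed password for root from 198.51.100.9 port 36732 ssh2
Aug 14 01:39:30 Server sshd[2211]: Failed password for invalid user zxin10 from 198.51.100.9 port 36740 ssh2
Aug 14 01:40:02 Server sshd[2212]: Failed password for invalid user admin from 198.51.100.9 port 36750 ssh2
"""

# Matches both "sshd[pid]:" and the "sshd:" form shown in the post, and the
# "invalid user <name>" variant sshd logs for accounts that do not exist.
LINE_RE = re.compile(
    r"sshd(?:\[\d+\])?: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

def parse_auth_log(text):
    """Yield (result, user, ip) for every sshd Accepted/Failed line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")

def summarize(text, expected_ips):
    """Per-IP accepted/failed counts, usernames tried per IP, and the list of
    IPs with a successful login that are not in the expected set."""
    accepted, failed = Counter(), Counter()
    users = defaultdict(Counter)
    for result, user, ip in parse_auth_log(text):
        (accepted if result == "Accepted" else failed)[ip] += 1
        users[ip][user] += 1
    unexpected = sorted(ip for ip in accepted if ip not in expected_ips)
    return {"accepted": accepted, "failed": failed,
            "users": users, "unexpected_accepted": unexpected}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, {"192.168.0.102"})
    for ip in report["unexpected_accepted"]:
        print(f"{ip}: accepted={report['accepted'][ip]} "
              f"failed={report['failed'][ip]} users={dict(report['users'][ip])}")
```

Pointing `summarize` at the contents of a real auth.log with the known-good addresses as `expected_ips` reproduces the "NOT expected" list from the first section; the `users` map is what answers the "what user names are attempted?" question per source address.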