Full Version: Log files <solved>
MandrivaUsers.org > Advanced Topics > Security
riseringseeker
I have recently set up an ssh server that I will/am/should be able to access from anywhere in the world (I travel a lot!).

I also got a domain name from https://www.dyndns.com/ to be able to follow my dynamic IP. Since I have done so I have seen quite a few attempts to log in from various parts of the world: Pakistan, India, China, Korea. Until yesterday I believed the attempts to be unsuccessful. Looking at the logs yesterday and today, though, makes me wonder if I need to do something else to keep hackers off my computer.

Today's logs are much like yesterday's, with the exception noted at the bottom of the list. Another concern is that that is as far back as I can view: logs prior to 11/05 are not there at all! I don't know if that is because the files were dropped normally as part of keeping them a reasonable size, or if it's something more nefarious.

Clipped from today's logs (I was not on the system at all during this period of time):

QUOTE
Nov 6 04:13:20 localhost logger: Security Warning: There are modifications for port listening on your machine :
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 localhost.homelinux.org:2208 *:* LISTEN 2031/hpiod
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:swat *:* LISTEN 3365/xinetd
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:nut *:* LISTEN 2941/upsd
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:48071 *:* LISTEN -
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 localhost.homelinux.or:10026 *:* LISTEN 4120/master
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:netbios-ssn *:* LISTEN 3652/smbd
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:34444 *:* LISTEN 3481/rpc.statd
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:sunrpc *:* LISTEN 3198/portmap
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:x11 *:* LISTEN 3759/X
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:849 *:* LISTEN 3641/rpc.mountd
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 192.168.2.2:ssh *:* LISTEN 3530/sshd
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:ipp *:* LISTEN 2514/cupsd
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 localhost.homelinux.org:smtp *:* LISTEN 4120/master
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 localhost.homelinux.or:52378 *:* LISTEN 2454/python
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:7741 *:* LISTEN 5559/lisa
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:microsoft-ds *:* LISTEN 3652/smbd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:32769 *:* 3401/avahi-daemon:
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:32772 *:* 3481/rpc.statd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 192.168.2.2:netbios-ns *:* 3716/nmbd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:netbios-ns *:* 3716/nmbd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 192.168.2.2:netbios-dgm *:* 3716/nmbd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:netbios-dgm *:* 3716/nmbd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:689 *:* 3481/rpc.statd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:7741 *:* 5559/lisa
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:846 *:* 3641/rpc.mountd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:5353 *:* 3401/avahi-daemon:
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:sunrpc *:* 3198/portmap
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:ipp *:* 2514/cupsd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 192.168.2.2:ntp *:* 3775/ntpd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 localhost.homelinux.org:ntp *:* 3775/ntpd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:ntp *:* 3775/ntpd
Nov 6 04:13:20 localhost logger: - Opened ports : raw 0 0 *:icmp *:* 7 5559/lisa
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 localhost.homelinux.org:2208 *:* LISTEN 2046/hpiod
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:swat *:* LISTEN 3441/xinetd
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:nut *:* LISTEN 2981/upsd
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:58089 *:* LISTEN 3542/rpc.statd
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 localhost.homelinux.or:10026 *:* LISTEN 4099/master
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:33386 *:* LISTEN -
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:netbios-ssn *:* LISTEN 3689/smbd
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 localhost.homelinux.or:43918 *:* LISTEN 2490/python
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:sunrpc *:* LISTEN 3268/portmap
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:x11 *:* LISTEN 3743/X
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 192.168.2.2:ssh *:* LISTEN 3605/sshd
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:ipp *:* LISTEN 2570/cupsd
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 localhost.homelinux.org:smtp *:* LISTEN 4099/master
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:954 *:* LISTEN 3756/rpc.mountd
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:7741 *:* LISTEN 5580/lisa
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:microsoft-ds *:* LISTEN 3689/smbd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:32768 *:* 3528/avahi-daemon:
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:32770 *:* 3542/rpc.statd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 192.168.2.2:netbios-ns *:* 3841/nmbd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:netbios-ns *:* 3841/nmbd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 192.168.2.2:netbios-dgm *:* 3841/nmbd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:netbios-dgm *:* 3841/nmbd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:951 *:* 3756/rpc.mountd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:7741 *:* 5580/lisa
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:5353 *:* 3528/avahi-daemon:
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:kerberos-iv *:* 3542/rpc.statd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:sunrpc *:* 3268/portmap
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:ipp *:* 2570/cupsd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 192.168.2.2:ntp *:* 3779/ntpd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 localhost.homelinux.org:ntp *:* 3779/ntpd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:ntp *:* 3779/ntpd
Nov 6 04:13:20 localhost logger: - Closed ports : raw 0 0 *:icmp *:* 7 5580/lisa
Nov 6 04:13:24 localhost logger: Security Warning: World Writable files found :
Nov 6 04:13:24 localhost logger: - /home/karl/Funnies/Greatest_Movie_Line_Ever.wmv
Nov 6 04:13:24 localhost logger: - /home/karl/Funnies/Kosovo music video.wmv
Nov 6 04:13:24 localhost logger: - /tmp/.ICE-unix
Nov 6 04:13:24 localhost logger: - /tmp/.X11-unix
Nov 6 04:13:24 localhost logger: - /tmp/.X11-unix/X0
Nov 6 04:13:24 localhost logger: - /tmp/.font-unix
Nov 6 04:13:24 localhost logger: - /tmp/.font-unix/fs-1
Nov 6 04:13:24 localhost logger: - /var/lib/clamav/clamd.socket
Nov 6 04:13:24 localhost logger: - /var/lib/lock/sane
Nov 6 04:13:24 localhost logger: - /var/lib/texmf
Nov 6 04:13:24 localhost logger: - /var/lib/texmf/ls-R
Nov 6 04:13:24 localhost logger: - /var/run/acpid.socket
Nov 6 04:13:24 localhost logger: - /var/run/avahi-daemon/socket
Nov 6 04:13:24 localhost logger: - /var/run/dbus/system_dbus_socket
Nov 6 04:13:24 localhost logger: - /var/run/xdmctl/dmctl-:0/socket
Nov 6 04:13:24 localhost logger: - /var/run/xdmctl/dmctl/socket
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/dev/log
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/anvil
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/bounce
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/cyrus
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/cyrus-chroot
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/cyrus-deliver
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/cyrus-inet
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/defer
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/discard
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/error
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/lmtp
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/lmtp-filter
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/local
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/maildrop
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/proxymap
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/relay
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/rewrite
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/scache
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/smtp
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/smtp-filter
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/tlsmgr
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/trace
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/uucp
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/verify
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/virtual
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/public/cleanup
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/public/flush
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/public/pickup
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/public/qmgr
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/public/showq
Nov 6 04:13:24 localhost logger: - /var/spool/samba
Nov 6 04:13:24 localhost logger: Security Warning: /etc/shadow check :
Nov 6 04:13:24 localhost logger: - /etc/shadow:30: User "guest" has no password !
Nov 6 04:13:24 localhost logger: Security Warning: These files belonging to packages are modified on the system :
Nov 6 04:13:24 localhost logger: - /boot/message-graphic
Nov 6 04:13:24 localhost logger: - /usr/lib/gconv/gconv-modules.cache
Nov 6 04:13:24 localhost logger: - /usr/lib/nvu-1.0/chrome/overlayinfo/editor/content/overlays.rdf
Nov 6 04:13:24 localhost logger: - /usr/share/X11/icewm/menu
Nov 6 04:13:24 localhost logger: - /usr/share/a2ps/afm/fonts.map
Nov 6 04:13:24 localhost logger: - /usr/share/applications/defaults.list
Nov 6 04:13:24 localhost logger: - /usr/share/applications/gaim.desktop
Nov 6 04:13:24 localhost logger: - /usr/share/doc/HTML/index.html
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/100dpi/fonts.dir
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/100dpi/fonts.scale
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/75dpi/fonts.dir
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/75dpi/fonts.scale
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/OTF/fonts.dir
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/OTF/fonts.scale
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/Speedo/fonts.dir
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/Speedo/fonts.scale
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/TTF/fonts.dir
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/TTF/fonts.scale
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/Type1/fonts.dir
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/Type1/fonts.scale
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/cyrillic/fonts.dir
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/cyrillic/fonts.scale
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/misc/fonts.dir
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/misc/fonts.scale
Nov 6 04:13:24 localhost logger: - /usr/share/texmf/ls-R
Nov 6 04:13:24 localhost logger: - /var/lib/mandriva/kde-profiles/common/share/config/kdesktoprc
Nov 6 04:13:24 localhost logger: - /var/lib/mandriva/kde-profiles/common/share/config/konquerorrc
Nov 6 04:13:24 localhost logger: Security Warning: These config files belonging to packages are modified on the system :
Nov 6 04:13:24 localhost logger: - /etc/X11/fs/config
Nov 6 04:13:24 localhost logger: - /etc/X11/imwheel/startup.conf
Nov 6 04:13:24 localhost logger: - /etc/cups/cupsd.conf
Nov 6 04:13:24 localhost logger: - /etc/exports
Nov 6 04:13:24 localhost logger: - /etc/firefox.cfg
Nov 6 04:13:24 localhost logger: - /etc/host.conf
Nov 6 04:13:24 localhost logger: - /etc/info-dir
Nov 6 04:13:24 localhost logger: - /etc/inittab
Nov 6 04:13:24 localhost logger: - /etc/kde/kdm/kdmrc
Nov 6 04:13:24 localhost logger: - /etc/kderc
Nov 6 04:13:24 localhost logger: - /etc/login.defs
Nov 6 04:13:24 localhost logger: - /etc/modprobe.conf
Nov 6 04:13:24 localhost logger: - /etc/modprobe.preload
Nov 6 04:13:24 localhost logger: - /etc/mozpluggerrc
Nov 6 04:13:24 localhost logger: - /etc/mtools.conf
Nov 6 04:13:24 localhost logger: - /etc/ntp.conf
Nov 6 04:13:24 localhost logger: - /etc/pam.d/system-auth
Nov 6 04:13:24 localhost logger: - /etc/printcap
Nov 6 04:13:24 localhost logger: - /etc/qtrc
Nov 6 04:13:24 localhost logger: - /etc/rpm/macros
Nov 6 04:13:24 localhost logger: - /etc/samba/smb.conf
Nov 6 04:13:24 localhost logger: - /etc/sane.d/dll.conf
Nov 6 04:13:24 localhost logger: - /etc/shells
Nov 6 04:13:24 localhost logger: - /etc/shorewall/interfaces
Nov 6 04:13:24 localhost logger: - /etc/shorewall/policy
Nov 6 04:13:24 localhost logger: - /etc/shorewall/rules
Nov 6 04:13:24 localhost logger: - /etc/shorewall/start
Nov 6 04:13:24 localhost logger: - /etc/shorewall/stop
Nov 6 04:13:24 localhost logger: - /etc/shorewall/zones
Nov 6 04:13:24 localhost logger: - /etc/ssh/ssh_config
Nov 6 04:13:24 localhost logger: - /etc/ssh/sshd_config
Nov 6 04:13:24 localhost logger: - /etc/sudoers
Nov 6 04:13:24 localhost logger: - /etc/sysconfig/bootsplash
Nov 6 04:13:24 localhost logger: - /etc/sysconfig/firstboot
Nov 6 04:13:24 localhost logger: - /etc/sysconfig/harddrake2/kernel
Nov 6 04:13:24 localhost logger: - /etc/sysconfig/harddrake2/previous_hw
Nov 6 04:13:24 localhost logger: - /etc/sysconfig/msec
Nov 6 04:13:24 localhost logger: - /etc/sysconfig/syslog
Nov 6 04:13:24 localhost logger: - /etc/sysconfig/usb
Nov 6 04:13:24 localhost logger: - /etc/sysctl.conf
Nov 6 04:13:24 localhost logger: - /etc/syslog.conf
Nov 6 04:13:24 localhost logger: - /etc/ups/ups.conf
Nov 6 04:13:24 localhost logger: - /etc/xinetd.d/saned
Nov 6 04:13:24 localhost logger: - /etc/xinetd.d/swat
Nov 6 04:13:24 localhost logger: - /etc/xml/catalog
Nov 6 04:13:24 localhost logger: - /usr/share/sgml/docbook/xmlcatalog
Nov 6 04:13:24 localhost logger: - /var/lib/clamav/daily.cvd
Nov 6 04:13:24 localhost logger: - /var/lib/clamav/main.cvd
Nov 6 04:13:24 localhost logger: Chkrootkit report:
Nov 6 04:13:24 localhost logger: ROOTDIR is `/'
Nov 6 04:13:24 localhost logger: Checking `amd'... not found
Nov 6 04:13:24 localhost logger: Checking `basename'... not infected
Nov 6 04:13:24 localhost logger: Checking `biff'... not found
Nov 6 04:13:24 localhost logger: Checking `chfn'... not infected
Nov 6 04:13:24 localhost logger: Checking `chsh'... not infected
Nov 6 04:13:24 localhost logger: Checking `cron'... not infected
Nov 6 04:13:24 localhost logger: Checking `date'... not infected
Nov 6 04:13:24 localhost logger: Checking `du'... not infected
Nov 6 04:13:24 localhost logger: Checking `dirname'... not infected
Nov 6 04:13:24 localhost logger: Checking `echo'... not infected
Nov 6 04:13:24 localhost logger: Checking `egrep'... not infected
Nov 6 04:13:24 localhost logger: Checking `env'... not infected
Nov 6 04:13:24 localhost logger: Checking `find'... not infected
Nov 6 04:13:24 localhost logger: Checking `fingerd'... not found
Nov 6 04:13:24 localhost logger: Checking `gpm'... not found
Nov 6 04:13:24 localhost logger: Checking `grep'... not infected
Nov 6 04:13:24 localhost logger: Checking `hdparm'... not infected
Nov 6 04:13:24 localhost logger: Checking `su'... not infected
Nov 6 04:13:24 localhost logger: Checking `ifconfig'... not infected
Nov 6 04:13:24 localhost logger: Checking `inetd'... not tested
Nov 6 04:13:24 localhost logger: Checking `inetdconf'... not found
Nov 6 04:13:24 localhost logger: Checking `identd'... not found
Nov 6 04:13:24 localhost logger: Checking `init'... not infected
Nov 6 04:13:24 localhost logger: Checking `killall'... not infected
Nov 6 04:13:24 localhost logger: Checking `ldsopreload'... not infected
Nov 6 04:13:24 localhost logger: Checking `login'... not infected
Nov 6 04:13:24 localhost logger: Checking `ls'... not infected
Nov 6 04:13:24 localhost logger: Checking `lsof'... not infected
Nov 6 04:13:24 localhost logger: Checking `mail'... not infected
Nov 6 04:13:24 localhost logger: Checking `mingetty'... not infected
Nov 6 04:13:24 localhost logger: Checking `netstat'... not infected
Nov 6 04:13:24 localhost logger: Checking `named'... not found
Nov 6 04:13:24 localhost logger: Checking `passwd'... not infected
Nov 6 04:13:24 localhost logger: Checking `pidof'... not infected
Nov 6 04:13:24 localhost logger: Checking `pop2'... not found
Nov 6 04:13:24 localhost logger: Checking `pop3'... not found
Nov 6 04:13:24 localhost logger: Checking `ps'... not infected
Nov 6 04:13:24 localhost logger: Checking `pstree'... not infected
Nov 6 04:13:24 localhost logger: Checking `rpcinfo'... not infected
Nov 6 04:13:24 localhost logger: Checking `rlogind'... not found
Nov 6 04:13:24 localhost logger: Checking `rshd'... not found
Nov 6 04:13:24 localhost logger: Checking `slogin'... not infected
Nov 6 04:13:24 localhost logger: Checking `sendmail'... not infected
Nov 6 04:13:24 localhost logger: Checking `sshd'... not infected
Nov 6 04:13:24 localhost logger: Checking `syslogd'... not infected
Nov 6 04:13:24 localhost logger: Checking `tar'... not infected
Nov 6 04:13:24 localhost logger: Checking `tcpd'... not infected
Nov 6 04:13:24 localhost logger: Checking `tcpdump'... not infected
Nov 6 04:13:24 localhost logger: Checking `top'... not infected
Nov 6 04:13:24 localhost logger: Checking `telnetd'... not found
Nov 6 04:13:24 localhost logger: Checking `timed'... not found
Nov 6 04:13:24 localhost logger: Checking `traceroute'... not infected
Nov 6 04:13:24 localhost logger: Checking `vdir'... not infected
Nov 6 04:13:24 localhost logger: Checking `w'... not infected
Nov 6 04:13:24 localhost logger: Checking `write'... not infected
Nov 6 04:13:24 localhost logger: Checking `aliens'... no suspect files
Nov 6 04:13:24 localhost logger: Searching for sniffer's logs, it may take a while... nothing found
Nov 6 04:13:24 localhost logger: Searching for HiDrootkit's default dir... nothing found
Nov 6 04:13:24 localhost logger: Searching for t0rn's default files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for t0rn's v8 defaults... nothing found
Nov 6 04:13:24 localhost logger: Searching for Lion Worm default files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for RSHA's default files and dir... nothing found
Nov 6 04:13:24 localhost logger: Searching for RH-Sharpe's default files... nothing found
Nov 6 04:13:24 localhost logger: Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for suspicious files and dirs, it may take a while...
Nov 6 04:13:24 localhost logger: /usr/lib/ooo-2.0/program/.testtoolrc
Nov 6 04:13:24 localhost logger: Searching for LPD Worm files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for Ramen Worm files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for Maniac files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for RK17 files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for Ducoci rootkit... nothing found
Nov 6 04:13:24 localhost logger: Searching for Adore Worm... nothing found
Nov 6 04:13:24 localhost logger: Searching for ShitC Worm... nothing found
Nov 6 04:13:24 localhost logger: Searching for Omega Worm... nothing found
Nov 6 04:13:24 localhost logger: Searching for Sadmind/IIS Worm... nothing found
Nov 6 04:13:24 localhost logger: Searching for MonKit... nothing found
Nov 6 04:13:24 localhost logger: Searching for Showtee... nothing found
Nov 6 04:13:24 localhost logger: Searching for OpticKit... nothing found
Nov 6 04:13:24 localhost logger: Searching for T.R.K... nothing found
Nov 6 04:13:24 localhost logger: Searching for Mithra... nothing found
Nov 6 04:13:24 localhost logger: Searching for OBSD rk v1... nothing found
Nov 6 04:13:24 localhost logger: Searching for LOC rootkit... nothing found
Nov 6 04:13:24 localhost logger: Searching for Romanian rootkit... nothing found
Nov 6 04:13:24 localhost logger: Searching for HKRK rootkit... nothing found
Nov 6 04:13:24 localhost logger: Searching for Suckit rootkit... nothing found
Nov 6 04:13:24 localhost logger: Searching for Volc rootkit... nothing found
Nov 6 04:13:24 localhost logger: Searching for Gold2 rootkit... nothing found
Nov 6 04:13:24 localhost logger: Searching for TC2 Worm default files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for Anonoying rootkit default files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for ZK rootkit default files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for ShKit rootkit default files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for AjaKit rootkit default files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for zaRwT rootkit default files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for Madalin rootkit default files... nothing found
Nov 6 04:13:24 localhost logger: Searching for Fu rootkit default files... nothing found
Nov 6 04:13:24 localhost logger: Searching for ESRK rootkit default files... nothing found
Nov 6 04:13:24 localhost logger: Searching for rootedoor... nothing found
Nov 6 04:13:24 localhost logger: Searching for anomalies in shell history files... nothing found
Nov 6 04:13:24 localhost logger: Checking `asp'... not infected
Nov 6 04:13:24 localhost logger: Checking `bindshell'... not infected
Nov 6 04:13:24 localhost logger: Checking `lkm'... Checking `rexedcs'... not found
Nov 6 04:13:24 localhost logger: Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Nov 6 04:13:24 localhost logger: Checking `w55808'... not infected
Nov 6 04:13:24 localhost logger: Checking `wted'... chkwtmp: nothing deleted
Nov 6 04:13:24 localhost logger: Checking `scalper'... not infected
Nov 6 04:13:24 localhost logger: Checking `slapper'... not infected
Nov 6 04:13:24 localhost logger: Checking `z2'... chklastlog: nothing deleted
Nov 6 04:13:24 localhost logger: Checking `chkutmp'... The tty of the following user process(es) were not found
Nov 6 04:13:24 localhost logger: in /var/run/utmp !
Nov 6 04:13:24 localhost logger: ! RUID PID TTY CMD
Nov 6 04:13:24 localhost logger: ! root 3759 tty7 /etc/X11/X -br -deferglyphs 16 :0 vt7 -auth /var/run/xauth/A:0-ZgK1i3
Nov 6 04:13:24 localhost logger: chkutmp: nothing deleted


The odd thing about yesterday's logs was numerous entries like this:

QUOTE
Nov 5 04:14:16 localhost postfix/smtp[17094]: connect to gmail-smtp-in.l.google.com[64.233.167.114]: Connection timed out (port 25)
Nov 5 04:14:19 localhost postfix/smtp[18311]: connect to gmail-smtp-in.l.google.com[64.233.167.114]: Connection timed out (port 25)
Nov 5 04:14:46 localhost postfix/smtp[17094]: connect to gmail-smtp-in.l.google.com[64.233.167.27]: Connection timed out (port 25)
Nov 5 04:14:49 localhost postfix/smtp[18311]: connect to gmail-smtp-in.l.google.com[64.233.167.27]: Connection timed out (port 25)
Nov 5 04:15:16 localhost postfix/smtp[17094]: connect to alt2.gmail-smtp-in.l.google.com[66.249.93.114]: Connection timed out (port 25)
Nov 5 04:15:19 localhost postfix/smtp[18311]: connect to alt1.gmail-smtp-in.l.google.com[66.249.83.114]: Connection timed out (port 25)
Nov 5 04:15:46 localhost postfix/smtp[17094]: connect to alt1.gmail-smtp-in.l.google.com[66.249.83.27]: Connection timed out (port 25)
Nov 5 04:15:49 localhost postfix/smtp[18311]: connect to alt1.gmail-smtp-in.l.google.com[66.249.83.27]: Connection timed out (port 25)
Nov 5 04:16:16 localhost postfix/smtp[17094]: connect to alt2.gmail-smtp-in.l.google.com[66.249.93.27]: Connection timed out (port 25)
Nov 5 04:16:16 localhost postfix/smtp[17094]: 213B969C95: to=<riseringseeker@gmail.com>, relay=none, delay=150,


Any ideas anyone?
ianw1974
Your logs should be rotated by a job in /etc/cron.daily called logrotate. This is maybe why you cannot see prior to a certain date. However, you should see examples of the same logfile with .1, .2, .3 at the end and so on. These are normally archives of tar.gz or something.

Those last entries seem to be postfix - your smtp server trying to send emails to your gmail account but failing to connect.

As for sshd, see if it's running with:

CODE
netstat -tan


and look for port 22.
riseringseeker
QUOTE (ianw1974 @ Nov 6 2006, 12:22 PM) *
Your logs should be rotated by a job in /etc/cron.daily called logrotate. This is maybe why you cannot see prior to a certain date. However, you should see examples of the same logfile with .1, .2, .3 at the end and so on. These are normally archives of tar.gz or something.


OK, found those; not sure how to set it to keep logs viewable in mcc any longer than they are, but at least that is one concern down!

QUOTE
Those last entries seem to be postfix - your smtp server trying to send emails to your gmail account but failing to connect.


Now that I think of it, I do have it set to send e-mail in the event of evil things happening to my system. I guess I need to change e-mail addresses which it sends to, or figure out how to get that one to work.

QUOTE
As for sshd, see if it's running with:

CODE
netstat -tan


and look for port 22.


Yes, it's running; output at the moment is:

QUOTE
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:901 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3493 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:48071 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:34444 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:849 0.0.0.0:* LISTEN
tcp 0 0 192.168.2.2:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:52378 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7741 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp 0 0 192.168.2.2:33644 64.233.163.83:80 ESTABLISHED
tcp 1 0 127.0.0.1:53907 127.0.0.1:631 CLOSE_WAIT
tcp 1 0 127.0.0.1:40544 127.0.0.1:631 CLOSE_WAIT
tcp 1 0 127.0.0.1:40549 127.0.0.1:631 CLOSE_WAIT
tcp 1 0 127.0.0.1:59550 127.0.0.1:631 CLOSE_WAIT
tcp 1 0 127.0.0.1:59545 127.0.0.1:631 CLOSE_WAIT
tcp 0 0 :::6000 :::* LISTEN
tcp 0 0 :::631 :::* LISTEN


My intention is to be able to ssh (from the CLI, or using putty) into my system from wherever, and be able to print from my roaming laptop to the printer at home. Also of course, have the ability to surf the web, print locally and d/l from the desktop (the machine the logs above are from).
ianw1974
Hmm, your port 22 looks different to mine:

CODE
[ian@esprit ~]$ netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 10.1.1.2:48144              72.14.205.83:80             ESTABLISHED


Mine is listening on all addresses; yours is restricted to listening on your IP address only. Although that shouldn't be a problem.

Have you tried using ssh locally and does it work OK? Can you connect without problems?
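To make the "listening on all versus restricted to your IP" point checkable, here is an added example (not code from the thread or from any of its posters) that parses netstat -tan output in the layout pasted above and classifies each listening socket by who can reach it. The sample output, the service-name table and the intended-port set are constructed assumptions.

```python
import re

# Constructed netstat -tan output in the layout of the thread's paste; the
# addresses and ports resemble it but are not the original machine's output.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:901             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 192.168.2.2:22          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 192.168.2.2:33644       203.0.113.10:80         ESTABLISHED
tcp        1      0 127.0.0.1:53907         127.0.0.1:631           CLOSE_WAIT
tcp        0      0 :::6000                 :::*                    LISTEN
"""

# Well-known names for the port numbers that appear in the thread's listings.
SERVICE_NAMES = {22: "ssh", 25: "smtp", 111: "sunrpc", 139: "netbios-ssn",
                 445: "microsoft-ds", 631: "ipp", 901: "swat", 2049: "nfs", 6000: "x11"}


def bind_scope(addr):
    """Classify the local-address column: who can reach this socket."""
    if addr in ("127.0.0.1", "::1"):
        return "loopback"          # only processes on this host
    if addr in ("0.0.0.0", "::"):
        return "all-interfaces"    # every address the host has, LAN and Internet side alike
    return "address:" + addr       # one interface only (what the thread's sshd does)


def parse_listeners(netstat_text):
    """Return one dict per LISTEN row; header and non-listening rows are skipped."""
    listeners = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] not in ("tcp", "tcp6") or cols[-1] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)   # rsplit so ":::6000" -> ("::", "6000")
        port = int(port)
        listeners.append({
            "proto": cols[0], "addr": addr, "port": port,
            "service": SERVICE_NAMES.get(port, str(port)),
            "scope": bind_scope(addr),
        })
    return listeners


def unexpected_exposure(netstat_text, intended_ports):
    """Listening sockets reachable from beyond loopback that are not on the intended list.

    Sorted by port so the result is stable for the same input.
    """
    return sorted(
        (sock for sock in parse_listeners(netstat_text)
         if sock["scope"] != "loopback" and sock["port"] not in intended_ports),
        key=lambda sock: (sock["port"], sock["proto"], sock["addr"]),
    )


if __name__ == "__main__":
    for sock in parse_listeners(SAMPLE_NETSTAT):
        print(f"{sock['proto']:4s} {sock['port']:5d} {sock['service']:13s} {sock['scope']}")
    print("\nReachable from the network but not intended to be (firewall or rebind these):")
    for sock in unexpected_exposure(SAMPLE_NETSTAT, intended_ports={22}):
        print(f"  {sock['service']} ({sock['port']}/{sock['proto']}) bound to {sock['addr']}")
```

Everything it lists under "not intended" is reachable from any network the box is plugged into unless the firewall (shorewall in the msec report) blocks it, so each entry is either a rule to add or a service to rebind to loopback or the LAN address.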
tyme
ian: I don't think he has a problem with SSH working; if I read the OP correctly, it seems he's concerned about intruders.

To help secure your ssh I would follow these steps. I would check your sshd logs in /var/logs; it will show attempts to access your system via ssh and whether they failed or were successful. Just search for successes, since it isn't the easiest to parse through.

This has some helpful tips too. Especially about using keys instead of username/password. You can carry your key on a usb drive so wherever you are you have it.

ian: you should specify an IP address in sshd_config, don't use 0.0.0.0 - see my first link for information on it.
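An added example (not tyme's or the thread's own code) of the "search for successes" triage above: it parses sshd lines in the syslog format the thread shows, counts failures per source, and flags any successful login from outside a trusted network that used a password or followed failures from the same source. The log lines and the trusted network are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of sshd syslog lines (not from the thread); outside
# addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Nov  6 03:02:11 localhost sshd[4410]: Invalid user admin from 203.0.113.45
Nov  6 03:02:13 localhost sshd[4410]: Failed password for invalid user admin from 203.0.113.45 port 41022 ssh2
Nov  6 03:02:16 localhost sshd[4412]: Failed password for invalid user test from 203.0.113.45 port 41030 ssh2
Nov  6 03:02:19 localhost sshd[4414]: Failed password for root from 203.0.113.45 port 41041 ssh2
Nov  6 03:05:40 localhost sshd[4420]: Failed password for root from 198.51.100.9 port 2201 ssh2
Nov  6 04:13:24 localhost logger: Security Warning: World Writable files found :
Nov  6 09:15:02 localhost sshd[4501]: Accepted publickey for karl from 192.168.2.5 port 50122 ssh2
Nov  6 11:40:57 localhost sshd[4533]: Accepted password for karl from 198.51.100.9 port 2290 ssh2
"""

# Matches the two sshd outcomes worth triaging; every other syslog line is skipped.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>[0-9a-fA-F.:]+) port \d+"
)


def parse_sshd_events(log_text):
    """Return a list of dicts, one per Accepted/Failed sshd line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["invalid"] = ev["invalid"] is not None  # "invalid user": the account does not exist
        events.append(ev)
    return events


def triage(log_text, trusted_networks):
    """Summarise failures per source and flag successes that deserve a second look.

    A success is flagged when the source is outside the trusted networks and
    either used a password or had already failed against this host; both are
    what a guessed password looks like in the log.
    """
    trusted = [ip_network(n) for n in trusted_networks]
    failures = Counter()
    invalid_users = defaultdict(set)
    successes = []
    for ev in parse_sshd_events(log_text):
        src = ev["src"]
        if ev["outcome"] == "Failed":
            failures[src] += 1
            if ev["invalid"]:
                invalid_users[src].add(ev["user"])
            continue
        from_trusted = any(ip_address(src) in net for net in trusted)
        suspicious = not from_trusted and (ev["method"] == "password" or failures[src] > 0)
        successes.append({
            "ts": ev["ts"], "user": ev["user"], "method": ev["method"], "src": src,
            "trusted": from_trusted, "prior_failures": failures[src], "suspicious": suspicious,
        })
    return {
        "failures": dict(failures),
        "invalid_users": {k: sorted(v) for k, v in invalid_users.items()},
        "successes": successes,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_AUTH_LOG, ["192.168.2.0/24"])
    for src, n in sorted(report["failures"].items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} failed logins from {src}  invalid users tried: {report['invalid_users'].get(src, [])}")
    for s in report["successes"]:
        flag = "CHECK" if s["suspicious"] else "ok"
        print(f"{flag:5s} {s['ts']} {s['user']} via {s['method']} from {s['src']} "
              f"(trusted={s['trusted']}, prior failures={s['prior_failures']})")
```

A flagged line is not proof of a break-in, but it is the one to compare against your own travel dates and your friend's known locations before trusting the box.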
riseringseeker
QUOTE (ianw1974 @ Nov 6 2006, 12:58 PM) *
Hmm, your port 22 looks different to mine:

CODE
[ian@esprit ~]$ netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 10.1.1.2:48144              72.14.205.83:80             ESTABLISHED


mine is listening on all, yours is listening restricted on your IP address only. Although that shouldn't be a problem.

Have you tried using ssh locally and does it work OK? Can you connect without problems?


It works both locally and over the internet for listed users. Being on the local network I have not been able to log in using the domain name or the "real" IP address, but a friend who also uses Linux, and for whom I have set up an account, has been able to connect from various places.

My concern isn't that it isn't working, but that it is not secure enough to keep the bad guys out.

QUOTE (tyme @ Nov 6 2006, 01:20 PM) *
ian: i don't think he has a problem with SSH working, if I read the OP correctly it seems he's concerned about intruders.


Correct.

QUOTE
To help secure your ssh I would follow these steps. I would check you sshd logs in /var/logs, it will show attempts to access your system via ssh and whether they failed or were successful, just search for successes since isn't the easiest to parse through.


I'll look at the link you provided when I get back from running errands, thanks

QUOTE
This has some helpful tips too. Especially about using keys instead of username/password. You can carry your key on a usb drive so where ever you are you have it.


Have an "authorized_keys2" on the laptop, and am not interested in accessing the home computer from elsewhere, though I do have a usb jump drive in case that ever is needed.
ianw1974
Ah ok, I must have read it as being a problem when I posted yesterday. Sorry
riseringseeker
QUOTE (ianw1974 @ Nov 7 2006, 01:26 AM) *
Ah ok, I must have read it as being a problem when I posted yesterday. Sorry


Not a problem. I have been told by a source I trust that nothing in the file looked overly suspicious to him, and he probed the ports that were open on my system with nmap, and saw nothing out of the ordinary.

CODE
nmap <IP_address>


So I am marking this one solved, though I still need to figure out why my system is unable to send mail to alert me to problems.
ianw1974
Maybe port 25 is blocked by your ISP. This can happen.
tyme
QUOTE (ianw1974 @ Nov 7 2006, 09:13 AM) *
Maybe port 25 is blocked by your ISP. This can happen.
Mail from your system to your system doesn't leave your system. And if you are sending the e-mail to a different address (not localhost), outbound ports usually aren't blocked by ISPs, especially e-mail, since it's such a common tool. Probably opening up a terminal and running the command "mail" as user (or root, depending on your settings) may reveal some information... Mandriva usually drops the email in a local mailbox by default, usually either your user or root.
ianw1974
Ah, but it is cos he's sending it to google

QUOTE
Nov 5 04:14:16 localhost postfix/smtp[17094]: connect to gmail-smtp-in.l.google.com[64.233.167.114]: Connection timed out (port 25)
Nov 5 04:14:19 localhost postfix/smtp[18311]: connect to gmail-smtp-in.l.google.com[64.233.167.114]: Connection timed out (port 25)
Nov 5 04:14:46 localhost postfix/smtp[17094]: connect to gmail-smtp-in.l.google.com[64.233.167.27]: Connection timed out (port 25)
Nov 5 04:14:49 localhost postfix/smtp[18311]: connect to gmail-smtp-in.l.google.com[64.233.167.27]: Connection timed out (port 25)
Nov 5 04:15:16 localhost postfix/smtp[17094]: connect to alt2.gmail-smtp-in.l.google.com[66.249.93.114]: Connection timed out (port 25)
Nov 5 04:15:19 localhost postfix/smtp[18311]: connect to alt1.gmail-smtp-in.l.google.com[66.249.83.114]: Connection timed out (port 25)
Nov 5 04:15:46 localhost postfix/smtp[17094]: connect to alt1.gmail-smtp-in.l.google.com[66.249.83.27]: Connection timed out (port 25)
Nov 5 04:15:49 localhost postfix/smtp[18311]: connect to alt1.gmail-smtp-in.l.google.com[66.249.83.27]: Connection timed out (port 25)
Nov 5 04:16:16 localhost postfix/smtp[17094]: connect to alt2.gmail-smtp-in.l.google.com[66.249.93.27]: Connection timed out (port 25)
Nov 5 04:16:16 localhost postfix/smtp[17094]: 213B969C95: to=<riseringseeker@gmail.com>, relay=none, delay=150,


and some ISPs don't allow you to run your own smtp server

I've found this myself unfortunately.
tyme
Well that's retarded, because port 25 is necessary to send e-mail, even if you aren't running your own smtp server! Anytime you send e-mail (even from a simple e-mail client), it connects to port 25 of an smtp server somewhere in the world. Otherwise you wouldn't be able to send any e-mail.
ianw1974
I know, I've tried running my own smtp server and it wouldn't send out to the internet, and it was configured perfectly fine.

Yet, my clients would work using an smtp server out on the internet. My ISP obviously somehow knows I'm trying to run my own smtp server and blocks it, whereas it doesn't if I connect to one over the internet, be it my ISP's smtp server or my hosting provider's smtp server.

So I don't know exactly how they manage to do it, but they do.

I have a feeling it's something that's blocked on my broadband connection to the ISP, whereas anything outside of this connection is OK.