
Log files <solved>


riseringseeker

I have recently set up an ssh server that I will/am/should be able to access from anywhere in the world (I travel a lot!).

 

I also got a domain name from https://www.dyndns.com/ to be able to follow my dynamic IP. Since I have done so I have seen quite a few attempts to log in from various parts of the world: Pakistan, India, China, Korea. Until yesterday I believed the attempts to be unsuccessful. Looking at the logs yesterday and today, though, makes me wonder if I need to do something else to keep hackers off my computer.

 

Today's logs are much like yesterday's, with the exception noted at the bottom of the list. Another concern is that that is as far back as I can view - logs prior to 11/05 are not there at all! I don't know if that is because the files were dropped normally as part of keeping them a reasonable size, or if it's something more nefarious.

 

Clipped from today's logs (I was not on the system at all during this period of time):

 

Nov 6 04:13:20 localhost logger: Security Warning: There are modifications for port listening on your machine :

Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 localhost.homelinux.org:2208 *:* LISTEN 2031/hpiod

Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:swat *:* LISTEN 3365/xinetd

Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:nut *:* LISTEN 2941/upsd

Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:48071 *:* LISTEN -

Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 localhost.homelinux.or:10026 *:* LISTEN 4120/master

Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:netbios-ssn *:* LISTEN 3652/smbd

Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:34444 *:* LISTEN 3481/rpc.statd

Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:sunrpc *:* LISTEN 3198/portmap

Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:x11 *:* LISTEN 3759/X

Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:849 *:* LISTEN 3641/rpc.mountd

Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 192.168.2.2:ssh *:* LISTEN 3530/sshd

Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:ipp *:* LISTEN 2514/cupsd

Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 localhost.homelinux.org:smtp *:* LISTEN 4120/master

Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 localhost.homelinux.or:52378 *:* LISTEN 2454/python

Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:7741 *:* LISTEN 5559/lisa

Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:microsoft-ds *:* LISTEN 3652/smbd

Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:32769 *:* 3401/avahi-daemon:

Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:32772 *:* 3481/rpc.statd

Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 192.168.2.2:netbios-ns *:* 3716/nmbd

Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:netbios-ns *:* 3716/nmbd

Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 192.168.2.2:netbios-dgm *:* 3716/nmbd

Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:netbios-dgm *:* 3716/nmbd

Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:689 *:* 3481/rpc.statd

Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:7741 *:* 5559/lisa

Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:846 *:* 3641/rpc.mountd

Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:5353 *:* 3401/avahi-daemon:

Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:sunrpc *:* 3198/portmap

Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:ipp *:* 2514/cupsd

Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 192.168.2.2:ntp *:* 3775/ntpd

Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 localhost.homelinux.org:ntp *:* 3775/ntpd

Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:ntp *:* 3775/ntpd

Nov 6 04:13:20 localhost logger: - Opened ports : raw 0 0 *:icmp *:* 7 5559/lisa

Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 localhost.homelinux.org:2208 *:* LISTEN 2046/hpiod

Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:swat *:* LISTEN 3441/xinetd

Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:nut *:* LISTEN 2981/upsd

Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:58089 *:* LISTEN 3542/rpc.statd

Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 localhost.homelinux.or:10026 *:* LISTEN 4099/master

Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:33386 *:* LISTEN -

Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:netbios-ssn *:* LISTEN 3689/smbd

Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 localhost.homelinux.or:43918 *:* LISTEN 2490/python

Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:sunrpc *:* LISTEN 3268/portmap

Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:x11 *:* LISTEN 3743/X

Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 192.168.2.2:ssh *:* LISTEN 3605/sshd

Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:ipp *:* LISTEN 2570/cupsd

Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 localhost.homelinux.org:smtp *:* LISTEN 4099/master

Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:954 *:* LISTEN 3756/rpc.mountd

Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:7741 *:* LISTEN 5580/lisa

Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:microsoft-ds *:* LISTEN 3689/smbd

Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:32768 *:* 3528/avahi-daemon:

Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:32770 *:* 3542/rpc.statd

Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 192.168.2.2:netbios-ns *:* 3841/nmbd

Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:netbios-ns *:* 3841/nmbd

Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 192.168.2.2:netbios-dgm *:* 3841/nmbd

Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:netbios-dgm *:* 3841/nmbd

Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:951 *:* 3756/rpc.mountd

Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:7741 *:* 5580/lisa

Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:5353 *:* 3528/avahi-daemon:

Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:kerberos-iv *:* 3542/rpc.statd

Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:sunrpc *:* 3268/portmap

Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:ipp *:* 2570/cupsd

Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 192.168.2.2:ntp *:* 3779/ntpd

Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 localhost.homelinux.org:ntp *:* 3779/ntpd

Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:ntp *:* 3779/ntpd

Nov 6 04:13:20 localhost logger: - Closed ports : raw 0 0 *:icmp *:* 7 5580/lisa

Nov 6 04:13:24 localhost logger: Security Warning: World Writable files found :

Nov 6 04:13:24 localhost logger: - /home/karl/Funnies/Greatest_Movie_Line_Ever.wmv

Nov 6 04:13:24 localhost logger: - /home/karl/Funnies/Kosovo music video.wmv

Nov 6 04:13:24 localhost logger: - /tmp/.ICE-unix

Nov 6 04:13:24 localhost logger: - /tmp/.X11-unix

Nov 6 04:13:24 localhost logger: - /tmp/.X11-unix/X0

Nov 6 04:13:24 localhost logger: - /tmp/.font-unix

Nov 6 04:13:24 localhost logger: - /tmp/.font-unix/fs-1

Nov 6 04:13:24 localhost logger: - /var/lib/clamav/clamd.socket

Nov 6 04:13:24 localhost logger: - /var/lib/lock/sane

Nov 6 04:13:24 localhost logger: - /var/lib/texmf

Nov 6 04:13:24 localhost logger: - /var/lib/texmf/ls-R

Nov 6 04:13:24 localhost logger: - /var/run/acpid.socket

Nov 6 04:13:24 localhost logger: - /var/run/avahi-daemon/socket

Nov 6 04:13:24 localhost logger: - /var/run/dbus/system_dbus_socket

Nov 6 04:13:24 localhost logger: - /var/run/xdmctl/dmctl-:0/socket

Nov 6 04:13:24 localhost logger: - /var/run/xdmctl/dmctl/socket

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/dev/log

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/anvil

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/bounce

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/cyrus

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/cyrus-chroot

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/cyrus-deliver

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/cyrus-inet

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/defer

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/discard

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/error

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/lmtp

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/lmtp-filter

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/local

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/maildrop

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/proxymap

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/relay

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/rewrite

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/scache

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/smtp

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/smtp-filter

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/tlsmgr

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/trace

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/uucp

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/verify

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/virtual

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/public/cleanup

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/public/flush

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/public/pickup

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/public/qmgr

Nov 6 04:13:24 localhost logger: - /var/spool/postfix/public/showq

Nov 6 04:13:24 localhost logger: - /var/spool/samba

Nov 6 04:13:24 localhost logger: Security Warning: /etc/shadow check :

Nov 6 04:13:24 localhost logger: - /etc/shadow:30: User "guest" has no password !

Nov 6 04:13:24 localhost logger: Security Warning: These files belonging to packages are modified on the system :

Nov 6 04:13:24 localhost logger: - /boot/message-graphic

Nov 6 04:13:24 localhost logger: - /usr/lib/gconv/gconv-modules.cache

Nov 6 04:13:24 localhost logger: - /usr/lib/nvu-1.0/chrome/overlayinfo/editor/content/overlays.rdf

Nov 6 04:13:24 localhost logger: - /usr/share/X11/icewm/menu

Nov 6 04:13:24 localhost logger: - /usr/share/a2ps/afm/fonts.map

Nov 6 04:13:24 localhost logger: - /usr/share/applications/defaults.list

Nov 6 04:13:24 localhost logger: - /usr/share/applications/gaim.desktop

Nov 6 04:13:24 localhost logger: - /usr/share/doc/HTML/index.html

Nov 6 04:13:24 localhost logger: - /usr/share/fonts/100dpi/fonts.dir

Nov 6 04:13:24 localhost logger: - /usr/share/fonts/100dpi/fonts.scale

Nov 6 04:13:24 localhost logger: - /usr/share/fonts/75dpi/fonts.dir

Nov 6 04:13:24 localhost logger: - /usr/share/fonts/75dpi/fonts.scale

Nov 6 04:13:24 localhost logger: - /usr/share/fonts/OTF/fonts.dir

Nov 6 04:13:24 localhost logger: - /usr/share/fonts/OTF/fonts.scale

Nov 6 04:13:24 localhost logger: - /usr/share/fonts/Speedo/fonts.dir

Nov 6 04:13:24 localhost logger: - /usr/share/fonts/Speedo/fonts.scale

Nov 6 04:13:24 localhost logger: - /usr/share/fonts/TTF/fonts.dir

Nov 6 04:13:24 localhost logger: - /usr/share/fonts/TTF/fonts.scale

Nov 6 04:13:24 localhost logger: - /usr/share/fonts/Type1/fonts.dir

Nov 6 04:13:24 localhost logger: - /usr/share/fonts/Type1/fonts.scale

Nov 6 04:13:24 localhost logger: - /usr/share/fonts/cyrillic/fonts.dir

Nov 6 04:13:24 localhost logger: - /usr/share/fonts/cyrillic/fonts.scale

Nov 6 04:13:24 localhost logger: - /usr/share/fonts/misc/fonts.dir

Nov 6 04:13:24 localhost logger: - /usr/share/fonts/misc/fonts.scale

Nov 6 04:13:24 localhost logger: - /usr/share/texmf/ls-R

Nov 6 04:13:24 localhost logger: - /var/lib/mandriva/kde-profiles/common/share/config/kdesktoprc

Nov 6 04:13:24 localhost logger: - /var/lib/mandriva/kde-profiles/common/share/config/konquerorrc

Nov 6 04:13:24 localhost logger: Security Warning: These config files belonging to packages are modified on the system :

Nov 6 04:13:24 localhost logger: - /etc/X11/fs/config

Nov 6 04:13:24 localhost logger: - /etc/X11/imwheel/startup.conf

Nov 6 04:13:24 localhost logger: - /etc/cups/cupsd.conf

Nov 6 04:13:24 localhost logger: - /etc/exports

Nov 6 04:13:24 localhost logger: - /etc/firefox.cfg

Nov 6 04:13:24 localhost logger: - /etc/host.conf

Nov 6 04:13:24 localhost logger: - /etc/info-dir

Nov 6 04:13:24 localhost logger: - /etc/inittab

Nov 6 04:13:24 localhost logger: - /etc/kde/kdm/kdmrc

Nov 6 04:13:24 localhost logger: - /etc/kderc

Nov 6 04:13:24 localhost logger: - /etc/login.defs

Nov 6 04:13:24 localhost logger: - /etc/modprobe.conf

Nov 6 04:13:24 localhost logger: - /etc/modprobe.preload

Nov 6 04:13:24 localhost logger: - /etc/mozpluggerrc

Nov 6 04:13:24 localhost logger: - /etc/mtools.conf

Nov 6 04:13:24 localhost logger: - /etc/ntp.conf

Nov 6 04:13:24 localhost logger: - /etc/pam.d/system-auth

Nov 6 04:13:24 localhost logger: - /etc/printcap

Nov 6 04:13:24 localhost logger: - /etc/qtrc

Nov 6 04:13:24 localhost logger: - /etc/rpm/macros

Nov 6 04:13:24 localhost logger: - /etc/samba/smb.conf

Nov 6 04:13:24 localhost logger: - /etc/sane.d/dll.conf

Nov 6 04:13:24 localhost logger: - /etc/shells

Nov 6 04:13:24 localhost logger: - /etc/shorewall/interfaces

Nov 6 04:13:24 localhost logger: - /etc/shorewall/policy

Nov 6 04:13:24 localhost logger: - /etc/shorewall/rules

Nov 6 04:13:24 localhost logger: - /etc/shorewall/start

Nov 6 04:13:24 localhost logger: - /etc/shorewall/stop

Nov 6 04:13:24 localhost logger: - /etc/shorewall/zones

Nov 6 04:13:24 localhost logger: - /etc/ssh/ssh_config

Nov 6 04:13:24 localhost logger: - /etc/ssh/sshd_config

Nov 6 04:13:24 localhost logger: - /etc/sudoers

Nov 6 04:13:24 localhost logger: - /etc/sysconfig/bootsplash

Nov 6 04:13:24 localhost logger: - /etc/sysconfig/firstboot

Nov 6 04:13:24 localhost logger: - /etc/sysconfig/harddrake2/kernel

Nov 6 04:13:24 localhost logger: - /etc/sysconfig/harddrake2/previous_hw

Nov 6 04:13:24 localhost logger: - /etc/sysconfig/msec

Nov 6 04:13:24 localhost logger: - /etc/sysconfig/syslog

Nov 6 04:13:24 localhost logger: - /etc/sysconfig/usb

Nov 6 04:13:24 localhost logger: - /etc/sysctl.conf

Nov 6 04:13:24 localhost logger: - /etc/syslog.conf

Nov 6 04:13:24 localhost logger: - /etc/ups/ups.conf

Nov 6 04:13:24 localhost logger: - /etc/xinetd.d/saned

Nov 6 04:13:24 localhost logger: - /etc/xinetd.d/swat

Nov 6 04:13:24 localhost logger: - /etc/xml/catalog

Nov 6 04:13:24 localhost logger: - /usr/share/sgml/docbook/xmlcatalog

Nov 6 04:13:24 localhost logger: - /var/lib/clamav/daily.cvd

Nov 6 04:13:24 localhost logger: - /var/lib/clamav/main.cvd

Nov 6 04:13:24 localhost logger: Chkrootkit report:

Nov 6 04:13:24 localhost logger: ROOTDIR is `/'

Nov 6 04:13:24 localhost logger: Checking `amd'... not found

Nov 6 04:13:24 localhost logger: Checking `basename'... not infected

Nov 6 04:13:24 localhost logger: Checking `biff'... not found

Nov 6 04:13:24 localhost logger: Checking `chfn'... not infected

Nov 6 04:13:24 localhost logger: Checking `chsh'... not infected

Nov 6 04:13:24 localhost logger: Checking `cron'... not infected

Nov 6 04:13:24 localhost logger: Checking `date'... not infected

Nov 6 04:13:24 localhost logger: Checking `du'... not infected

Nov 6 04:13:24 localhost logger: Checking `dirname'... not infected

Nov 6 04:13:24 localhost logger: Checking `echo'... not infected

Nov 6 04:13:24 localhost logger: Checking `egrep'... not infected

Nov 6 04:13:24 localhost logger: Checking `env'... not infected

Nov 6 04:13:24 localhost logger: Checking `find'... not infected

Nov 6 04:13:24 localhost logger: Checking `fingerd'... not found

Nov 6 04:13:24 localhost logger: Checking `gpm'... not found

Nov 6 04:13:24 localhost logger: Checking `grep'... not infected

Nov 6 04:13:24 localhost logger: Checking `hdparm'... not infected

Nov 6 04:13:24 localhost logger: Checking `su'... not infected

Nov 6 04:13:24 localhost logger: Checking `ifconfig'... not infected

Nov 6 04:13:24 localhost logger: Checking `inetd'... not tested

Nov 6 04:13:24 localhost logger: Checking `inetdconf'... not found

Nov 6 04:13:24 localhost logger: Checking `identd'... not found

Nov 6 04:13:24 localhost logger: Checking `init'... not infected

Nov 6 04:13:24 localhost logger: Checking `killall'... not infected

Nov 6 04:13:24 localhost logger: Checking `ldsopreload'... not infected

Nov 6 04:13:24 localhost logger: Checking `login'... not infected

Nov 6 04:13:24 localhost logger: Checking `ls'... not infected

Nov 6 04:13:24 localhost logger: Checking `lsof'... not infected

Nov 6 04:13:24 localhost logger: Checking `mail'... not infected

Nov 6 04:13:24 localhost logger: Checking `mingetty'... not infected

Nov 6 04:13:24 localhost logger: Checking `netstat'... not infected

Nov 6 04:13:24 localhost logger: Checking `named'... not found

Nov 6 04:13:24 localhost logger: Checking `passwd'... not infected

Nov 6 04:13:24 localhost logger: Checking `pidof'... not infected

Nov 6 04:13:24 localhost logger: Checking `pop2'... not found

Nov 6 04:13:24 localhost logger: Checking `pop3'... not found

Nov 6 04:13:24 localhost logger: Checking `ps'... not infected

Nov 6 04:13:24 localhost logger: Checking `pstree'... not infected

Nov 6 04:13:24 localhost logger: Checking `rpcinfo'... not infected

Nov 6 04:13:24 localhost logger: Checking `rlogind'... not found

Nov 6 04:13:24 localhost logger: Checking `rshd'... not found

Nov 6 04:13:24 localhost logger: Checking `slogin'... not infected

Nov 6 04:13:24 localhost logger: Checking `sendmail'... not infected

Nov 6 04:13:24 localhost logger: Checking `sshd'... not infected

Nov 6 04:13:24 localhost logger: Checking `syslogd'... not infected

Nov 6 04:13:24 localhost logger: Checking `tar'... not infected

Nov 6 04:13:24 localhost logger: Checking `tcpd'... not infected

Nov 6 04:13:24 localhost logger: Checking `tcpdump'... not infected

Nov 6 04:13:24 localhost logger: Checking `top'... not infected

Nov 6 04:13:24 localhost logger: Checking `telnetd'... not found

Nov 6 04:13:24 localhost logger: Checking `timed'... not found

Nov 6 04:13:24 localhost logger: Checking `traceroute'... not infected

Nov 6 04:13:24 localhost logger: Checking `vdir'... not infected

Nov 6 04:13:24 localhost logger: Checking `w'... not infected

Nov 6 04:13:24 localhost logger: Checking `write'... not infected

Nov 6 04:13:24 localhost logger: Checking `aliens'... no suspect files

Nov 6 04:13:24 localhost logger: Searching for sniffer's logs, it may take a while... nothing found

Nov 6 04:13:24 localhost logger: Searching for HiDrootkit's default dir... nothing found

Nov 6 04:13:24 localhost logger: Searching for t0rn's default files and dirs... nothing found

Nov 6 04:13:24 localhost logger: Searching for t0rn's v8 defaults... nothing found

Nov 6 04:13:24 localhost logger: Searching for Lion Worm default files and dirs... nothing found

Nov 6 04:13:24 localhost logger: Searching for RSHA's default files and dir... nothing found

Nov 6 04:13:24 localhost logger: Searching for RH-Sharpe's default files... nothing found

Nov 6 04:13:24 localhost logger: Searching for Ambient's rootkit (ark) default files and dirs... nothing found

Nov 6 04:13:24 localhost logger: Searching for suspicious files and dirs, it may take a while...

Nov 6 04:13:24 localhost logger: /usr/lib/ooo-2.0/program/.testtoolrc

Nov 6 04:13:24 localhost logger: Searching for LPD Worm files and dirs... nothing found

Nov 6 04:13:24 localhost logger: Searching for Ramen Worm files and dirs... nothing found

Nov 6 04:13:24 localhost logger: Searching for Maniac files and dirs... nothing found

Nov 6 04:13:24 localhost logger: Searching for RK17 files and dirs... nothing found

Nov 6 04:13:24 localhost logger: Searching for Ducoci rootkit... nothing found

Nov 6 04:13:24 localhost logger: Searching for Adore Worm... nothing found

Nov 6 04:13:24 localhost logger: Searching for ShitC Worm... nothing found

Nov 6 04:13:24 localhost logger: Searching for Omega Worm... nothing found

Nov 6 04:13:24 localhost logger: Searching for Sadmind/IIS Worm... nothing found

Nov 6 04:13:24 localhost logger: Searching for MonKit... nothing found

Nov 6 04:13:24 localhost logger: Searching for Showtee... nothing found

Nov 6 04:13:24 localhost logger: Searching for OpticKit... nothing found

Nov 6 04:13:24 localhost logger: Searching for T.R.K... nothing found

Nov 6 04:13:24 localhost logger: Searching for Mithra... nothing found

Nov 6 04:13:24 localhost logger: Searching for OBSD rk v1... nothing found

Nov 6 04:13:24 localhost logger: Searching for LOC rootkit... nothing found

Nov 6 04:13:24 localhost logger: Searching for Romanian rootkit... nothing found

Nov 6 04:13:24 localhost logger: Searching for HKRK rootkit... nothing found

Nov 6 04:13:24 localhost logger: Searching for Suckit rootkit... nothing found

Nov 6 04:13:24 localhost logger: Searching for Volc rootkit... nothing found

Nov 6 04:13:24 localhost logger: Searching for Gold2 rootkit... nothing found

Nov 6 04:13:24 localhost logger: Searching for TC2 Worm default files and dirs... nothing found

Nov 6 04:13:24 localhost logger: Searching for Anonoying rootkit default files and dirs... nothing found

Nov 6 04:13:24 localhost logger: Searching for ZK rootkit default files and dirs... nothing found

Nov 6 04:13:24 localhost logger: Searching for ShKit rootkit default files and dirs... nothing found

Nov 6 04:13:24 localhost logger: Searching for AjaKit rootkit default files and dirs... nothing found

Nov 6 04:13:24 localhost logger: Searching for zaRwT rootkit default files and dirs... nothing found

Nov 6 04:13:24 localhost logger: Searching for Madalin rootkit default files... nothing found

Nov 6 04:13:24 localhost logger: Searching for Fu rootkit default files... nothing found

Nov 6 04:13:24 localhost logger: Searching for ESRK rootkit default files... nothing found

Nov 6 04:13:24 localhost logger: Searching for rootedoor... nothing found

Nov 6 04:13:24 localhost logger: Searching for anomalies in shell history files... nothing found

Nov 6 04:13:24 localhost logger: Checking `asp'... not infected

Nov 6 04:13:24 localhost logger: Checking `bindshell'... not infected

Nov 6 04:13:24 localhost logger: Checking `lkm'... Checking `rexedcs'... not found

Nov 6 04:13:24 localhost logger: Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets

Nov 6 04:13:24 localhost logger: Checking `w55808'... not infected

Nov 6 04:13:24 localhost logger: Checking `wted'... chkwtmp: nothing deleted

Nov 6 04:13:24 localhost logger: Checking `scalper'... not infected

Nov 6 04:13:24 localhost logger: Checking `slapper'... not infected

Nov 6 04:13:24 localhost logger: Checking `z2'... chklastlog: nothing deleted

Nov 6 04:13:24 localhost logger: Checking `chkutmp'... The tty of the following user process(es) were not found

Nov 6 04:13:24 localhost logger: in /var/run/utmp !

Nov 6 04:13:24 localhost logger: ! RUID PID TTY CMD

Nov 6 04:13:24 localhost logger: ! root 3759 tty7 /etc/X11/X -br -deferglyphs 16 :0 vt7 -auth /var/run/xauth/A:0-ZgK1i3

Nov 6 04:13:24 localhost logger: chkutmp: nothing deleted

 

The odd thing about yesterday's logs was numerous entries like this:

 

Nov 5 04:14:16 localhost postfix/smtp[17094]: connect to gmail-smtp-in.l.google.com[64.233.167.114]: Connection timed out (port 25)

Nov 5 04:14:19 localhost postfix/smtp[18311]: connect to gmail-smtp-in.l.google.com[64.233.167.114]: Connection timed out (port 25)

Nov 5 04:14:46 localhost postfix/smtp[17094]: connect to gmail-smtp-in.l.google.com[64.233.167.27]: Connection timed out (port 25)

Nov 5 04:14:49 localhost postfix/smtp[18311]: connect to gmail-smtp-in.l.google.com[64.233.167.27]: Connection timed out (port 25)

Nov 5 04:15:16 localhost postfix/smtp[17094]: connect to alt2.gmail-smtp-in.l.google.com[66.249.93.114]: Connection timed out (port 25)

Nov 5 04:15:19 localhost postfix/smtp[18311]: connect to alt1.gmail-smtp-in.l.google.com[66.249.83.114]: Connection timed out (port 25)

Nov 5 04:15:46 localhost postfix/smtp[17094]: connect to alt1.gmail-smtp-in.l.google.com[66.249.83.27]: Connection timed out (port 25)

Nov 5 04:15:49 localhost postfix/smtp[18311]: connect to alt1.gmail-smtp-in.l.google.com[66.249.83.27]: Connection timed out (port 25)

Nov 5 04:16:16 localhost postfix/smtp[17094]: connect to alt2.gmail-smtp-in.l.google.com[66.249.93.27]: Connection timed out (port 25)

Nov 5 04:16:16 localhost postfix/smtp[17094]: 213B969C95: to=<riseringseeker@gmail.com>, relay=none, delay=150,

 

Any ideas anyone?

Edited by riseringseeker
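The "modifications for port listening" block above is the part of the report most likely to alarm someone, so it is worth seeing what it actually says. msec compares the raw netstat lines from the previous run with the current ones: any line that differs is reported as "Opened" if it is only in the new snapshot and "Closed" if it is only in the old one. Because the lines include the PID, a reboot or a service restart makes every listener appear in both lists with nothing changed but the PID (compare 3530/sshd against 3605/sshd, or 3365/xinetd against 3441/xinetd), and services that pick a random port (rpc.statd, rpc.mountd, the unowned "-" sockets) appear with a different port. A genuinely new service would appear under "Opened" with no counterpart under "Closed". The following script, an added example that is not part of the original post, strips the PID and groups the lines by protocol and program so that those cases separate cleanly. The sample input is constructed from lines in the report above plus one invented "example-new-svc" line, added so that the "new" category is not empty; the msec line format is assumed to be exactly the one shown in the thread.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the msec "modifications for port listening"
# report in this thread: the same services appear under both "Opened" and
# "Closed", differing only in PID (and, for RPC/avahi, in a random port).
# The "example-new-svc" line is a constructed extra so the output shows a
# genuinely new listener; it is not from the original report.
SAMPLE = """\
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:swat *:* LISTEN 3365/xinetd
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:34444 *:* LISTEN 3481/rpc.statd
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 192.168.2.2:ssh *:* LISTEN 3530/sshd
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:48071 *:* LISTEN -
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:5353 *:* 3401/avahi-daemon:
Nov 6 04:13:20 localhost logger: - Opened ports : raw 0 0 *:icmp *:* 7 5559/lisa
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:8888 *:* LISTEN 7777/example-new-svc
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:swat *:* LISTEN 3441/xinetd
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:58089 *:* LISTEN 3542/rpc.statd
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 192.168.2.2:ssh *:* LISTEN 3605/sshd
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:33386 *:* LISTEN -
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:5353 *:* 3528/avahi-daemon:
Nov 6 04:13:20 localhost logger: - Closed ports : raw 0 0 *:icmp *:* 7 5580/lisa
"""

# One report line: state, protocol, local socket, owning program ("PID/name" or "-").
# The optional digit field absorbs the extra column netstat prints for raw sockets.
LINE_RE = re.compile(
    r"- (?P<state>Opened|Closed) ports : (?P<proto>tcp|udp|raw) \d+ \d+ "
    r"(?P<local>\S+) \S+(?: LISTEN)?(?: \d+)? (?P<prog>\S+)$"
)


def parse_port_report(text):
    """Group the report into {(proto, program): {local sockets}} per state.

    The PID is deliberately dropped: msec compares raw netstat lines, so a
    service that merely restarted shows up as both "Opened" and "Closed".
    """
    opened, closed = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        prog = m["prog"].split("/", 1)[-1].rstrip(":")
        if prog == "-":
            prog = "(unknown owner)"  # netstat could not map the socket to a process
        bucket = opened if m["state"] == "Opened" else closed
        bucket[(m["proto"], prog)].add(m["local"])
    return opened, closed


def classify_changes(opened, closed):
    """Sort each service by what actually changed between the two snapshots."""
    result = {"new": [], "gone": [], "pid_only": [], "rebound": []}
    for key in sorted(set(opened) | set(closed)):
        if key not in closed:
            result["new"].append(key)        # listener with no counterpart before
        elif key not in opened:
            result["gone"].append(key)       # listener that disappeared
        elif opened[key] == closed[key]:
            result["pid_only"].append(key)   # same socket, new PID: a restart
        else:
            result["rebound"].append(key)    # same program, different port/address
    return result


if __name__ == "__main__":
    changes = classify_changes(*parse_port_report(SAMPLE))
    for category, keys in changes.items():
        print(f"{category:9s}", ", ".join(f"{proto}/{prog}" for proto, prog in keys))
```

Run against the full report in this thread, everything lands in "pid_only" or "rebound", which is what a reboot around 04:13 looks like; the lists to read carefully on any given morning are "new" and "gone".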

Your logs should be rotated by a job in /etc/cron.daily called logrotate. This is maybe why you cannot see prior to a certain date. However, you should see examples of the same logfile with .1, .2, .3 at the end and so on. These are normally archives of tar.gz or something.

 

Those last entries seem to be postfix - your smtp server trying to send emails to your gmail account but failing to connect.

 

As for sshd, see if it's running with:

 

netstat -tan

 

and look for port 22.


Your logs should be rotated by a job in /etc/cron.daily called logrotate. This is maybe why you cannot see prior to a certain date. However, you should see examples of the same logfile with .1, .2, .3 at the end and so on. These are normally archives of tar.gz or something.

 

OK, found those. I'm not sure how to set it to keep logs viewable in mcc any longer than they are, but at least that is one concern down!

 

Those last entries seem to be postfix - your smtp server trying to send emails to your gmail account but failing to connect.

 

Now that I think of it, I do have it set to send e-mail in the event of evil things happening to my system. I guess I need to change e-mail addresses which it sends to, or figure out how to get that one to work.

 

As for sshd, see if it's running with:

 

netstat -tan

 

and look for port 22.

 

Yes, it's running; output at the moment is:

 

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:901 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:3493 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:48071 0.0.0.0:* LISTEN

tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:34444 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:849 0.0.0.0:* LISTEN

tcp 0 0 192.168.2.2:22 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN

tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN

tcp 0 0 127.0.0.1:52378 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:7741 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN

tcp 0 0 192.168.2.2:33644 64.233.163.83:80 ESTABLISHED

tcp 1 0 127.0.0.1:53907 127.0.0.1:631 CLOSE_WAIT

tcp 1 0 127.0.0.1:40544 127.0.0.1:631 CLOSE_WAIT

tcp 1 0 127.0.0.1:40549 127.0.0.1:631 CLOSE_WAIT

tcp 1 0 127.0.0.1:59550 127.0.0.1:631 CLOSE_WAIT

tcp 1 0 127.0.0.1:59545 127.0.0.1:631 CLOSE_WAIT

tcp 0 0 :::6000 :::* LISTEN

tcp 0 0 :::631 :::* LISTEN

 

My intention is to be able to ssh (from the CLI, or using putty) into my system from wherever, and be able to print from my roaming laptop to the printer at home. Also of course, have the ability to surf the web, print locally and d/l from the desktop. (The machine the logs above are from.)


Hmm, your port 22 looks different to mine:

 

[ian@esprit ~]$ netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address			   Foreign Address			 State
tcp		0	  0 0.0.0.0:22				  0.0.0.0:*				   LISTEN
tcp		0	  0 127.0.0.1:631			   0.0.0.0:*				   LISTEN
tcp		0	  0 10.1.1.2:48144			  72.14.205.83:80			 ESTABLISHED

 

Mine is listening on all; yours is restricted to your IP address only, although that shouldn't be a problem.

 

Have you tried using ssh locally and does it work OK? Can you connect without problems?

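The difference ian points out is the bind address in the "Local Address" column: 0.0.0.0:22 (or :::22 for IPv6) accepts connections on every interface, 127.0.0.1:25 is reachable only from the machine itself, and 192.168.2.2:22 answers only on that one LAN address. The following script, an added example rather than anything from this thread's posters, parses netstat -tan output and labels each listening socket with that scope, so that the wildcard listeners (the ones a firewall rule must cover) stand out. The sample input is constructed from rows of the same shape as the two outputs posted above; note that the scope describes where the socket is bound, not whether a router or shorewall actually lets traffic reach it.

```python
# Constructed netstat -tan excerpt, combining the shapes seen in this thread:
# an sshd bound to one LAN address, postfix on loopback, and Samba/CUPS on
# the wildcard address. Column spacing follows netstat's own layout.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.2.2:22          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 :::631                  :::*                    LISTEN
tcp        0      0 192.168.2.2:33644       64.233.163.83:80        ESTABLISHED
"""

WILDCARDS = {"0.0.0.0", "::"}
LOOPBACKS = {"127.0.0.1", "::1"}


def bind_scope(host):
    """Describe what a listening socket's bind address means for exposure."""
    if host in WILDCARDS:
        return "all interfaces"
    if host in LOOPBACKS:
        return "loopback only"
    return f"one address ({host})"


def listening_sockets(text):
    """Return [(proto, port, host, scope)] for every LISTEN row in netstat -tan output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue  # header lines and established/closing connections
        host, port = fields[3].rsplit(":", 1)  # rsplit copes with ':::631'
        rows.append((fields[0], int(port), host, bind_scope(host)))
    return rows


def wildcard_ports(text):
    """Ports bound on every interface, i.e. the ones a firewall rule must cover."""
    return sorted({port for _, port, _, scope in listening_sockets(text)
                   if scope == "all interfaces"})


if __name__ == "__main__":
    for proto, port, host, scope in listening_sockets(SAMPLE_NETSTAT):
        print(f"{proto} {port:5d} {host:12s} -> {scope}")
    print("bound on all interfaces:", wildcard_ports(SAMPLE_NETSTAT))
```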

ian: I don't think he has a problem with SSH working; if I read the OP correctly it seems he's concerned about intruders.

 

To help secure your ssh I would follow these steps. I would check your sshd logs in /var/logs; it will show attempts to access your system via ssh and whether they failed or were successful. Just search for successes, since it isn't the easiest to parse through.

 

This has some helpful tips too. Especially about using keys instead of username/password. You can carry your key on a usb drive so wherever you are you have it.

 

ian: you should specify an IP address in sshd_config, don't use 0.0.0.0 - see my first link for information on it.

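The advice above amounts to two things: find the successful logins in the sshd log rather than wading through the failures, and prefer keys to passwords. The script below, an added example and not something posted in this thread, does the first part and uses the second as a review rule. It reads OpenSSH's syslog lines ("Failed password for ..." and "Accepted <method> for ..."), counts failures per source address, lists every success, and flags the successes a defender should look at: password logins from outside the LAN, and any success from an address that had already failed earlier in the log. The sample log lines are constructed (source addresses are RFC 5737 documentation ranges), the LAN is assumed to be 192.168.2.0/24 from the 192.168.2.2 address in the netstat output above, and the user name karl is taken from the paths in the msec report.

```python
import re
import ipaddress
from collections import Counter

# Assumed LAN, taken from the 192.168.2.2 address in this thread's netstat output.
LAN = ipaddress.ip_network("192.168.2.0/24")

# Constructed sample in OpenSSH's syslog format. The 203.0.113.x and
# 198.51.100.x addresses are documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Nov  6 02:11:03 localhost sshd[4112]: Failed password for invalid user admin from 203.0.113.7 port 51230 ssh2
Nov  6 02:11:07 localhost sshd[4112]: Failed password for invalid user admin from 203.0.113.7 port 51231 ssh2
Nov  6 02:11:12 localhost sshd[4115]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov  6 03:40:55 localhost sshd[4302]: Accepted publickey for karl from 198.51.100.23 port 40022 ssh2
Nov  6 09:15:02 localhost sshd[4510]: Accepted password for karl from 192.168.2.10 port 38876 ssh2
Nov  6 11:02:19 localhost sshd[4720]: Accepted password for karl from 203.0.113.7 port 51300 ssh2
"""

ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


def summarize_sshd(text):
    """Count failures per source address and record every successful login.

    Each success also records how many failures the same address had produced
    before it, which is the pattern a brute-force guess that worked would leave.
    """
    failures = Counter()
    successes = []
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            successes.append({"user": m["user"], "ip": m["ip"], "method": m["method"],
                              "prior_failures": failures[m["ip"]]})
            continue
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
    return {"failures": dict(failures), "successes": successes}


def review_items(summary):
    """Successes worth a second look, as (user, ip, reason) tuples."""
    flagged = []
    for s in summary["successes"]:
        on_lan = ipaddress.ip_address(s["ip"]) in LAN
        if s["method"] == "password" and not on_lan:
            flagged.append((s["user"], s["ip"], "password login from outside the LAN"))
        if s["prior_failures"] > 0:
            flagged.append((s["user"], s["ip"], f"success after {s['prior_failures']} failures"))
    return flagged


if __name__ == "__main__":
    summary = summarize_sshd(SAMPLE_AUTH_LOG)
    print("failures by source:", summary["failures"])
    for s in summary["successes"]:
        print(f"accepted {s['method']:9s} {s['user']}@{s['ip']}")
    for user, ip, reason in review_items(summary):
        print(f"REVIEW {user}@{ip}: {reason}")
```

Once password logins are disabled in sshd_config (PasswordAuthentication no), the first rule can never fire and every "Failed password" line becomes noise by construction, which is the practical argument for keys that the post above makes.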

Hmm, your port 22 looks different to mine:

 

[ian@esprit ~]$ netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address			   Foreign Address			 State
tcp		0	  0 0.0.0.0:22				  0.0.0.0:*				   LISTEN
tcp		0	  0 127.0.0.1:631			   0.0.0.0:*				   LISTEN
tcp		0	  0 10.1.1.2:48144			  72.14.205.83:80			 ESTABLISHED

 

Mine is listening on all; yours is restricted to your IP address only, although that shouldn't be a problem.

 

Have you tried using ssh locally and does it work OK? Can you connect without problems?

 

It works both locally and over the internet for listed users. Being on the local network I have not been able to log in using the domain name or the "real" IP address, but a friend who also uses Linux, and for whom I have set up an account, has been able to connect from various places.

 

My concern isn't that it isn't working, but that it is not secure enough to keep the bad guys out.

 

ian: I don't think he has a problem with SSH working; if I read the OP correctly it seems he's concerned about intruders.

 

Correct.

 

To help secure your ssh I would follow these steps. I would check your sshd logs in /var/logs; it will show attempts to access your system via ssh and whether they failed or were successful. Just search for successes, since it isn't the easiest to parse through.

 

I'll look at the link you provided when I get back from running errands, thanks.

 

This has some helpful tips too. Especially about using keys instead of username/password. You can carry your key on a usb drive so wherever you are you have it.

 

Have an "authorized_keys2" on the laptop, and am not interested in accessing the home computer from elsewhere, though I do have a usb jump drive in case that ever is needed.


Ah ok, I must have read it as being a problem when I posted yesterday. Sorry :D

 

Not a problem. I have been told by a source I trust that nothing in the file looked overly suspicious to him, and he probed the ports that were open on my system with nmap, and saw nothing out of the ordinary.

 

nmap <IP_address>

 

So I am marking this one solved, though I still need to figure out why my system is unable to send mail to alert me to problems.


Maybe port 25 is blocked by your ISP. This can happen.

Mail from your system to your system doesn't leave your system ;) - and if you are sending the e-mail to a different address (not localhost), outbound ports usually aren't blocked by ISPs - especially e-mail, since it's such a common tool. Probably opening up a terminal and running the command "mail" as user (or root, depending on your settings) may reveal some information... Mandriva usually drops the email in a local mailbox by default, usually either your user or root.

Ah, but it is, cos he's sending it to Google ;)

 

Nov 5 04:14:16 localhost postfix/smtp[17094]: connect to gmail-smtp-in.l.google.com[64.233.167.114]: Connection timed out (port 25)

Nov 5 04:14:19 localhost postfix/smtp[18311]: connect to gmail-smtp-in.l.google.com[64.233.167.114]: Connection timed out (port 25)

Nov 5 04:14:46 localhost postfix/smtp[17094]: connect to gmail-smtp-in.l.google.com[64.233.167.27]: Connection timed out (port 25)

Nov 5 04:14:49 localhost postfix/smtp[18311]: connect to gmail-smtp-in.l.google.com[64.233.167.27]: Connection timed out (port 25)

Nov 5 04:15:16 localhost postfix/smtp[17094]: connect to alt2.gmail-smtp-in.l.google.com[66.249.93.114]: Connection timed out (port 25)

Nov 5 04:15:19 localhost postfix/smtp[18311]: connect to alt1.gmail-smtp-in.l.google.com[66.249.83.114]: Connection timed out (port 25)

Nov 5 04:15:46 localhost postfix/smtp[17094]: connect to alt1.gmail-smtp-in.l.google.com[66.249.83.27]: Connection timed out (port 25)

Nov 5 04:15:49 localhost postfix/smtp[18311]: connect to alt1.gmail-smtp-in.l.google.com[66.249.83.27]: Connection timed out (port 25)

Nov 5 04:16:16 localhost postfix/smtp[17094]: connect to alt2.gmail-smtp-in.l.google.com[66.249.93.27]: Connection timed out (port 25)

Nov 5 04:16:16 localhost postfix/smtp[17094]: 213B969C95: to=<riseringseeker@gmail.com>, relay=none, delay=150,

 

and some ISPs don't allow you to run your own smtp server ;)

 

I've found this myself unfortunately.


Well that's retarded, because port 25 is necessary to send e-mail, even if you aren't running your own smtp server! Anytime you send e-mail (even from a simple e-mail client), it connects to port 25 of an smtp server somewhere in the world. Otherwise you wouldn't be able to send any e-mail.


I know, I've tried running my own smtp server and it wouldn't send out to the internet, and it was configured perfectly fine.

 

Yet my clients would work using an smtp server out on the internet. My ISP obviously somehow knows I'm trying to run my own smtp server and blocks it, whereas connecting to one over the internet - be it my ISP's smtp server or my hosting provider's smtp server - works.

 

So I don't know exactly how they manage to do it, but they do :wall:

 

I have a feeling it's something that's blocked on my broadband connection to the ISP, whereas anything outside of this connection is OK.
