Re: [Full-disclosure] sshd logins without a source



Hello,
http://packetstormsecurity.org/UNIX/penetration/log-wipers/indexdate.html


On 23/09/2011 05:45, BH wrote:
Hi,

I am taking a look at a few different servers that have been rooted at
around the same time. At the time of the compromise I can see in each
server's sshd logs an entry like the following:

Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 22 12:57:32 test-vm sshd[25002]: pam_unix(sshd:session): session closed for user root

Each of the servers has the same sort of entry in the log that matches
the time that extra processes were being executed. Having a look at
all other available logs (that were logged remotely) I can't see
anything else that relates to the same event. To me it seems odd that
there is no IP address corresponding with the login; I can't seem to
reproduce that on my test servers. I also can't see the authentication
method used as that isn't logged. Has anyone seen this before and knows
how this is done?

Thanks

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



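The entries BH quotes are the pam_unix session lines; on an unmodified OpenSSH the same sshd PID also logs an "Accepted <method> for <user> from <ip> port <port>" line just before the session is opened, and that is the line that carries the source address and authentication method. The script below is an added example, not part of this thread or of any OpenSSH tooling: it walks a syslog-style sshd log, pairs each "session opened" line with the "Accepted" line from the same PID, and reports sessions that have no such line. The sample log lines are constructed for the example and are modelled on the entries in the post; the function and variable names are my own.

```python
import re

# Constructed sample sshd log lines (not from the original post): one normal
# session with its "Accepted" line, and one session modelled on the entries
# quoted in the thread, whose authentication line is absent.
SAMPLE_LOG = """\
Sep 22 12:50:01 test-vm sshd[24990]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2
Sep 22 12:50:01 test-vm sshd[24990]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Sep 22 12:55:40 test-vm sshd[24990]: pam_unix(sshd:session): session closed for user admin
Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 22 12:57:32 test-vm sshd[25002]: pam_unix(sshd:session): session closed for user root
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
OPENED_RE = re.compile(r"^pam_unix\(sshd:session\): session opened for user (?P<user>\S+)")


def parse_sshd_log(text):
    """Yield (timestamp, pid, message) for each sshd line; other lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group("ts"), m.group("pid"), m.group("msg")


def find_sessions_without_auth(text):
    """Return PAM 'session opened' events with no preceding 'Accepted ... from <ip>'
    line from the same sshd PID (or whose Accepted line names a different user).

    Each hit is a dict with ts, pid and user. A hit means the source address and
    auth method for that session are simply not in the log: the Accepted line was
    removed, or the session never went through sshd's normal authentication path.
    """
    accepted = {}   # pid -> groupdict of the Accepted line
    orphans = []
    for ts, pid, msg in parse_sshd_log(text):
        a = ACCEPTED_RE.match(msg)
        if a:
            accepted[pid] = a.groupdict()
            continue
        o = OPENED_RE.match(msg)
        if o:
            auth = accepted.get(pid)
            if auth is None or auth["user"] != o.group("user"):
                orphans.append({"ts": ts, "pid": pid, "user": o.group("user")})
        elif "session closed" in msg:
            # PIDs get reused; forget the auth record once the session ends
            accepted.pop(pid, None)
    return orphans


if __name__ == "__main__":
    import sys
    # Pass a real auth.log / secure file as the first argument, else use the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in find_sessions_without_auth(text):
        print(f"{hit['ts']} sshd[{hit['pid']}]: session for {hit['user']} has no Accepted line")
```

Run it against the centrally collected copy of the log rather than the one on the compromised host, since a wiper that removed the Accepted line locally will not have touched the remote copy; a session that shows up as an orphan in both is the more interesting case.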
