how did someone hack in my machine?
From: Tony (tandcwong@attbi.com)
Date: 03/07/02
From: "Tony" <tandcwong@attbi.com> Date: Thu, 07 Mar 2002 04:28:39 GMT
check this:
auth.log.1:Dec 25 06:25:01 goteach su[10587]: + ??? root-nobody
auth.log.1:Dec 25 06:25:01 goteach PAM_unix[10587]: (su) session opened for user nobody by (uid=0)
auth.log.1:Dec 25 07:01:40 goteach sshd[10753]: Did not receive ident string from 211.210.0.150.
auth.log.1:Dec 25 07:31:10 goteach sshd[412]: Generating new 768 bit RSA key.
auth.log.1:Dec 25 07:31:10 goteach sshd[412]: RSA key generation complete.
auth.log.1:Dec 25 13:43:08 goteach sshd[10801]: Disconnecting: Corrupted check bytes on input.
auth.log.1:Dec 25 13:43:08 goteach sshd[10803]: Disconnecting: Corrupted check bytes on input.
auth.log.1:Dec 25 13:43:08 goteach sshd[10804]: Disconnecting: Corrupted check bytes on input.
auth.log.1:Dec 25 13:43:08 goteach sshd[10805]: Disconnecting: Corrupted check bytes on input.
auth.log.1:Dec 25 13:43:09 goteach sshd[10809]: Disconnecting: Corrupted check bytes on input.
auth.log.1:Dec 25 13:43:09 goteach sshd[10810]: Disconnecting: Corrupted check bytes on input.
auth.log.1:Dec 25 13:43:10 goteach sshd[10811]: Disconnecting: Corrupted check bytes on input.
auth.log.1:Dec 25 13:43:10 goteach sshd[10812]: Disconnecting: Corrupted check bytes on input.
auth.log.1:Dec 25 13:43:10 goteach sshd[10814]: Disconnecting: Corrupted check bytes on input.
auth.log.1:Dec 25 13:43:11 goteach sshd[10815]: Disconnecting: Corrupted check bytes on input.
auth.log.1:Dec 25 13:43:11 goteach sshd[10817]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:15 goteach sshd[10819]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:22 goteach sshd[10822]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:26 goteach sshd[10824]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:30 goteach sshd[10826]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:35 goteach sshd[10828]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:37 goteach sshd[10830]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:38 goteach sshd[10833]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:38 goteach sshd[10834]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:38 goteach sshd[10835]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:41 goteach sshd[10854]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:45 goteach sshd[10878]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:46 goteach sshd[10881]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:46 goteach sshd[10882]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:46 goteach sshd[10883]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:51 goteach sshd[10914]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:52 goteach sshd[10915]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:52 goteach sshd[10916]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:54 goteach sshd[10929]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:54 goteach sshd[10930]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:54 goteach sshd[10931]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:44:00 goteach sshd[10962]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:44:00 goteach sshd[10963]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:44:00 goteach sshd[10964]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:44:02 goteach sshd[10974]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:50:17 goteach sshd[412]: Received SIGHUP; restarting.
auth.log.1:Dec 25 13:50:17 goteach sshd[412]: RESTART FAILED: av0='sshd', error: Permission denied.
auth.log.1:Dec 25 13:53:41 goteach su[11186]: + pts/0 root-nobody
auth.log.1:Dec 25 13:53:41 goteach PAM_unix[11186]: (su) session opened for user nobody by (uid=0)
daemon.log.1:Dec 25 00:36:38 goteach identd[10504]: started
daemon.log.1:Dec 25 09:14:54 goteach wu-ftpd[10769]: connect from 130.60.208.58
daemon.log.1:Dec 25 09:41:28 goteach wu-ftpd[10772]: connect from 130.60.208.58
daemon.log.1:Dec 25 10:52:39 goteach wu-ftpd[10781]: connect from AStrasbourg-202-1-2-138.abo.wanadoo.fr
daemon.log.1:Dec 25 12:52:06 goteach telnetd[10793]: connect from web1.gj.net
daemon.log.1:Dec 25 12:52:26 goteach telnetd[10793]: ttloop: read: Connection reset by peer
daemon.log.1:Dec 25 13:53:47 goteach identd[11192]: started
daemon.log.1:Dec 25 14:02:12 goteach identd[11201]: started
daemon.log.1:Dec 25 16:18:32 goteach wu-ftpd[11222]: connect from B0309.pppool.de
daemon.log.1:Dec 25 18:53:20 goteach wu-ftpd[11239]: connect from 213.237.71.207.adsl.vg.worldonline.dk
daemon.log.1:Dec 25 20:33:27 goteach identd[11250]: started
daemon.log.1:Dec 25 20:57:28 goteach identd[11262]: started
daemon.log.1:Dec 25 21:45:50 goteach telnetd[11275]: connect from 1Cust34.tnt2.perris.ca.da.uu.net
daemon.log.1:Dec 25 21:53:52 goteach wu-ftpd[11280]: connect from www.gis.minsk.by
Someone hacked my Debian box and replaced some binaries. The one I found is
sshd. How the hell did they hack in?
What can you tell from this log?
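
Added example, not part of the original post: a small triage script for the auth.log excerpt above that groups the sshd "Disconnecting:" messages into bursts and lists what was logged in the minutes after each burst ended. The sample lines are a constructed subset of the posted log; the year 2001, the 30-second gap and the 15-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines from the post's auth.log.1 excerpt, unwrapped and trimmed.
SAMPLE = """\
auth.log.1:Dec 25 13:43:08 goteach sshd[10801]: Disconnecting: Corrupted check bytes on input.
auth.log.1:Dec 25 13:43:08 goteach sshd[10803]: Disconnecting: Corrupted check bytes on input.
auth.log.1:Dec 25 13:43:11 goteach sshd[10817]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:43:15 goteach sshd[10819]: Disconnecting: crc32 compensation attack: network attack detected
auth.log.1:Dec 25 13:50:17 goteach sshd[412]: Received SIGHUP; restarting.
auth.log.1:Dec 25 13:50:17 goteach sshd[412]: RESTART FAILED: av0='sshd', error: Permission denied.
auth.log.1:Dec 25 13:53:41 goteach su[11186]: + pts/0 root-nobody
"""

# Optional "file:" prefix left by grep, syslog timestamp, host, program[pid], message.
LINE = re.compile(r"^(?:[\w.]+:)?(\w{3} +\d+ [\d:]{8}) \S+ ([\w-]+)\[(\d+)\]: (.*)$")

def parse(text, year=2001):
    """Return (time, program, pid, message) tuples; syslog omits the year, so it is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((when, m.group(2), int(m.group(3)), m.group(4)))
    return sorted(events, key=lambda e: e[0])  # stable: keeps file order within a second

def sshd_bursts(events, gap=timedelta(seconds=30), min_count=3):
    """Group sshd 'Disconnecting:' events that arrive within `gap` of each other."""
    bursts, current = [], []
    for ev in events:
        if ev[1] == "sshd" and ev[3].startswith("Disconnecting:"):
            if current and ev[0] - current[-1][0] > gap:
                bursts.append(current)
                current = []
            current.append(ev)
    return [b for b in bursts + [current] if len(b) >= min_count]

def followups(events, burst, window=timedelta(minutes=15)):
    """Events other than disconnects logged within `window` after the burst ended."""
    end = burst[-1][0]
    return [e for e in events
            if end < e[0] <= end + window and not e[3].startswith("Disconnecting:")]

if __name__ == "__main__":
    events = parse(SAMPLE)
    for burst in sshd_bursts(events):
        print(f"{len(burst)} sshd disconnects, {burst[0][0]} to {burst[-1][0]}; then:")
        print("\n".join(f"  {p}[{pid}]: {msg}" for _, p, pid, msg in followups(events, burst)))
```

Run against the full rotated log, the same grouping puts the failed sshd restart and the following su session directly after the disconnect burst, which gives a time window for checking file modification times on the replaced binaries.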