I decided to check the auth.log and started freaking out because I saw alot of POSSIBLE BREAK-IN lines. then I saw roon loging in so I was panicking. But as I really reviewed them it seems that the actual root logins were by CRON and the nobody logins were system related. Please look this over and give any advice and particularily what should I do.
Somewhere online said I should "boot with a root kit checker", feel free to advise on this. I do need to log in via putty via ssh alot so I cant totally disable it. I will beef up my password now and maybe change the port, but I need input on that please, or a good site. Thanks Norm Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session opened for user root by (uid=0) Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session closed for user root Feb 11 03:39:01 localhost CRON[29601]: (pam_unix) session closed for user root Feb 11 03:53:33 localhost sshd[29969]: Did not receive identification string from 66.212.18.86 Feb 11 03:55:20 localhost sshd[30015]: reverse mapping checking getaddrinfo for alpha57.wqpax.net failed - POSSIBLE BREAK-IN ATTEMPT! Feb 11 03:55:20 localhost sshd[30015]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.212.18.86 user=root Feb 11 03:55:22 localhost sshd[30015]: Failed password for root from 66.212.18.86 port 41396 ssh2 Feb 11 03:55:23 localhost sshd[30019]: reverse mapping checking getaddrinfo for alpha57.wqpax.net failed - POSSIBLE BREAK-IN ATTEMPT! rhost=66.212.18.86 then there is this, but it looks system related i think: Feb 11 07:09:01 localhost CRON[3127]: (pam_unix) session closed for user root Feb 11 07:17:01 localhost CRON[3368]: (pam_unix) session opened for user root by (uid=0) Feb 11 07:17:01 localhost CRON[3368]: (pam_unix) session closed for user root Feb 11 07:30:01 localhost CRON[3710]: (pam_unix) session opened for user root by (uid=0) Feb 11 07:30:01 localhost CRON[3710]: (pam_unix) session closed for user root Feb 11 07:33:01 localhost CRON[3807]: (pam_unix) session opened for user nobody by (uid=0) Feb 11 07:33:01 localhost CRON[3807]: (pam_unix) session closed for user nobody Feb 11 07:35:05 localhost su[3921]: Successful su for nobody by root Feb 11 07:35:05 localhost su[3921]: + ??? root:nobody Feb 11 07:35:05 localhost su[3921]: (pam_unix) session opened for user nobody by (uid=0) Feb 11 07:35:05 localhost su[3921]: (pam_unix) session closed for user nobody Feb 11 07:35:05 localhost su[3924]: Successful su for nobody by root Feb 11 07:35:05 localhost su[3924]: + ??? root:nobody Feb 11 07:35:05 localhost su[3924]: (pam_unix) session opened for user nobody by (uid=0) Feb 11 07:35:05 localhost su[3924]: (pam_unix) session closed for user nobody Feb 11 07:35:06 localhost su[3926]: Successful su for nobody by root Feb 11 07:35:06 localhost su[3926]: + ??? root:nobody Feb 11 07:35:06 localhost su[3926]: (pam_unix) session opened for user nobody by (uid=0) Feb 11 07:36:26 localhost su[3926]: (pam_unix) session closed for user nobody Feb 11 07:39:01 localhost CRON[4141]: (pam_unix) session opened for user root by (uid=0) Feb 11 07:39:01 localhost CRON[4143]: (pam_unix) session opened for user root by (uid=0) Feb 11 07:39:01 localhost CRON[4143]: (pam_unix) session closed for user root Feb 11 07:39:01 localhost CRON[4141]: (pam_unix) session closed for user root Feb 11 08:09:01 localhost CRON[4883]: (pam_unix) session opened for user root by (uid=0) Feb 11 08:09:01 localhost CRON[4885]: (pam_unix) session opened for user root by (uid=0) Is there another log that would show a definate successful breakin? thanks Norm
