At the time of the compromise I can see in each
server's sshd logs an entry like the following:
Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 22 12:57:32 test-vm sshd[25002]: pam_unix(sshd:session): session closed for user root
This is useful for scrubbing wtmp/utmp:
http://git.zx2c4.com/lastlog/tree/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Hi,
I am taking a look at a few different servers that have been rooted at
around the same time. At the time of the compromise I can see in each
server's sshd logs an entry like the following:
Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep
... I can see in each server's sshd logs an entry like the following:
Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 22 12:57:32 test-vm sshd[25002]: pam_unix(sshd:session): session closed for user root
... seems odd that there is no
On 9/23/2011 4:42 AM, paul.sz...@sydney.edu.au wrote:
... I can see in each server's sshd logs an entry like the following:
Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 22 12:57:32 test-vm sshd[25002]: pam_unix(sshd:session): session
@lists.grok.org.uk
Sent: Friday, September 23, 2011 4:45 AM
Subject: [Full-disclosure] sshd logins without a source
Hi,
I am taking a look at a few different servers that have been rooted at
around the same time. At the time of the compromise I can see in each
server's sshd logs an entry like
Dear Laurelai,
I do not think that sshd normally logs its source. ... To produce the
desired log, I added to /etc/hosts.allow the line
sshd : all : spawn /usr/bin/logger -t%d[%p] Connection source %h port %r
Don't most modern Linux distros log sshd by default? If for whatever
reason yours
Hi all,
Thank you all for the suggestions.
The systems in question are all Debian-based. A typical log stanza for a
login would be:
Sep 23 18:51:26 test sshd[25011]: Accepted publickey for root from 10.0.1.1 port 35398 ssh2
Sep 23 18:51:27 test sshd[25011]: pam_unix(sshd:session): session
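An added example, not code posted in this thread: a small Python checker for the anomaly the thread is circling around. It correlates each pam_unix "session opened" line with a preceding "Accepted ... for <user> from <ip> port <port>" line written by the same sshd PID on the same host, and reports sessions that have no such source. The log lines embedded in it are constructed to mirror the two stanzas quoted above (the sourceless root session from Sep 22 and the normal publickey login from Sep 23); the function names are mine.

```python
"""Correlate sshd 'session opened' lines with their 'Accepted ... from' line.

Added example for the Full-Disclosure thread; not code from the thread.
Sample log lines are constructed to match the quoted Debian/OpenSSH format.
"""
import re

# Constructed sample: a root session with no Accepted line for its PID
# (the pattern the original poster saw), followed by a normal login where
# the same sshd child PID logs Accepted, session opened and session closed.
SAMPLE_LOG = """\
Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 22 12:57:32 test-vm sshd[25002]: pam_unix(sshd:session): session closed for user root
Sep 23 18:51:26 test sshd[25011]: Accepted publickey for root from 10.0.1.1 port 35398 ssh2
Sep 23 18:51:27 test sshd[25011]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 23 18:52:40 test sshd[25011]: pam_unix(sshd:session): session closed for user root
"""

# syslog prefix: "<Mon DD HH:MM:SS> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
OPENED_RE = re.compile(
    r"^pam_unix\(sshd:session\): session opened for user (?P<user>\S+)"
)
CLOSED_PREFIX = "pam_unix(sshd:session): session closed"


def correlate_sessions(log_text):
    """Return one dict per 'session opened' line, in log order.

    Each dict carries ts, host, pid, user and source; source is the
    "ip:port" from the most recent Accepted line of the same (host, pid),
    or None when no Accepted line preceded the session. The (host, pid)
    entry is dropped on 'session closed' so a later reuse of the PID does
    not inherit an old source.
    """
    accepted = {}  # (host, pid) -> "ip:port"
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line (or a format this checker does not parse)
        key = (m["host"], m["pid"])
        msg = m["msg"]
        a = ACCEPTED_RE.match(msg)
        if a:
            accepted[key] = "%s:%s" % (a["ip"], a["port"])
            continue
        o = OPENED_RE.match(msg)
        if o:
            sessions.append({
                "ts": m["ts"], "host": m["host"], "pid": m["pid"],
                "user": o["user"], "source": accepted.get(key),
            })
        elif msg.startswith(CLOSED_PREFIX):
            accepted.pop(key, None)
    return sessions


def find_sourceless_sessions(log_text):
    """Sessions whose sshd PID never logged an 'Accepted ... from' line."""
    return [s for s in correlate_sessions(log_text) if s["source"] is None]


if __name__ == "__main__":
    for s in correlate_sessions(SAMPLE_LOG):
        flag = "NO SOURCE" if s["source"] is None else s["source"]
        print("%s %s sshd[%s] user=%s %s" % (s["ts"], s["host"], s["pid"], s["user"], flag))
```

Run it over the auth logs from every affected host and compare the set of sourceless sessions against the compromise window. A missing Accepted line is evidence, not proof, of a tampered sshd: the same gap appears when the log was rotated or truncated between the two lines, when syslog was restarted, or when sshd runs with LogLevel QUIET (pam_unix writes its session lines through syslog on its own, so they survive even when sshd's own authentication logging is off). If normal logins on the same hosts consistently carry an Accepted line and only the sessions at the time of compromise do not, that is the pattern the original poster describes.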
On Fri, 23 Sep 2011 11:45:35 +0800, BH said:
Hi,
I am taking a look at a few different servers that have been rooted at
around the same time. At the time of the compromise I can see in each
server's sshd logs an entry like the following:
Sep 22 12:57:14 test-vm sshd[25002]:
On 9/23/2011 7:05 AM, paul.sz...@sydney.edu.au wrote:
Dear Laurelai,
I do not think that sshd normally logs its source. ... To produce the
desired log, I added to /etc/hosts.allow the line
sshd : all : spawn /usr/bin/logger -t%d[%p] Connection source %h port %r
Don't most modern Linux
Dear all,
I do not think that sshd normally logs its source. ...
Really? ...
Sorry about the confusion I may have caused. I guess my comments apply
to some older sshd version (or maybe old, wrong configs): surely that is
when, wanting better logs, I put in that hosts.allow logger. Perusing my