Koozali.org: home of the SME Server

POSSIBLE BREAKIN ATTEMPT

Matt
« on: August 18, 2004, 10:48:55 AM »
Help

I am quite new to e-smith and find these log files a bit confusing. I have just tried logging into the root account but my usual password does not work anymore so I checked the message log and found the following:

08:42:12 cranbrook sshd[20493]: reverse mapping checking getaddrinfo for 137-002.cbici.net failed - POSSIBLE BREAKIN ATTEMPT!
Aug 15 08:42:12 cranbrook sshd[20493]: Failed password for root from 192.217.137.2 port 1574 ssh2
Aug 15 08:42:13 cranbrook sshd[20495]: Illegal user test from 192.217.137.2
Aug 15 08:42:13 cranbrook sshd[20495]: reverse mapping checking getaddrinfo for 137-002.cbici.net failed - POSSIBLE BREAKIN ATTEMPT!
Aug 15 08:42:13 cranbrook sshd[20495]: Failed password for illegal user test from 192.217.137.2 port 1596 ssh2
Aug 15 08:42:47 cranbrook sshd[20497]: Accepted password for root from 194.102.145.11 port 1086
Aug 15 08:42:47 cranbrook sshd(pam_unix)[20499]: session opened for user root by root(uid=0)
Aug 15 08:46:52 cranbrook PAM_pwdb[20871]: password for (root/0) changed by ((null)/0)

I am guessing that someone has broken into my server and changed the root password. Could anyone enlighten me about the above messages? I guess there is nothing I can do but reinstall e-smith and use a more secure password and stop remote access.

raem
« Reply #1 on: August 18, 2004, 03:44:29 PM »
Was your root password weak?
...

Matt
« Reply #2 on: August 18, 2004, 06:51:47 PM »
Yes, it was a pretty weak password, only letters and an easy to guess word, my own fault, so has someone really got in and changed things?

raem
« Reply #3 on: August 19, 2004, 07:32:57 AM »
> ......so has someone really got in and changed things?

You will need to review the logs to answer that question.


A search on "change root password" found this amongst many other posts. Learn to search.

http://forums.contribs.org/index.php?topic=22842.0
...
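The log review raem points to, as an added example that is not part of this thread or of SME Server: a small Python script that parses the sshd/PAM lines Matt posted (embedded as a constructed sample, without the truncated first line) and summarises them, counting failed passwords per source, probed usernames, accepted logins and root password changes, and flagging a remote root login followed shortly by a root password change. The regexes assume the OpenSSH and PAM message formats seen in those lines.

```python
import re
from collections import Counter
# Constructed sample: the sshd/PAM lines quoted in the post (truncated first line omitted).
SAMPLE_LOG = """\
Aug 15 08:42:12 cranbrook sshd[20493]: Failed password for root from 192.217.137.2 port 1574 ssh2
Aug 15 08:42:13 cranbrook sshd[20495]: Illegal user test from 192.217.137.2
Aug 15 08:42:13 cranbrook sshd[20495]: reverse mapping checking getaddrinfo for 137-002.cbici.net failed - POSSIBLE BREAKIN ATTEMPT!
Aug 15 08:42:13 cranbrook sshd[20495]: Failed password for illegal user test from 192.217.137.2 port 1596 ssh2
Aug 15 08:42:47 cranbrook sshd[20497]: Accepted password for root from 194.102.145.11 port 1086
Aug 15 08:42:47 cranbrook sshd(pam_unix)[20499]: session opened for user root by root(uid=0)
Aug 15 08:46:52 cranbrook PAM_pwdb[20871]: password for (root/0) changed by ((null)/0)
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"
STAMP = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) ")
FAILED = re.compile(r"Failed password for (?:illegal user )?(\S+) from " + IP)
ILLEGAL = re.compile(r"Illegal user (\S+) from " + IP)
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from " + IP)
PWCHANGE = re.compile(r"password for \((\w+)/\d+\) changed by \((\S*?)/\d+\)")

def secs(line):
    m = STAMP.match(line)  # seconds since midnight (same day assumed); None without a timestamp
    return int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3]) if m else None

def analyze(log_text):
    """Summarise sshd/PAM events and flag a remote root login followed by a root password change."""
    failed = Counter()   # (user, source ip) -> failed password count
    probed = set()       # usernames sshd reported as not existing ("Illegal user")
    accepted = []        # (seconds, auth method, user, source ip), in log order
    changes = []         # (seconds, account, changed_by), in log order
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            failed[(m[1], m[2])] += 1
        elif m := ILLEGAL.search(line):
            probed.add(m[1])
        elif m := ACCEPTED.search(line):
            accepted.append((secs(line), m[1], m[2], m[3]))
        elif m := PWCHANGE.search(line):
            changes.append((secs(line), m[1], m[2]))
    findings = []
    failing_ips = {ip for (_, ip) in failed}
    for t, method, user, ip in accepted:
        if user == "root" and method == "password":
            src = "the IP that was failing" if ip in failing_ips else "a different IP from the failures"
            findings.append(f"remote root login by password from {ip} ({src})")
    for t, account, by in changes:
        prior = [a[0] for a in accepted if a[2] == account and a[0] is not None]
        if account == "root" and t is not None and prior:
            # '(null)' as the changer: PAM recorded no calling login name, only uid 0
            findings.append(f"root password changed {t - prior[-1]}s after that login, by {by!r}/uid 0")
    return dict(failed=failed, probed=probed, accepted=accepted, changes=changes, findings=findings)
```

Run against the sample it reports the two failures from 192.217.137.2, the probe for user "test", the accepted root login from 194.102.145.11 and the root password change 245 seconds later, which is the sequence to look for when deciding whether the box was taken over.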

byte
« Reply #4 on: August 19, 2004, 09:20:33 AM »
Hi,

You might wish to run rkhunter to see if they modified any files or dropped anything in.

Do a search; you will find lots of info.

HTH
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!