Made me rkhunter. What does
# getsebool ssh_use_tcpd
say? /etc/hosts.allow / deny may not be read anymore, some huge changes in
fedora phasing out wrappers only a couple months ago.
https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers
wow, deprecated even. Must check my own setup.
> uid=0
my guess root with a lead pipe in the
Seychelles Islands looking for
bitcoins.
$ whois -h
whois.arin.net 156.251.130.170
[Querying
whois.arin.net]
[Redirected to
whois.afrinic.net]
[Querying
whois.afrinic.net]
[
whois.afrinic.net]
% This is the AfriNIC Whois server.
% The AFRINIC whois database is subject to the following terms of Use. See
https://afrinic.net/whois/terms
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '156.251.130.0 - 156.251.130.255'
% No abuse contact registered for 156.251.130.0 - 156.251.130.255
inetnum: 156.251.130.0 - 156.251.130.255
netname: GLOBALDATA_INVESTMENTS_INC
descr: GLOBALDATA INVESTMENTS INC
country: US
admin-c: CIS1-AFRINIC
tech-c: CIS1-AFRINIC
status: ASSIGNED PA
mnt-by: CIL1-MNT
source: AFRINIC # Filtered
parent: 156.224.0.0 - 156.255.255.255
person: Cloud Innovation Support
address: Ebene
address: MU
address: Mahe
address: Seychelles
phone: tel:+248-4-610-795
nic-hdl: CIS1-AFRINIC
abuse-mailbox: abuse(a)cloudinnovation.org
mnt-by: CIL1-MNT
source: AFRINIC # Filtered
On Mon, Aug 1, 2022 at 12:25 PM Gary <saclug(a)garymcglinn.com> wrote:
It looks like I've been hacked.
I came home after being away for 3 days to find my system had been
rebooted. I have other systems that were fine, so I knew it wasn't a power
glitch. My systems don't reboot if the power comes on. I checked my logs
and the reboot occured at about 11 PM on Friday.
Before that, for at least hours and possibly days, there were a lot of
login attempts. Some from users named terrorist, some that trace to Iran.
I checked the audit log and found this:
type=CRYPTO_KEY_USER msg=audit(1659374984.916:5741): pid=5877 uid=0
auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=?
direction=both spid=5878 suid=74 rport=51686 laddr=192.168.2.5 lport=23
exe="/usr/sbin/sshd" hostname=? addr=156.251.130.170 terminal=?
res=success'
type=CRYPTO_KEY_USER msg=audit(1659374984.917:5742): pid=5877 uid=0
auid=4294967295 ses=4294967295 msg='op=destroy kind=server
fp=b3:4d:28:a2:ce:77:2a:f8:58:21:75:95:d1:08:6d:26 direction=? spid=5877
suid=0 exe="/usr/sbin/sshd" hostname=? addr=156.251.130.170 terminal=?
res=success
It traces to Africa. And I run sshd on port 23. This is the only IP I've
found successful logins from. So, I've added a reject rule to the firewall.
It is interesting the journalctl only reports failed logins from this IP
since the reboot. Audit.log has the successes, but no timestamp. I'm not
sure why there should be continued failures from this address.
And now, I've got to start cleaning up.
And redoing with better security. Sigh.
-Gary
_______________________________________________
Lug-nuts mailing list -- lug-nuts(a)bigbrie.com
To unsubscribe send an email to lug-nuts-leave(a)bigbrie.com