Made me rkhunter. What does
# getsebool ssh_use_tcpd
say? /etc/hosts.allow / deny may not be read anymore, some huge changes in fedora phasing out wrappers only a couple months ago.
https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers
wow, deprecated even. Must check my own setup.

>> uid=0
my guess root with a lead pipe in the Seychelles Islands looking for bitcoins.

$ whois -h whois.arin.net 156.251.130.170
[Querying whois.arin.net]
[Redirected to whois.afrinic.net]
[Querying whois.afrinic.net]
[whois.afrinic.net]
% This is the AfriNIC Whois server.
% The AFRINIC whois database is subject to  the following terms of Use. See https://afrinic.net/whois/terms
% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.
% Information related to '156.251.130.0 - 156.251.130.255'
% No abuse contact registered for 156.251.130.0 - 156.251.130.255

inetnum:        156.251.130.0 - 156.251.130.255
netname:        GLOBALDATA_INVESTMENTS_INC
descr:          GLOBALDATA INVESTMENTS INC
country:        US
admin-c:        CIS1-AFRINIC
tech-c:         CIS1-AFRINIC
status:         ASSIGNED PA
mnt-by:         CIL1-MNT
source:         AFRINIC # Filtered
parent:         156.224.0.0 - 156.255.255.255

person:         Cloud Innovation Support
address:        Ebene
address:        MU
address:        Mahe
address:        Seychelles
phone:          tel:+248-4-610-795
nic-hdl:        CIS1-AFRINIC
abuse-mailbox:  abuse@cloudinnovation.org
mnt-by:         CIL1-MNT
source:         AFRINIC # Filtered

On Mon, Aug 1, 2022 at 12:25 PM Gary <saclug@garymcglinn.com> wrote:
It looks like I've been hacked.

I came home after being away for 3 days to find my system had been rebooted.  I have other systems that were fine, so I knew it wasn't a power glitch.  My systems don't reboot if the power comes on.  I checked my logs and the reboot occured at about 11 PM on Friday.

Before that, for at least hours and possibly days, there were a lot of login attempts.  Some from users named terrorist, some that trace to Iran.  I checked the audit log and found this:

type=CRYPTO_KEY_USER msg=audit(1659374984.916:5741): pid=5877 uid=0 auid=4294967295 ses=4294967295  msg='op=destroy kind=session fp=? direction=both spid=5878 suid=74 rport=51686 laddr=192.168.2.5 lport=23  exe="/usr/sbin/sshd" hostname=? addr=156.251.130.170 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1659374984.917:5742): pid=5877 uid=0 auid=4294967295 ses=4294967295  msg='op=destroy kind=server fp=b3:4d:28:a2:ce:77:2a:f8:58:21:75:95:d1:08:6d:26 direction=? spid=5877 suid=0  exe="/usr/sbin/sshd" hostname=? addr=156.251.130.170 terminal=? res=success

It traces to Africa.  And I run sshd on port 23.  This is the only IP I've found successful logins from.  So, I've added a reject rule to the firewall.

It is interesting the journalctl only reports failed logins from this IP since the reboot.  Audit.log has the successes, but no timestamp.  I'm not sure why there should be continued failures from this address.

And now, I've got to start cleaning up. 

And redoing with better security.  Sigh.

-Gary
_______________________________________________
Lug-nuts mailing list -- lug-nuts@bigbrie.com
To unsubscribe send an email to lug-nuts-leave@bigbrie.com