Hi friends,

I think I have found some clues that suggest my system has been hacked, but I do not know for sure.
I have copied some suspicious sections from my messages log file and my Apache access and error log files. Can you please check them and give me some hints? I know inspecting this content will be time consuming, so just check them if and when you guys have free time.



messages.log
===============
Feb 11 01:22:40 mail sshd[5384]: Could not reverse map address 80.96.93.222.
Feb 11 01:22:40 mail sshd(pam_unix)[5384]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=80.96.93.222 user=test
Feb 11 01:22:50 mail sshd[5384]: Failed password for test from 80.96.93.222 port 1178
Feb 11 01:22:58 mail sshd[5384]: Failed password for test from 80.96.93.222 port 1178
Feb 11 01:23:03 mail sshd[5384]: Accepted password for test from 80.96.93.222 port 1178
Feb 11 01:23:06 mail sshd(pam_unix)[5391]: session opened for user test by (uid=594)

Feb 14 10:58:33 mail modprobe: modprobe: Can't locate module char-major-10-134


Feb 15 11:05:35 mail syslogd: Printing partial message
Feb 15 11:05:35 mail 22>Feb 15 11:05:35 sendmail[2798]: j1F55ZTb002798: mail.w-advertise.com [81.255.114.13] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 15 11:05:35 mail


Feb 17 10:42:53 mail 22>Feb 17 10:42:53 sendmail[7447]: j1H4grTb007447: mail.w-advertise.com [81.255.114.13] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 17 10:42:53 mail
Feb 17 10:56:48 mail
Feb 17 10:56:48 mail syslogd: Printing partial message
Feb 17 10:56:48 mail

//Please note this. I could not log in as root. My password wasn't accepted.
//But how can the root user's session get closed?
//***********************************************

Feb 17 11:03:01 mail sshd(pam_unix)[2905]: session closed for user root

//****************************************************


Feb 18 02:52:15 mail syslogd: Printing partial message
Feb 18 02:52:15 mail 22>Feb 18 02:52:15 sendmail[15542]: j1HKqFTb015542: mail.w-advertise.com [81.255.114.49] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA




Apache access.log
====================


220.3.124.75 - - [10/Feb/2005:17:58:32 +0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1060 "-" "-"

66.249.64.79 - - [10/Feb/2005:16:14:34 +0600] "GET /englishReports.php HTTP/1.0" 304 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

66.249.71.61 - - [10/Feb/2005:17:41:01 +0600] "GET /allReports.php HTTP/1.0" 304 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

193.109.122.59 - - [14/Feb/2005:09:34:44 +0600] "CONNECT 193.109.122.67:6668 HTTP/1.0" 405 982 "-" "pxyscand/2.0"

203.94.95.111 - - [19/Feb/2005:18:17:33 +0600] "PROPFIND /reports/ HTTP/1.1" 405 990 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

207.46.98.141 - - [20/Feb/2005:04:27:02 +0600] "GET /robots.txt HTTP/1.0" 404 1059 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
207.46.98.141 - - [20/Feb/2005:04:27:02 +0600] "GET /circulars.htm HTTP/1.0" 404 1059 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
193.109.122.44 - - [20/Feb/2005:07:41:39 +0600] "CONNECT 193.109.122.67:6668 HTTP/1.0" 405 982 "-" "pxyscand/2.0"

220.247.246.9 - - [20/Feb/2005:08:44:56 +0600] "GET /smHeadOffice.jpg HTTP/1.1" 304 0 "http://cc.msnscache.com/cache.aspx?q=1039146196537&lang=en-US&FORM=CVRE" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
220.247.246.9 - - [20/Feb/2005:08:44:56 +0600] "GET /smBranches.jpg HTTP/1.1" 304 0 "http://cc.msnscache.com/cache.aspx?q=1039146196537&lang=en-US&FORM=CVRE" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

220.247.246.9 - - [20/Feb/2005:08:47:10 +0600] "PROPFIND /reports HTTP/1.1" 301 325 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
220.247.246.9 - - [20/Feb/2005:08:47:10 +0600] "PROPFIND /reports/ HTTP/1.1" 405 990 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
220.247.246.9 - - [20/Feb/2005:08:47:11 +0600] "PROPFIND /reports HTTP/1.1" 301 325 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"




Apache error.log
================

[Fri Feb 11 10:25:45 2005] [error] [client 66.249.64.47] File does not exist: /var/www/html/robots.txt
[Fri Feb 11 11:16:17 2005] [warn] child process 1264 still did not exit, sending a SIGTERM
[Fri Feb 11 11:16:17 2005] [notice] caught SIGTERM, shutting down
[Fri Feb 11 11:16:20 2005] [notice] Digest: generating secret for digest authentication ...
[Fri Feb 11 11:16:20 2005] [notice] Digest: done
[Fri Feb 11 11:16:21 2005] [notice] Apache/2.0.40 (Red Hat Linux) configured -- resuming normal operations
[Fri Feb 11 11:16:27 2005] [notice] caught SIGTERM, shutting down
[Fri Feb 11 11:16:29 2005] [notice] Digest: generating secret for digest authentication ...
[Fri Feb 11 11:16:29 2005] [notice] Digest: done
[Fri Feb 11 11:16:30 2005] [notice] Apache/2.0.40 (Red Hat Linux) configured -- resuming normal operations
[Fri Feb 11 12:44:20 2005] [error] [client 66.249.66.38] File does not exist: /var/www/html/robots.txt
[Fri Feb 11 12:53:51 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_inf.html
[Fri Feb 11 12:53:51 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_bin
[Fri Feb 11 12:53:51 2005] [error] [client 192.168.0.99] no acceptable variant: /var/www/error/HTTP_NOT_FOUND.html.var
[Fri Feb 11 13:19:10 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_inf.html
[Fri Feb 11 13:19:10 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_bin
[Fri Feb 11 13:19:10 2005] [error] [client 192.168.0.99] no acceptable variant: /var/www/error/HTTP_NOT_FOUND.html.var
[Fri Feb 11 13:19:10 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_inf.html
[Fri Feb 11 13:19:10 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_bin
[Fri Feb 11 13:19:10 2005] [error] [client 192.168.0.99] no acceptable variant: /var/www/error/HTTP_NOT_FOUND.html.var
[Fri Feb 11 13:19:24 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_inf.html
[Fri Feb 11 13:19:24 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_bin
[Fri Feb 11 13:19:24 2005] [error] [client 192.168.0.99] no acceptable variant: /var/www/error/HTTP_NOT_FOUND.html.var
[Fri Feb 11 13:23:00 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_inf.html
[Fri Feb 11 13:23:00 2005] [error] [client 192.168.0.99] File does not exist: /var/www/html/_vti_bin
[Fri Feb 11 13:23:00 2005] [error] [client 192.168.0.99] no acceptable variant: /var/www/error/HTTP_NOT_FOUND.html.var
[Fri Feb 11 19:16:46 2005] [error] [client 195.92.95.61] File does not exist: /var/www/html/cobalt-images
[Fri Feb 11 20:08:58 2005] [error] [client 66.249.66.38] File does not exist: /var/www/html/robots.txt
[Sun Feb 13 04:02:09 2005] [notice] SIGHUP received. Attempting to restart

[Sun Feb 13 22:39:42 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/Forum
[Sun Feb 13 22:39:43 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/Forums
[Sun Feb 13 22:39:45 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/bb
[Sun Feb 13 22:39:47 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/ugboard
[Sun Feb 13 22:39:49 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/ugboards
[Sun Feb 13 22:39:49 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/ugboards
[Sun Feb 13 22:39:55 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/newboard
[Sun Feb 13 22:39:57 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/newboards
[Sun Feb 13 22:39:59 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/members
[Sun Feb 13 22:40:00 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/members
[Sun Feb 13 22:40:02 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/members
[Sun Feb 13 22:40:03 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/portal
[Sun Feb 13 22:40:05 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/portal
[Sun Feb 13 22:40:07 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/bbs
[Sun Feb 13 22:40:08 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/bulletinboard
[Sun Feb 13 22:40:10 2005] [error] [client 202.175.237.42] File does not exist: /var/www/html/bulletinboards
[Mon Feb 14 00:42:57 2005] [error] [client 207.46.98.141] File does not exist: /var/www/html/robots.txt
[Mon Feb 21 14:28:25 2005] [error] [client 220.247.240.88] File does not exist: /var/www/html/_vti_bin


Best Regards,
Chamal.
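
One way to triage the sshd entries in the messages log above, as an added example that is not part of the original post: flag every accepted password login that the same source address reached only after failed attempts for the same account, which is the pattern in the Feb 11 lines for user test. The sample input reuses lines from the post plus one constructed line (marked in the code); the function name `guessed_logins` is hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the messages log in the post above. The last line is
# constructed (documentation address 192.0.2.10): a failure with no success.
SAMPLE = """\
Feb 11 01:22:40 mail sshd[5384]: Could not reverse map address 80.96.93.222.
Feb 11 01:22:50 mail sshd[5384]: Failed password for test from 80.96.93.222 port 1178
Feb 11 01:22:58 mail sshd[5384]: Failed password for test from 80.96.93.222 port 1178
Feb 11 01:23:03 mail sshd[5384]: Accepted password for test from 80.96.93.222 port 1178
Feb 12 03:10:00 mail sshd[6000]: Failed password for admin from 192.0.2.10 port 4000
"""

# Matches sshd password results in the syslog format shown in the post.
# The "invalid user"/"illegal user" prefix written by other sshd versions
# is tolerated so the account name is still captured.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted) password for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def guessed_logins(lines, min_failures=1):
    """Return accepted logins preceded by failures for the same (ip, user)."""
    failures = defaultdict(int)
    hits = []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue  # not an sshd password result line
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
        elif failures[key] >= min_failures:
            hits.append({"time": m["ts"], "ip": m["ip"], "user": m["user"],
                         "failures_before": failures[key]})
            failures[key] = 0  # start counting again after a success
    return hits

if __name__ == "__main__":
    for hit in guessed_logins(SAMPLE.splitlines()):
        print("{time}  {user}@{ip}  accepted after "
              "{failures_before} failed attempt(s)".format(**hit))
```

Running it over the complete messages file shows whether any other account was reached the same way.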