hacked: LOG question


Hello,

I have a question about the auth log.

Aug 10 14:12:19 HOST sshd[20740]: error: Could not get shadow information for NOUSER
Aug 10 14:12:19 HOST sshd[20740]: Failed password for illegal user test1 from 80.96.72.66 port 3274 ssh2
Aug 10 14:12:24 HOST last message repeated 2 times
Aug 10 14:12:25 HOST sshd[20740]: debug1: do_cleanup
Aug 10 14:12:25 HOST sshd[20740]: debug1: PAM: cleanup
Aug 10 14:12:37 HOST sshd[3495]: debug1: Forked child 20758.
Aug 10 14:12:37 HOST sshd[20758]: Connection from 80.96.72.66 port 3281
Aug 10 14:12:37 HOST sshd[20758]: debug1: Client protocol version 2.0; client software version PuTTY
Aug 10 14:12:37 HOST sshd[20758]: debug1: no match: PuTTY
Aug 10 14:12:37 HOST sshd[20758]: debug1: Enabling compatibility mode for protocol 2.0
Aug 10 14:12:37 HOST sshd[20758]: debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
Aug 10 14:12:43 HOST sshd[20758]: debug1: PAM: initializing for "test"
Aug 10 14:12:43 HOST sshd[20758]: reverse mapping checking getaddrinfo for 80-96-72-66.rdsnet.ro failed - POSSIBLE BREAKIN ATTEMPT!
Aug 10 14:12:43 HOST sshd[20758]: debug1: PAM: setting PAM_RHOST to "80.96.72.66"
Aug 10 14:12:43 HOST sshd[20758]: debug1: PAM: setting PAM_TTY to "ssh"
Aug 10 14:12:43 HOST sshd[20758]: Failed password for test from 80.96.72.66 port 3281 ssh2
Aug 10 14:12:55 HOST last message repeated 4 times
Aug 10 14:12:57 HOST sshd[20758]: Accepted password for test from 80.96.72.66 port 3281 ssh2
Aug 10 14:12:57 HOST sshd[20758]: debug1: monitor_child_preauth: test has been authenticated by privileged process
Aug 10 14:12:57 HOST sshd[20779]: (pam_unix) session opened for user test by (uid=0)
Aug 10 14:12:57 HOST sshd[20779]: debug1: PAM: reinitializing credentials
Aug 10 14:12:57 HOST sshd[20779]: debug1: permanently_set_uid: 1037/100
Aug 10 14:12:57 HOST sshd[20779]: debug1: Entering interactive session for SSH2.
Aug 10 14:12:57 HOST sshd[20779]: debug1: server_init_dispatch_20
Aug 10 14:12:57 HOST sshd[20779]: debug1: server_input_channel_open: ctype session rchan 100 win 32768 max 16384
Aug 10 14:12:57 HOST sshd[20779]: debug1: input_session_request
Aug 10 14:12:57 HOST sshd[20779]: debug1: channel 0: new [server-session]
Aug 10 14:12:57 HOST sshd[20779]: debug1: session_new: init
Aug 10 14:12:57 HOST sshd[20779]: debug1: session_new: session 0
Aug 10 14:12:57 HOST sshd[20779]: debug1: session_open: channel 0
Aug 10 14:12:57 HOST sshd[20779]: debug1: session_open: session 0: link with channel 0
Aug 10 14:12:57 HOST sshd[20779]: debug1: server_input_channel_open: confirm session
Aug 10 14:12:57 HOST sshd[20779]: debug1: server_input_channel_req: channel 0 request pty-req reply 1
Aug 10 14:12:57 HOST sshd[20779]: debug1: session_by_channel: session 0 channel 0
Aug 10 14:12:57 HOST sshd[20779]: debug1: session_input_channel_req: session 0 req pty-req
Aug 10 14:12:57 HOST sshd[20779]: debug1: Allocating pty.
Aug 10 14:12:57 HOST sshd[20758]: debug1: session_new: init
Aug 10 14:12:57 HOST sshd[20758]: debug1: session_new: session 0
Aug 10 14:12:57 HOST sshd[20779]: debug1: session_pty_req: session 0 alloc /dev/pts/1
Aug 10 14:12:57 HOST sshd[20779]: debug1: server_input_channel_req: channel 0 request shell reply 1
Aug 10 14:12:57 HOST sshd[20779]: debug1: session_by_channel: session 0 channel 0
Aug 10 14:12:57 HOST sshd[20779]: debug1: session_input_channel_req: session 0 req shell
Aug 10 14:12:57 HOST sshd[20779]: debug1: PAM: setting PAM_TTY to "/dev/pts/1"
Aug 10 14:12:57 HOST sshd[20780]: debug1: Setting controlling tty using TIOCSCTTY.
Aug 10 14:13:16 HOST sshd[20779]: debug1: server_input_channel_req: channel 0 request window-change reply 0
Aug 10 14:13:16 HOST sshd[20779]: debug1: session_by_channel: session 0 channel 0
Aug 10 14:13:16 HOST sshd[20779]: debug1: session_input_channel_req: session 0 req window-change
Aug 10 14:16:34 HOST su[21003]: + pts/1 root:root
Aug 10 14:16:34 HOST su[21003]: (pam_unix) session opened for user root by test(uid=0)

opened for user test by (uid=0)

Is the "by (uid=0)" normal?

Aug 10 14:16:34 HOST su[21003]: + pts/1 root:root
Aug 10 14:16:34 HOST su[21003]: (pam_unix) session opened for user root by test(uid=0)

I'm wondering how the user test became root via su so quickly.
The root password had several special characters.

Is there a way to find out how he managed it?

Questions upon questions ;-)
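As an added example that is not part of the original post: a small Python correlator run over the non-debug lines of the auth.log quoted above (copied into the script as constructed input; the year is an assumption, since syslog does not record it). It expands the `last message repeated N times` lines, counts failed passwords per source address and account, flags the `Accepted password` that follows them, and links the later `su` session back to that SSH login through the account name in `by test(uid=0)`.

```python
"""Correlate sshd brute-force activity with a later su-to-root in an auth.log
excerpt. Added example, not part of the original forum post."""
import re
from collections import Counter
from datetime import datetime

# Constructed input: the non-debug lines of the auth.log excerpt quoted in the
# post above, copied verbatim (the debug1 lines carry no authentication state).
AUTH_LOG = """\
Aug 10 14:12:19 HOST sshd[20740]: Failed password for illegal user test1 from 80.96.72.66 port 3274 ssh2
Aug 10 14:12:24 HOST last message repeated 2 times
Aug 10 14:12:37 HOST sshd[20758]: Connection from 80.96.72.66 port 3281
Aug 10 14:12:43 HOST sshd[20758]: reverse mapping checking getaddrinfo for 80-96-72-66.rdsnet.ro failed - POSSIBLE BREAKIN ATTEMPT!
Aug 10 14:12:43 HOST sshd[20758]: Failed password for test from 80.96.72.66 port 3281 ssh2
Aug 10 14:12:55 HOST last message repeated 4 times
Aug 10 14:12:57 HOST sshd[20758]: Accepted password for test from 80.96.72.66 port 3281 ssh2
Aug 10 14:12:57 HOST sshd[20779]: (pam_unix) session opened for user test by (uid=0)
Aug 10 14:16:34 HOST su[21003]: + pts/1 root:root
Aug 10 14:16:34 HOST su[21003]: (pam_unix) session opened for user root by test(uid=0)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
PROC_RE = re.compile(r"^(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")
FAILED_RE = re.compile(r"^Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
SESSION_RE = re.compile(r"^\(pam_unix\) session opened for user (?P<user>\S+) by (?P<by>\S*?)\(uid=(?P<uid>\d+)\)$")


def _classify(prog, pid, msg):
    """Turn one syslog message into an event dict, or None if it is irrelevant."""
    base = {"prog": prog, "pid": pid}
    if m := FAILED_RE.match(msg):
        return {**base, "kind": "failed", "user": m["user"], "ip": m["ip"], "port": int(m["port"])}
    if m := ACCEPTED_RE.match(msg):
        return {**base, "kind": "accepted", "user": m["user"], "ip": m["ip"], "method": m["method"]}
    if m := SESSION_RE.match(msg):
        # "by" is empty for sshd (the privileged parent opens the session) and
        # the calling account name for su.
        return {**base, "kind": "session", "user": m["user"], "by": m["by"], "uid": int(m["uid"])}
    return None


def parse_auth_log(text, year=2004):
    """Parse syslog-style auth.log lines into a chronological list of events.

    'last message repeated N times' is expanded into N copies of the preceding
    event so failure counts are not undercounted. syslog omits the year, so one
    is assumed (it only matters for time differences)."""
    events, last = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rep = REPEAT_RE.match(m["rest"])
        if rep:
            if last is not None:
                events.extend({**last, "ts": ts, "repeated": True} for _ in range(int(rep["n"])))
            continue
        pm = PROC_RE.match(m["rest"])
        ev = _classify(pm["prog"], int(pm["pid"]), pm["msg"]) if pm else None
        if ev is not None:
            ev["ts"] = ts
            events.append(ev)
        last = ev  # an unclassified line resets this, so a later "repeated" line is not misattributed
    return events


def analyze(events, window_s=900):
    """Flag password logins preceded by failures, and su sessions opened by an
    account that logged in over SSH within window_s seconds before."""
    findings = []
    fails = Counter()   # (ip, user) -> failed-password count
    logins = {}         # user -> most recent accepted SSH login event
    for ev in events:
        if ev["kind"] == "failed":
            fails[(ev["ip"], ev["user"])] += 1
        elif ev["kind"] == "accepted":
            same_user = fails[(ev["ip"], ev["user"])]
            same_ip = sum(c for (ip, _), c in fails.items() if ip == ev["ip"])
            if same_user or same_ip:
                findings.append({"kind": "accepted_after_failures", "user": ev["user"], "ip": ev["ip"],
                                 "failures_same_user": same_user, "failures_same_ip": same_ip, "ts": ev["ts"]})
            logins[ev["user"]] = ev
        elif ev["kind"] == "session" and ev["prog"] == "su":
            src = logins.get(ev["by"])
            if src is not None:
                delay = int((ev["ts"] - src["ts"]).total_seconds())
                if 0 <= delay <= window_s:
                    findings.append({"kind": "su_after_login", "from": ev["by"], "to": ev["user"],
                                     "ip": src["ip"], "delay_s": delay, "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_auth_log(AUTH_LOG)):
        print(finding)
```

For the excerpt above it reports five failed passwords for `test` (eight from the address in total, counting the `test1` guesses) before the accepted one, and an `su` to root by `test` 217 seconds after that login. The parser deliberately treats the sshd line `session opened for user test by (uid=0)` as the privileged sshd parent process opening the PAM session on the new user's behalf, which is why no caller name and uid 0 appear there; it is the `su` session line, where the caller is `test`, that records which account ran su.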