ssh - suspicious logins root - Ask Ubuntu


i have noticed suspicious logins root account on server created new admin account , assigned root permissions account , disabled root account. had @ /var/log/auth.log file , can see there no more logins suspicious ip anymore showing: 

oct 25 06:06:01 serverhostname cron[10452]: pam_unix(cron:session):   session opened user root (uid=0) oct 25 06:06:01 serverhostname cron[10452]: pam_unix(cron:session): session closed user root

are these scheduled cron jobs? can these ignored?

the session entry due cron job running root. being spawned @ 06:06.

check relevant cron entries root , find out being run @ time exactly.

possible places at:

  • /etc/crontab
  • /etc/cron.d/*
  • /etc/cron.hourly/*
  • root's crontab: crontab -e root

if anacron not active:

  • /etc/cron.daily/*
  • /etc/cron.weekly/*
  • /etc/cron.monthly/*

just add, if system compromised before, stop using it, take backup (if needed), setup os again. later can analyze backed contents dig further regarding intrusion.


Comments

Post a Comment

Popular posts from this blog

Windows XP installation, no previous version of Windows NT - Super User

i tried reinstall windows xp on lenovo s10e netbook, got error: no previous version of windows nt can found on computer. setup cannot verify qualify install upgrade product. quit setup, press f3 this notebook has no optical drive, installing xp via usb pendrive. old post. answering anyways in hope nobody ever need information since xp long since dead. xp , addional drivers: in order access harddrive need drives mass storage , drivers hdd controller. first build xp. second might be. if driver on xp installation cd not need anything. if driver not on standard cd have @ least 2 choices: create custom cd addition drives (slipstream), or load driver during setup. instructed installation process 'press f6 load additional drives'. @ stage press f6 , insert floppy relevant driver. xp , ahci in past used many storage devices. sorts of scsi, esda, ata etc etc. of these need drivers. time xp reached sp3 home systems had moved ata interface , there...
Read more

permissions - Mount is denied because the NTFS volume is already exclusively opened - Ask Ubuntu

i got stuck with: mount denied because ntfs volume exclusively opened. volume may mounted, or software may use identified example of 'fuser' command. and when run mount command this: sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime) proc on /proc type proc (rw,nosuid,nodev,noexec,relatime) udev on /dev type devtmpfs (rw,nosuid,relatime,size=986036k,nr_inodes=214395,mode=755) devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000) tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=199708k,mode=755) /dev/sda9 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered) securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime) tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev) tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k) tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755) cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,re...
Read more

16.04 - Errors were encountered while processing in python - Ask Ubuntu

i'm using ubuntu 16.04 desktop , facing below error while apt-get operation : reading package lists... done building dependency tree reading state information... done 0 upgraded, 0 newly installed, 1 reinstalled, 0 remove , 0 not upgraded. 10 not installed or removed. need 0 b/224 kb of archives. after operation, 0 b of additional disk space used. (reading database ... 120416 files , directories installed.) preparing unpack .../python2.7_2.7.12-1~16.04_amd64.deb ... unpacking python2.7 (2.7.12-1~16.04) on (2.7.12-1~16.04) ... processing triggers mime-support (3.59ubuntu1) ... setting python3 (3.5.1-3) ... running python rtupdate hooks python3.5... dpkg-query: package 'hplip-data' not installed use dpkg --info (= dpkg-deb --info) examine archive files, , dpkg --contents (= dpkg-deb --contents) list contents. traceback (most recent call last): file "/usr/bin/py3clean", line 210, in <module> main() file "/usr/bin/py3clean", line 196, in ...
Read more