ssh - suspicious logins root - Ask Ubuntu


i have noticed suspicious logins root account on server created new admin account , assigned root permissions account , disabled root account. had @ /var/log/auth.log file , can see there no more logins suspicious ip anymore showing: 

oct 25 06:06:01 serverhostname cron[10452]: pam_unix(cron:session):   session opened user root (uid=0) oct 25 06:06:01 serverhostname cron[10452]: pam_unix(cron:session): session closed user root

are these scheduled cron jobs? can these ignored?

the session entry due cron job running root. being spawned @ 06:06.

check relevant cron entries root , find out being run @ time exactly.

possible places at:

  • /etc/crontab
  • /etc/cron.d/*
  • /etc/cron.hourly/*
  • root's crontab: crontab -e root

if anacron not active:

  • /etc/cron.daily/*
  • /etc/cron.weekly/*
  • /etc/cron.monthly/*

just add, if system compromised before, stop using it, take backup (if needed), setup os again. later can analyze backed contents dig further regarding intrusion.


Comments

Post a Comment

Popular posts from this blog

download - Firefox cannot save files (most of the time), how to solve? - Super User

this not full duplicate of this question or this question , though base question same. however, questions have no answers. for on half year have problems downloading files firefox. when click on download link, download dialog opened asking me do, save or open it. immediately, there error/warning pop-up (twice, can see 1 @ first) ok button. looks this message : "c:\users\%user%\appdata\local\temp\wbbdv9k8.zip.part not saved because source file not read. try again later or contact server administrator." replace '%user%' name of user trying download. after closing pop-up, download dialog disappears , have minimize firefox , open again, see other pop-up. downloading exact same file internet explorer work, not desired. i tried solutions here . tried solutions here . tried disabling extensions. tried fixing permissions on temp folder. tried making files , folder in profile directory non-readonly. tried running firefox administrator. tried ...
Read more

windows - "-2146893807 NTE_NOT_FOUND" when repair certificate store - Super User

i try repair certificate store in windows 10 doing c:\windows\system32>certutil -store -user ‎330000019dba8d5dddb98062a900000000019d "personal" certutil: -store command failed: 0x80090011 (-2146893807 nte_not_found) certutil: object not found. i have double check mmc, certificate details serial number of certificate. still fail repair certificate store. can please help? i getting same error when trying export pfx. turns out had export c:\cert.pfx instead of cert.pfx (it trying export file cert store ( cert:\localmachine\my ).
Read more