# Am I hacked or not?

## kanttu

Last autumn I made some serious mistakes: 

I) having sshd on public port 22 

II) having PermitRootLogin yes

I know these were serious issues and now I know better. I'm not asking for any security tips at this point.

A few days ago I looked at my /var/log/messages and there were about 27000 failed ssh logins from September 2005 until now.

First I thought everything was ok, but then I analyzed that log and noticed that there wasn't a single failed root login attempt. That is quite weird, not even one in 27000; I'd think root is the first one they would try to break.

I also noticed this:

```
Oct 15 11:14:33 athlon64 sshd[11907]: Invalid user master from ::ffff:140.109.64.195
Oct 15 11:14:36 athlon64 sshd[11909]: Invalid user apache from ::ffff:140.109.64.195
Oct 15 11:14:57 athlon64 sshd[11925]: Invalid user admin from ::ffff:140.109.64.195
Oct 15 11:15:00 athlon64 sshd[11927]: Invalid user admin from ::ffff:140.109.64.195
```

As you can see, there is a huge gap between apache and admin: 20 secs and 16 pids.

When I did some googling I found some logs of similar attacks; the pattern went like this: ... test, admin, guest, master, apache, root n times ..., admin, admin, ...

And that wasn't even the only time; there are plenty of similar events where it seems that I have lost some log entries.

This is the last time, about 10 minutes before I noticed those hammering attempts and stopped my sshd:

```
Jan  7 22:07:24 athlon64 sshd[12668]: Invalid user admin from 64.34.176.102
Jan  7 22:07:25 athlon64 sshd[12670]: Invalid user admin from 64.34.176.102
Jan  7 22:09:37 athlon64 sshd[12950]: Invalid user abuse from 64.34.176.102
Jan  7 22:09:38 athlon64 sshd[12952]: Invalid user support from 64.34.176.10
```

As you can see, a huge gap between admin and abuse.

So, is it likely that someone has hacked into my computer and removed all failed root login attempts from my /var/log/messages, even in a 10 minute time frame like in that last case?

I don't have any other text log files but that /var/log/messages, and after I discovered this I tested whether it even logs failed root login attempts, and it does.

I have no idea why there aren't any in the /var/log/messages then.

I did check "last root" and I did run rkhunter and chkrootkit, but nothing.

So is there any way to know for sure if I was hacked or not? The only clue for me is those missing failed root login entries in /var/log/messages.

Please help me if you have any knowledge, and even if you haven't please check that "test admin guest master apache" attack pattern for me from your log files.

This thing really troubles me and I'm unable to sleep anymore.  :Sad: 

----------

## xoomix

Doesn't look like you were hacked - I can't imagine a hacker smart enough to brute password hack as root into your system, remove all root failed attempts, but then leave his IP address from the other username attempts in the syslog file - if I were to do that my IP is the ONLY thing I'd try to cover -  :Razz: 

----------

## kanttu

I didn't say the hacker wouldn't remove his IP, but that he would remove all the failed root login attempts AND all the traces of his own IP.

When I was talking on IRC a few minutes ago, some Gentoo user told me he has got some hundreds of attacks in one week but none of them is a root login attempt.

I still can't believe that all the script kiddies have stopped hammering root.

----------

## ningo

Looks like drones probing the subnet of your domain. Nothing to worry about, just usual 'internet traffic'.

----------

## kanttu

Thank you for your encouragement, but I was asking for an explanation for all the missing failed root login attempts and gaps in /var/log/messages.

Is it possible that sshd just didn't write them up until now?

----------

## PaulBredbury

*kanttu wrote:*

> I still can't believe that all the script kiddies have stopped hammering root.

Was the root password hackable? If it was something stupid like "root", then reinstall. If it was something safe like "sf4Gy7IP3f", then you are statistically safe.

If you have a nagging doubt in your mind, then reinstall. That's the only way to remove the doubt.

----------

## kanttu

My root password wasn't as simple as "root" or "password", but neither was it as hard as "sf4Gy7IP3f" ...

Can there be a bug in openssh which gives hackers a way to prevent root login attempts from being logged?

Like I said, the latest possible root login attempts took place 10 minutes before I closed my sshd, so I don't see it as likely that someone erased them in such a short time frame.

----------

## PaulBredbury

*kanttu wrote:*

> Can there be a bug in openssh which gives hackers a way to prevent root login attempts from being logged?

I don't see such a bug - if one were found, it would have high visibility, and the vulnerable versions would be removed from portage.

*Quote:*

> Like I said, the latest possible root login attempts took place 10 minutes before I closed my sshd, so I don't see it as likely that someone erased them in such a short time frame.

I don't think you can discern anything from the timings of the login attempts. That PC is probably trying lots of IP addresses simultaneously and randomly.

----------

## kanttu

I don't rely only on timing but on sshd pid numbers: where there is a gap in time there is also a gap in pid numbers. This occurs mostly between the attempts "apache" and "admin".

If you want to analyze my whole sshd log yourself, here it is http://kanttu.emdia.fi/ssh.log 2.7Mb 

I made it with "grep -e ssh > ssh.log"

----------

## PaulBredbury

*kanttu wrote:*

> where there is a gap in time there is also a gap in pid numbers.

That's to be expected. You have other programs running on your PC which create and destroy their own threads, and pid numbers are random-ish anyway, looking at my output of ps ax.

----------

## kanttu

Ok, that will explain something but I'm still wondering why there aren't any failed root login attempts of all those 27000 attempts.

----------

## xoomix

Cause root never logged in. Pure paranoia will drive you mad.

----------

## groovin

If you use strong passwords, you shouldn't worry so much.

I wanted to see how strong my password was, so I used johntheripper on it... after 4 hours on a P4, john had not brute forced it. That's many hundreds of thousands of attempts.. so I guess my password is reasonably strong.

----------

## brims

If you only login remotely from a few machines or something, you can setup iptables to only allow those IP addresses. I use that, I have AllowUsers <user name> in /etc/ssh/sshd_config and the only machine outside of my full control that has access to my network uses public key authentication, fairly strong. I do not allow password logins to my gateway/firewall. Those are my attempts to stop script kiddies and any cracker that barely knows what he/she is doing.

EDIT: So many people with ssh servers, I think, don't allow root logins, so the script kiddies may just be trying to save all those wasted CPU cycles and bandwidth for other possible names that could be cracked, then, if successful, try to get root access from that user name. Though I could be wrong.

----------

## TBKDan

Um... it says invalid user admin/support/etc... not invalid password.  Root is a valid user, so it didn't log all the login attempts to root as invalid users.  At least that's what I'm getting out of those logs  :Smile:   Then again I'm a noobie  :Very Happy: 

----------

## brims

Unless he's not using syslog-ng, I believe it logs even failed attempts at root login. But I don't see those. The person seemed to try ROOT a few times; why, I don't have a clue. ROOT is no default user name I know of. I would take the advice of some of the other posters: don't worry about it, just make a few changes and make it more secure like "RootLogin no" and possibly "AllowUsers <space separated user name list>". Or if you are paranoid, reinstall.

----------

## TBKDan

But wouldn't it log it to the sshd log?  And what I'm pointing out is that it says invalid user, not invalid password, possibly suggesting that the potential hacker is trying to use a user account that does not exist.

----------

## brims

Most attempts at cracking I've seen are against users that don't exist on most systems. That's exactly how they do it. I've seen so many attempted user names that they are just trying to get something. Invalid user means the name doesn't exist on the target system, you are correct there.

----------
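Added example, not from any poster in the thread: a small Python parser over sshd lines in the syslog format quoted above. It separates "Invalid user" entries (non-existent accounts, as TBKDan and brims point out) from "Failed password for <user>" entries (existing accounts such as root), and lists the time and PID gaps between consecutive attempts from one source, the kind kanttu was looking at. The first four sample lines mirror the ones quoted in the thread; the two "Failed password" lines, their PIDs and port numbers are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the thread's syslog format: the first four lines mirror the poster's,
# the two "Failed password" lines are added (existing account root vs. a non-existent one).
SAMPLE_LOG = """\
Oct 15 11:14:33 athlon64 sshd[11907]: Invalid user master from ::ffff:140.109.64.195
Oct 15 11:14:36 athlon64 sshd[11909]: Invalid user apache from ::ffff:140.109.64.195
Oct 15 11:14:57 athlon64 sshd[11925]: Invalid user admin from ::ffff:140.109.64.195
Oct 15 11:15:00 athlon64 sshd[11927]: Invalid user admin from ::ffff:140.109.64.195
Oct 15 11:15:03 athlon64 sshd[11929]: Failed password for root from ::ffff:140.109.64.195 port 41277 ssh2
Oct 15 11:15:05 athlon64 sshd[11931]: Failed password for invalid user admin from ::ffff:140.109.64.195 port 41280 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?P<msg>Invalid user|Failed password for invalid user|Failed password for) "
    r"(?P<user>\S+) from (?:::ffff:)?(?P<ip>[\d.]+)")

def parse_sshd_lines(text, year=2005):
    """One dict per recognised sshd auth-failure line (syslog has no year, so one is supplied)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd auth-failure line we understand
        events.append({"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
                       "pid": int(m["pid"]), "user": m["user"], "ip": m["ip"],
                       # only a plain "Failed password for <user>" means the account exists
                       "valid_account": m["msg"] == "Failed password for"})
    return events

def summarize(events):
    """Count attempts against existing vs. non-existent accounts, and root on its own."""
    counts = Counter()
    for e in events:
        counts["existing_account" if e["valid_account"] else "nonexistent_account"] += 1
        if e["user"] == "root":
            counts["root"] += 1
    return dict(counts)

def find_gaps(events, min_seconds=10):
    """Consecutive attempts from one source >= min_seconds apart, with the PID delta. PIDs go
    to every process the host forks, so a big delta alone is not evidence of removed lines."""
    gaps, by_ip = [], defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        for prev, cur in zip(evs, evs[1:]):
            secs = int((cur["ts"] - prev["ts"]).total_seconds())
            if secs >= min_seconds:
                gaps.append((ip, prev["pid"], cur["pid"], secs, cur["pid"] - prev["pid"]))
    return gaps
```

Running it on a real file is `grep sshd /var/log/messages` piped into `parse_sshd_lines`; a count of zero for `root` in `summarize` means no failed password attempt against root was logged, not that lines were removed.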

## zerojay

This exact subject is discussed in the sticky topic in this forum. 

https://forums.gentoo.org/viewtopic-t-210585.html

----------

