Lunarpages Web Hosting Forum

Author Topic: Question: How to Identify a Successful Hacking Attempt?  (Read 15879 times)

Offline The Natural Greek Phenomenon

Question: How to Identify a Successful Hacking Attempt?
« on: May 21, 2005, 02:54:21 AM »
Hi,

What could this process mean:
" sshd: unknown [priv] " or " sshd: unknown [net] "

Is this an indication of a possible intrusion by a hacker?

If yes, what actions should be taken?

Thanks

Offline PeterM

Question: How to Identify a Successful Hacking Attempt?
« Reply #1 on: May 23, 2005, 03:58:07 AM »
At the moment there are a lot of so-called dictionary attacks going on against servers running SSH. It means people are trying to find out an SSH login name on your server using a CD and a small program. This should be harmless if you have secured SSH.

Offline abhilash

Question: How to Identify a Successful Hacking Attempt?
« Reply #2 on: May 23, 2005, 08:36:32 PM »
"sshd: unknown [priv]" and "sshd: unknown [net]" appear when someone is trying to log in to your system, but there is no account under that username.

Mostly such log entries will be followed by something like the lines below in /var/log/messages:

Mar 26 10:41:33 athena sshd(pam_unix)[3984]: check pass; user unknown
Mar 26 10:41:33 athena sshd(pam_unix)[3984]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=210.0.141.89

where you can block the IP 210.0.141.89.

Meanwhile you should edit /etc/ssh/sshd_config to contain the settings below:

Protocol 2 (only SSH2 should be allowed, SSH1 is vulnerable)
Port 22 (22 can be changed to something else, preferably a number 10000+, but you have to know that once it is changed and sshd is restarted, you won't be able to connect with the default port 22; instead you must specify the port number given here in your SSH client to connect to SSH. Don't change it unless you know what you are doing)

and follow the steps at http://www.lunarforums.com/viewtopic.php?t=26253
Abhilash

JSA Supervisor - System Admin Team
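An added example, not from this thread or from Lunarpages, that applies the reply above: it parses pam_unix lines in the /var/log/messages format quoted, counts authentication failures per rhost, separates unknown-username probes (the "sshd: unknown" process from the question) from failures against real accounts, and renders firewall block rules for repeat offenders. The sample hosts, PIDs and the three-failure threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the /var/log/messages format quoted above; the
# hosts (RFC 5737 documentation ranges) and PIDs are made up.
SAMPLE_LOG = """\
Mar 26 10:41:33 athena sshd(pam_unix)[3984]: check pass; user unknown
Mar 26 10:41:33 athena sshd(pam_unix)[3984]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.9
Mar 26 10:41:35 athena sshd(pam_unix)[3987]: check pass; user unknown
Mar 26 10:41:35 athena sshd(pam_unix)[3987]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.9
Mar 26 10:41:37 athena sshd(pam_unix)[3990]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.9 user=root
Mar 26 10:42:01 athena sshd(pam_unix)[3995]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.20 user=alice
Mar 26 10:42:05 athena sshd(pam_unix)[3998]: session opened for user alice by (uid=0)
"""

FAILURE_RE = re.compile(
    r"sshd\(pam_unix\)\[(?P<pid>\d+)\]: authentication failure;.*?"
    r"rhost=(?P<rhost>\S+)(?:\s+user=(?P<user>\S+))?"
)
UNKNOWN_RE = re.compile(r"sshd\(pam_unix\)\[(?P<pid>\d+)\]: check pass; user unknown")


def failures_by_host(log_text):
    """Count authentication failures per rhost.

    A 'check pass; user unknown' line with the same sshd PID means the
    username did not exist (the 'sshd: unknown' process from the question),
    so those are tallied apart from failures against real accounts.
    """
    unknown_pids = {m.group("pid") for m in UNKNOWN_RE.finditer(log_text)}
    per_host = {}
    for m in FAILURE_RE.finditer(log_text):
        stats = per_host.setdefault(m.group("rhost"), Counter())
        stats["failures"] += 1
        if m.group("pid") in unknown_pids:
            stats["unknown_user"] += 1
        elif m.group("user"):
            stats["known_user"] += 1
    return per_host


def hosts_to_block(log_text, threshold=3):
    """Hosts with at least `threshold` failures, worst first (threshold is an assumption)."""
    per_host = failures_by_host(log_text)
    return sorted((h for h, s in per_host.items() if s["failures"] >= threshold),
                  key=lambda h: -per_host[h]["failures"])


def block_rules(hosts):
    """Render iptables DROP rules for the chosen hosts; review before applying."""
    return ["iptables -I INPUT -s %s -j DROP" % h for h in hosts]
```

Feed it the real /var/log/messages instead of SAMPLE_LOG and review the output before applying any rule, since a single host hitting real usernames may be a locked-out colleague rather than a scanner.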

Offline The Natural Greek Phenomenon

Question: How to Identify a Successful Hacking Attempt?
« Reply #3 on: May 25, 2005, 04:55:03 PM »
Thanks folks.

Regarding this excellent tutorial:
http://www.lunarforums.com/viewtopic.php?t=26253

The problem is... what would be my username if "root" is used as login.

And if you please explain this:
"then do a su on the command prompt and type in the root password to become root." (what is "su" and how exactly do we execute this process).

Please don't cackle as I am a complete rookie.

Of course I'd expect an email for this sensitive procedure.

Offline GMTurner

Question: How to Identify a Successful Hacking Attempt?
« Reply #4 on: May 25, 2005, 05:33:03 PM »
su = substitute user

It allows you to log in as a "regular", unprivileged user and then "promote" yourself to "root" (by using su) to perform certain commands without having to actually log in using the root account.

If you did log in as root, though, you would probably not need to use su since you are already at that level...

There's also a sudo command (if I'm remembering correctly, but it's been a while since I really played around with the command line in Linux) that allows you to run a particular command/program as the root user but does not "promote" you to that role...

If you do a "man su" at the command line, it should give you the manual pages for the su command... though it might not be set up that way at LP, in which case just do a Google search for "man su" and it will give you essentially the same information. Same goes for other commands as well: "man ls" to get info on the ls command, "man sudo" for info on sudo, etc.

Not sure if this helps or not, but hope it clears something up somewhere for someone :)
The above information may or may not reflect current policy, opinions, or views since it was likely made almost 10 years ago.

Offline The Natural Greek Phenomenon

Question: How to Identify a Successful Hacking Attempt?
« Reply #5 on: May 25, 2005, 06:53:54 PM »
GMTurner - thanks for the clarification.

Offline PeterM

Question: How to Identify a Successful Hacking Attempt?
« Reply #6 on: May 25, 2005, 07:23:01 PM »
Quote from: buy-steroids.biz
Thanks folks.

Regarding this excellent tutorial:
http://www.lunarforums.com/viewtopic.php?t=26253

The problem is... what would be my username if "root" is used as login.

And if you please explain this:
"then do a su on the command prompt and type in the root password to become root." (what is "su" and how exactly do we execute this process).

Please don't cackle as I am a complete rookie.

Of course I'd expect an email for this sensitive procedure.


You also might hear among the Linux folks that "su" stands for "superuser", which is more or less the purpose of the su command: to become root (= superuser). If you ssh to your server as a regular user, just type su at the command prompt and hit enter. You will then be asked for the root password. :-)

Offline GMTurner

Question: How to Identify a Successful Hacking Attempt?
« Reply #7 on: May 25, 2005, 07:29:12 PM »
Quote from: PeterM
You also might hear under the linux folks that "su" stands for "superuser"


Thanks :)  I had superuser in originally, but then did a quick search to double check myself and saw substitute user and went with that... glad to know I should have stuck with my original feeling...
The above information may or may not reflect current policy, opinions, or views since it was likely made almost 10 years ago.

Offline TranzNDance

Question: How to Identify a Successful Hacking Attempt?
« Reply #8 on: May 25, 2005, 07:38:13 PM »
And I thought it meant Stanford University. :P
:whip: :love: :whip: :love: :whip: :love:

Offline PeterM

Question: How to Identify a Successful Hacking Attempt?
« Reply #9 on: May 25, 2005, 08:24:23 PM »
Quote from: GMTurner
Quote from: PeterM
You also might hear under the linux folks that "su" stands for "superuser"


Thanks :)  I had superuser in originally, but then did a quick search to double check myself and saw substitute user and went with that... glad to know I should have stuck with my original feeling...


Your explanation was correct   :thumb:  the Linux users have just changed it themselves over time.  :)
If you are logged in as root, you can become any user just by typing the su command followed by the username. That is where the "substitute user" origin comes from.

Offline GMTurner

Question: How to Identify a Successful Hacking Attempt?
« Reply #10 on: May 25, 2005, 08:58:46 PM »
Is it possible to ... uh... desu? unsu? or do you just su back to whatever user?

And now I feel technically correct about my previous answer but somehow less geeky because of it  :?

(Oh, and according to my wife it stands for Southwestern University...)
The above information may or may not reflect current policy, opinions, or views since it was likely made almost 10 years ago.

Offline PeterM

Question: How to Identify a Successful Hacking Attempt?
« Reply #11 on: May 25, 2005, 09:11:15 PM »
Quote from: GMTurner
Is it possible to ... uh... desu? unsu? or do you just su back to whatever user?

And now I feel technically correct about my previous answer but somehow less geeky because of it  :?

(Oh, and according to my wife it stands for Southwestern University...)


If you used su to become another user and want to get out of it, just use the magic geeky word "exit"  :)
Oh.... and remember, the wife is always right   :o

Offline TranzNDance

Question: How to Identify a Successful Hacking Attempt?
« Reply #12 on: May 25, 2005, 09:54:13 PM »
Yeah, but which SU university has contributed more to computing? :poke:
:whip: :love: :whip: :love: :whip: :love:

Offline GMTurner

Question: How to Identify a Successful Hacking Attempt?
« Reply #13 on: May 25, 2005, 09:56:29 PM »
Quote
just use the magic geeky word "exit" Smile

:argh: I should have thought of that :)
The above information may or may not reflect current policy, opinions, or views since it was likely made almost 10 years ago.

Offline abhilash

Question: How to Identify a Successful Hacking Attempt?
« Reply #14 on: May 26, 2005, 12:22:00 AM »
Okay, I go for "switch user". The glossary page at http://tldp.org/LDP/intro-linux/html/gloss.html says so.

"whatis su" says "run a shell with substitute user and group IDs". So it is "substitute user".

But I am sure after all these, buy-steroids.biz won't forget the use of "su"  :evil: ever  :thumb:
Abhilash

JSA Supervisor - System Admin Team