Was my computer hacked?



Allgeier55
03.02.06, 13:53
I have strange messages in /var/log/messages!
Can someone tell me what this means?


Feb 2 16:57:13 allgeier syslog-ng[4436]: STATS: dropped 0
Feb 2 17:57:13 allgeier syslog-ng[4436]: STATS: dropped 0
Feb 2 18:57:14 allgeier syslog-ng[4436]: STATS: dropped 0
Feb 2 19:12:24 allgeier sshd[6406]: Did not receive identification string from 210.240.94.2
Feb 2 19:21:42 allgeier sshd[6427]: Invalid user staff from 210.240.94.2
Feb 2 19:21:46 allgeier sshd[6429]: Invalid user sales from 210.240.94.2
Feb 2 19:21:50 allgeier sshd[6431]: Invalid user recruit from 210.240.94.2
Feb 2 19:21:54 allgeier sshd[6433]: Invalid user alias from 210.240.94.2
Feb 2 19:21:59 allgeier sshd[6435]: Invalid user office from 210.240.94.2
Feb 2 19:22:03 allgeier sshd[6437]: Invalid user samba from 210.240.94.2
Feb 2 19:22:06 allgeier sshd[6439]: Invalid user tomcat from 210.240.94.2
Feb 2 19:22:15 allgeier sshd[6441]: Invalid user webadmin from 210.240.94.2
Feb 2 19:22:18 allgeier sshd[6443]: Invalid user spam from 210.240.94.2
Feb 2 19:22:23 allgeier sshd[6445]: Invalid user virus from 210.240.94.2
Feb 2 19:22:31 allgeier sshd[6449]: Invalid user oracle from 210.240.94.2
Feb 2 19:22:36 allgeier sshd[6451]: Invalid user michael from 210.240.94.2
Feb 2 19:22:51 allgeier sshd[6457]: Invalid user webmaster from 210.240.94.2
Feb 2 19:22:55 allgeier sshd[6459]: Invalid user postmaster from 210.240.94.2
Feb 2 19:23:03 allgeier sshd[6463]: Invalid user postgres from 210.240.94.2
Feb 2 19:23:07 allgeier sshd[6465]: Invalid user paul from 210.240.94.2
Feb 2 19:23:16 allgeier sshd[6469]: Invalid user guest from 210.240.94.2
Feb 2 19:23:20 allgeier sshd[6471]: Invalid user admin from 210.240.94.2
Feb 2 19:23:23 allgeier sshd[6473]: Invalid user linux from 210.240.94.2
Feb 2 19:23:27 allgeier sshd[6475]: Invalid user user from 210.240.94.2
Feb 2 19:23:31 allgeier sshd[6477]: Invalid user david from 210.240.94.2
Feb 2 19:23:35 allgeier sshd[6479]: Invalid user web from 210.240.94.2
Feb 2 19:23:39 allgeier sshd[6481]: Invalid user apache from 210.240.94.2
Feb 2 19:23:43 allgeier sshd[6483]: Invalid user pgsql from 210.240.94.2
Feb 2 19:23:50 allgeier sshd[6487]: Invalid user info from 210.240.94.2
Feb 2 19:23:54 allgeier sshd[6489]: Invalid user tony from 210.240.94.2
Feb 2 19:23:58 allgeier sshd[6491]: Invalid user core from 210.240.94.2
Feb 2 19:24:02 allgeier sshd[6493]: Invalid user newsletter from 210.240.94.2
Feb 2 19:24:09 allgeier sshd[6497]: Invalid user visitor from 210.240.94.2
Feb 2 19:24:13 allgeier sshd[6499]: Invalid user ftpuser from 210.240.94.2
Feb 2 19:24:17 allgeier sshd[6501]: Invalid user username from 210.240.94.2
Feb 2 19:24:21 allgeier sshd[6503]: Invalid user administrator from 210.240.94.2
Feb 2 19:24:25 allgeier sshd[6505]: Invalid user library from 210.240.94.2
Feb 2 19:24:41 allgeier sshd[6513]: Invalid user admin from 210.240.94.2
Feb 2 19:24:45 allgeier sshd[6515]: Invalid user guest from 210.240.94.2
Feb 2 19:24:50 allgeier sshd[6517]: Invalid user master from 210.240.94.2
Feb 2 19:25:17 allgeier sshd[6529]: Invalid user admin from 210.240.94.2
Feb 2 19:25:22 allgeier sshd[6531]: Invalid user admin from 210.240.94.2
Feb 2 19:25:26 allgeier sshd[6533]: Invalid user admin from 210.240.94.2
Feb 2 19:25:32 allgeier sshd[6535]: Invalid user admin from 210.240.94.2
Feb 2 19:25:55 allgeier sshd[6545]: Invalid user webmaster from 210.240.94.2
Feb 2 19:26:00 allgeier sshd[6547]: Invalid user username from 210.240.94.2
Feb 2 19:26:04 allgeier sshd[6549]: Invalid user user from 210.240.94.2
Feb 2 19:26:13 allgeier sshd[6553]: Invalid user admin from 210.240.94.2
Feb 2 19:26:34 allgeier sshd[6563]: Invalid user danny from 210.240.94.2
Feb 2 19:26:38 allgeier sshd[6565]: Invalid user alex from 210.240.94.2
Feb 2 19:26:44 allgeier sshd[6567]: Invalid user brett from 210.240.94.2
Feb 2 19:26:48 allgeier sshd[6569]: Invalid user mike from 210.240.94.2
Feb 2 19:57:14 allgeier syslog-ng[4436]: STATS: dropped 0
Feb 2 20:57:15 allgeier syslog-ng[4436]: STATS: dropped 0
Feb 2 21:57:15 allgeier syslog-ng[4436]: STATS: dropped 0
Feb 2 22:00:02 allgeier logrotate: ALERT exited abnormally with [1]
Feb 2 22:00:03 allgeier logrotate: /usr/bin/mysqladmin: connect to server at 'localhost' failed
Feb 2 22:00:03 allgeier logrotate: error: 'Access denied for user 'root'@'localhost' (using password: NO)'
Feb 2 22:00:03 allgeier logrotate: error: error running postrotate script
Feb 2 22:00:27 allgeier su: (to nobody) root on none
Feb 2 22:00:27 allgeier su: (to nobody) root on none
Feb 2 22:00:41 allgeier su: (to nobody) root on none
Feb 2 22:00:41 allgeier su: (to nobody) root on none
Feb 2 22:00:43 allgeier su: (to cyrus) root on none
Feb 2 22:00:43 allgeier ctl_mboxlist[6989]: DBERROR: reading /var/lib/imap/db/skipstamp, assuming the worst: No such file or directory
Feb 2 22:00:44 allgeier ctl_mboxlist[6989]: skiplist: recovered /var/lib/imap/mailboxes.db (0 records, 144 bytes) in 1 second

marce
03.02.06, 14:01
Well, the SSH connection attempts are normal background noise - as long as you have configured the system well and always apply all updates, I wouldn't worry about them.

The IMAP business with MySQL - you have to know yourself whether that message is normal or comes from a misconfiguration.

But maybe someone got in that way, too; unfortunately the log file doesn't give away much at that point...

Allgeier55
03.02.06, 14:06
I was in bed with a fever yesterday and was definitely not at the computer.
So if they can call the su command, they must already have been on the machine, or am I wrong about that!

marce
03.02.06, 14:08
Was that perhaps a cron job? In connection with logrotate, e.g. a restart of Apache, a restart of ...

edit: s/\!/\?/ :-)

MiGo
03.02.06, 18:18
You can see who was last logged in, when and from where, with "last" (if it wasn't a particularly good intruder ^^).
And the "su" entries say that root became the users "nobody" (for apache) and "cyrus" (for the cyrus IMAP server).
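The two observations in the replies above (the sshd lines are a scripted username scan from one address; the su lines sit seconds after logrotate ran at 22:00 and carry no terminal, so a postrotate script rather than a person most likely ran them) can be checked mechanically instead of by eye. The script below is an added example and is not code from the thread or from any of the tools mentioned. It parses an excerpt of the /var/log/messages lines quoted in the first post, plus one constructed line from 192.0.2.10 (a documentation address) for contrast, groups the "Invalid user" attempts per source address, and correlates each su transition with a preceding logrotate message. The year 2006 is assumed because syslog timestamps omit it; the thresholds in classify_source are illustrative choices, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not part of the forum thread. Excerpt of the /var/log/messages lines the
# original poster quoted, plus one constructed line from 192.0.2.10 for contrast.
SAMPLE_LOG = """\
Feb 2 18:57:14 allgeier syslog-ng[4436]: STATS: dropped 0
Feb 2 19:12:24 allgeier sshd[6406]: Did not receive identification string from 210.240.94.2
Feb 2 19:21:42 allgeier sshd[6427]: Invalid user staff from 210.240.94.2
Feb 2 19:21:46 allgeier sshd[6429]: Invalid user sales from 210.240.94.2
Feb 2 19:21:50 allgeier sshd[6431]: Invalid user recruit from 210.240.94.2
Feb 2 19:21:54 allgeier sshd[6433]: Invalid user alias from 210.240.94.2
Feb 2 19:21:59 allgeier sshd[6435]: Invalid user office from 210.240.94.2
Feb 2 19:22:03 allgeier sshd[6437]: Invalid user samba from 210.240.94.2
Feb 2 19:23:20 allgeier sshd[6471]: Invalid user admin from 210.240.94.2
Feb 2 19:25:17 allgeier sshd[6529]: Invalid user admin from 210.240.94.2
Feb 2 19:25:22 allgeier sshd[6531]: Invalid user admin from 210.240.94.2
Feb 2 19:26:48 allgeier sshd[6569]: Invalid user mike from 210.240.94.2
Feb 2 20:10:05 allgeier sshd[6600]: Invalid user bob from 192.0.2.10
Feb 2 22:00:02 allgeier logrotate: ALERT exited abnormally with [1]
Feb 2 22:00:27 allgeier su: (to nobody) root on none
Feb 2 22:00:27 allgeier su: (to nobody) root on none
Feb 2 22:00:41 allgeier su: (to nobody) root on none
Feb 2 22:00:41 allgeier su: (to nobody) root on none
Feb 2 22:00:43 allgeier su: (to cyrus) root on none
"""

# Classic syslog line: "<Mon> <day> <HH:MM:SS> <host> <prog>[<pid>]: <msg>" (pid is optional, as for su).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
INVALID_USER_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)$")
SU_RE = re.compile(r"^\(to (?P<target>\S+)\) (?P<src>\S+) on (?P<tty>\S+)$")


def parse_log(text, year=2006):
    """Turn raw syslog lines into dicts with a datetime timestamp; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        stamp = " ".join(ev["ts"].split())  # collapse the double space syslog puts before single-digit days
        ev["ts"] = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events


def ssh_guess_summary(events):
    """Group sshd 'Invalid user' lines by source address: attempts, distinct names tried, time span."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "first": None, "last": None})
    for ev in events:
        if ev["prog"] != "sshd":
            continue
        m = INVALID_USER_RE.match(ev["msg"])
        if not m:
            continue
        s = per_ip[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
    return {
        ip: {
            "attempts": s["attempts"],
            "distinct_users": len(s["users"]),
            "span_seconds": (s["last"] - s["first"]).total_seconds(),
        }
        for ip, s in per_ip.items()
    }


def classify_source(entry, min_attempts=5, min_users=3):
    """Many different account names from one address in a short span is the signature of a scripted scan.
    For the defender the useful follow-up is whether any of the tried names exists with a weak password."""
    if entry["attempts"] >= min_attempts and entry["distinct_users"] >= min_users:
        return "scripted username scan"
    return "isolated failed login"


def su_near_logrotate(events, window_seconds=60):
    """List su transitions and, for each, whether a logrotate message preceded it within the window.
    tty 'none' means no terminal was attached, i.e. a non-interactive call such as a postrotate script.
    A hit supports, but does not prove, the cron-job explanation given in the thread."""
    rotate_times = [ev["ts"] for ev in events if ev["prog"] == "logrotate"]
    results = []
    for ev in events:
        if ev["prog"] != "su":
            continue
        m = SU_RE.match(ev["msg"])
        if not m:
            continue
        preceded = any(0 <= (ev["ts"] - t).total_seconds() <= window_seconds for t in rotate_times)
        results.append({
            "ts": ev["ts"], "from": m["src"], "to": m["target"],
            "interactive": m["tty"] != "none", "after_logrotate": preceded,
        })
    return results


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, s in ssh_guess_summary(evs).items():
        print(ip, s, "->", classify_source(s))
    for r in su_near_logrotate(evs):
        print(r)
```

On the excerpt, 210.240.94.2 comes out as ten attempts against eight different names within about five minutes, which is what marce calls background noise, while the five su lines are all non-interactive and all fall within a minute of the logrotate alert, which is the pattern marce guessed at and MiGo explained. What the log cannot tell you is whether one of the tried names existed with a guessable password; that is where "last" and the sshd "Accepted" lines (absent from the posted excerpt) would have to be checked.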