Problem with logs

Aldisa Admin admin at aldisa.ca
Wed Sep 12 06:25:06 PDT 2007


Hello All,

I am having trouble understanding what is going on and how to solve the problem:

For the last few days, I am getting the following messages (some names removed for privacy) in the daily security run output:

[hostname].ca login failures:
Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0

[hostname].ca login failures:
Sep  8 16:56:15 server su: BAD SU abid to root on /dev/ttyp0


I got worried because both these instances are times when I am positive that I am not accessing the system.  I am the only user of the system.  I use ssh to access the system.  Root access is disabled in sshd.  I log in using my username (abid) and SU to root when necessary.

So I went to check the auth.log, and here is the concerned section:

Aug 31 17:01:36 server sshd[67613]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1203 ssh2
Aug 31 17:01:40 server su: abid to root on /dev/ttyp0
Aug 31 18:42:56 server sshd[69386]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1688 ssh2
Aug 31 18:43:01 server su: abid to root on /dev/ttyp0
Aug 31 22:58:28 server sshd[71423]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 2032 ssh2
Aug 31 22:58:32 server su: abid to root on /dev/ttyp0
Sep  9 13:40:55 server sshd[72180]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 4146 ssh2
Sep  9 13:41:00 server su: abid to root on /dev/ttyp0
Sep  9 14:14:09 server sshd[72484]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1116 ssh2
Sep 10 09:04:41 server sshd[81232]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2599 ssh2
Sep 10 09:04:47 server su: abid to root on /dev/ttyp0
Sep 11 11:37:10 server sshd[94789]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 1361 ssh2
Sep 11 11:37:15 server su: abid to root on /dev/ttyp0
Sep 12 08:41:46 server sshd[6247]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2521 ssh2
Sep 12 08:41:53 server su: abid to root on /dev/ttyp0


As you can see, there is no matching incident in the auth.log.  How can the security run show a BAD SU when there is no matching entry in the auth.log for somebody authenticating successfully under my username?

Some other facts:

The machine is behind a NAT router and only apache and email ports (25, 80, 110, 143, 443, 587) are open.  SSH access is restricted to intranet IP ranges.  The only other opening is a VPN connection between the routers at my office (where the server is) and my home.  The subnet in the office is 192.168.1 and at home is 192.168.2.

I changed the password on my account after the Sep 8 occurrence.

It seems to me that somebody is hacking in, but I can't figure out how and from where.

ANY AND ALL HELP WILL BE APPRECIATED.

Abid
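The cross-check the post does by hand, as an added example that is not part of the original message: feed the BAD SU lines from the security run output together with the auth.log lines into one stream, and flag every su record for which no sshd "Accepted" login for the same user appears within the preceding window. The sample lines are constructed from the format shown in the post; the year 2007 and the one-hour window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample input: sshd logins and su records in the format the post
# shows, plus a BAD SU line copied into the same stream from the security run.
SAMPLE_LOG = """\
Aug 31 17:01:36 server sshd[67613]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1203 ssh2
Aug 31 17:01:40 server su: abid to root on /dev/ttyp0
Sep  8 16:56:15 server su: BAD SU abid to root on /dev/ttyp0
Sep 10 09:04:41 server sshd[81232]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2599 ssh2
Sep 10 09:04:47 server su: abid to root on /dev/ttyp0
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
SSHD_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
SU_RE = re.compile(TS + r" \S+ su: (?P<bad>BAD SU )?(?P<user>\S+) to (?P<target>\S+) on (?P<tty>\S+)")

def parse_ts(ts, year=2007):
    """syslog timestamps carry no year; the year is an assumption supplied by the caller."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def find_unmatched_su(log_text, window_s=3600):
    """Return every su record (successful or BAD SU) that is not preceded, within
    window_s seconds, by an sshd 'Accepted' login of the same user.

    A su on a pseudo-tty (ttyp*) should follow a remote session for that user.
    Local console logins are not modelled here and would need login(1) records too."""
    logins = []      # (time, user, source ip) taken from sshd lines
    unmatched = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            logins.append((parse_ts(m["ts"]), m["user"], m["ip"]))
            continue
        m = SU_RE.match(line)
        if not m:
            continue
        when = parse_ts(m["ts"])
        has_session = any(
            user == m["user"] and 0 <= (when - t).total_seconds() <= window_s
            for t, user, _ip in logins
        )
        if not has_session:
            unmatched.append({"time": when, "user": m["user"], "target": m["target"],
                              "tty": m["tty"], "failed": bool(m["bad"])})
    return unmatched

if __name__ == "__main__":
    for rec in find_unmatched_su(SAMPLE_LOG):
        print(f"{rec['time']:%b %d %H:%M:%S}  su {rec['user']}->{rec['target']} on "
              f"{rec['tty']} failed={rec['failed']}  no matching ssh login")
```

On the constructed sample only the Sep 8 BAD SU is reported; the su records at 17:01:40 and 09:04:47 each follow an accepted ssh login for abid by a few seconds.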