Alissa, posted 3 March 2005 (edited)

Hello,

I am completely at a loss. For two years I have been renting a Cobalt Raq550 dedicated server from ..... . The dedicated server hosts 9 commercial sites, including one for a computer-press company created 3 months ago.

On 3 February 2005 at 01:03 nothing worked any more (no more access to the sites, no more mail, FTP access, SSH, etc.). After many e-mails and faxes, and after paying 90 for a data-ftp, I got hold of the server's log files. And this is where I need help: I have a number of files showing an intrusion, but I cannot manage to locate the attacker's IP.

Some examples:

Last lines of the file adm_access:

127.0.0.1 - - [02/Feb/2005:23:15:23 +0100] "HEAD / HTTP/1.1" 200 0
127.0.0.1 - - [02/Feb/2005:23:30:24 +0100] "HEAD / HTTP/1.1" 200 0
127.0.0.1 - - [02/Feb/2005:23:45:24 +0100] "HEAD / HTTP/1.1" 200 0
127.0.0.1 - - [03/Feb/2005:00:00:23 +0100] "HEAD / HTTP/1.1" 200 0
127.0.0.1 - - [03/Feb/2005:00:15:22 +0100] "HEAD / HTTP/1.1" 200 0
65.214.44.40 - - [03/Feb/2005:00:25:11 +0100] "GET /login.php HTTP/1.0" 200 5091
127.0.0.1 - - [03/Feb/2005:00:30:23 +0100] "HEAD / HTTP/1.1" 200 0
127.0.0.1 - - [03/Feb/2005:00:45:23 +0100] "HEAD / HTTP/1.1" 200 0
127.0.0.1 - - [03/Feb/2005:01:00:23 +0100] "HEAD / HTTP/1.1" 200 0

Last lines of the file auth in var/log:

Feb 2 20:57:48 wsc60 sshd[3256]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:57:51 wsc60 PAM_unix[3261]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:57:51 wsc60 sshd[3261]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:57:54 wsc60 PAM_unix[3263]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:57:54 wsc60 sshd[3263]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:57:57 wsc60 PAM_unix[3266]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:57:57 wsc60 sshd[3266]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:58:00 wsc60 PAM_unix[3268]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:58:00 wsc60 sshd[3268]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 21:41:28 wsc60 PAM_unix[7264]: authentication failure; (uid=0) -> root for sshd service
Feb 2 21:41:28 wsc60 sshd[7264]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 21:41:33 wsc60 PAM_unix[7266]: authentication failure; (uid=0) -> root for sshd service
Feb 2 21:41:33 wsc60 sshd[7266]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 21:41:38 wsc60 PAM_unix[7268]: authentication failure; (uid=0) -> root for sshd service
Feb 2 21:41:38 wsc60 sshd[7268]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 21:41:43 wsc60 PAM_unix[7291]: authentication failure; (uid=0) -> root for sshd service
Feb 2 21:41:43 wsc60 sshd[7291]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 21:41:49 wsc60 PAM_unix[7296]: authentication failure; (uid=0) -> root for sshd service
Feb 2 21:41:49 wsc60 sshd[7296]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 21:41:54 wsc60 PAM_unix[7303]: authentication failure; (uid=0) -> root for sshd service
Feb 2 21:41:54 wsc60 sshd[7303]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 21:42:00 wsc60 PAM_unix[7311]: authentication failure; (uid=0) -> root for sshd service
Feb 2 21:42:00 wsc60 sshd[7311]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 21:42:05 wsc60 PAM_unix[7314]: authentication failure; (uid=0) -> root for sshd service
Feb 2 21:42:05 wsc60 sshd[7314]: PAM-listfile: Non-sense use for apply= parameter
Feb 3 01:03:01 wsc60 sshd[28997]: PAM-listfile: Non-sense use for apply= parameter
Feb 3 01:03:01 wsc60 PAM_unix[29013]: (sshd) session opened for user admin by (uid=500)
Feb 3 01:03:04 wsc60 PAM_pwdb[29029]: (su) session opened for user root by admin(uid=500)
Feb 3 01:03:08 wsc60 PAM_unix[29013]: (sshd) session closed for user admin
Feb 3 01:03:08 wsc60 PAM_pwdb[29029]: (su) session closed for user root
Feb 3 01:03:08 wsc60 getty[1061]: exiting on TERM signal

The lastlog file, although it is 18 MB, is completely unreadable, full of squares in a row!

The last lines of the file secure in var/log:

Feb 3 00:34:21 wsc60 in.proftpd[27207]: connect from 62.193.206.143
Feb 3 00:34:21 wsc60 in.qpopper[27208]: connect from 62.193.206.143
Feb 3 00:34:35 wsc60 sshd[27221]: Did not receive identification string from 62.193.206.143
Feb 3 00:35:00 wsc60 in.qpopper[27262]: connect from 62.193.194.20
Feb 3 00:40:00 wsc60 in.qpopper[27479]: connect from 62.193.194.20
Feb 3 00:45:01 wsc60 in.qpopper[27696]: connect from 62.193.194.20
Feb 3 00:45:01 wsc60 in.identd[27702]: connect from 127.0.0.1
Feb 3 00:45:01 wsc60 in.qpopper[27707]: connect from 127.0.0.1
Feb 3 00:45:01 wsc60 imapd[27712]: connect from 127.0.0.1
Feb 3 00:45:01 wsc60 in.telnetd[27725]: connect from 127.0.0.1
Feb 3 00:45:01 wsc60 in.proftpd[27735]: connect from 127.0.0.1
Feb 3 00:45:01 wsc60 in.identd[27736]: connect from 127.0.0.1
Feb 3 00:47:12 wsc60 in.proftpd[27928]: connect from 62.193.206.143
Feb 3 00:47:12 wsc60 in.qpopper[27929]: connect from 62.193.206.143
Feb 3 00:47:12 wsc60 sshd[27931]: Did not receive identification string from 62.193.206.143
Feb 3 00:50:00 wsc60 in.qpopper[28077]: connect from 62.193.194.20
Feb 3 00:55:00 wsc60 in.qpopper[28339]: connect from 62.193.194.20
Feb 3 00:58:41 wsc60 sshd[28536]: Did not receive identification string from 62.193.206.143
Feb 3 00:58:41 wsc60 in.qpopper[28538]: connect from 62.193.206.143
Feb 3 00:58:41 wsc60 in.proftpd[28539]: connect from 62.193.206.143
Feb 3 01:00:01 wsc60 in.qpopper[28622]: connect from 62.193.194.20
Feb 3 01:00:01 wsc60 in.identd[28628]: connect from 127.0.0.1
Feb 3 01:00:01 wsc60 in.qpopper[28633]: connect from 127.0.0.1
Feb 3 01:00:01 wsc60 imapd[28638]: connect from 127.0.0.1
Feb 3 01:00:01 wsc60 in.telnetd[28651]: connect from 127.0.0.1
Feb 3 01:00:02 wsc60 in.proftpd[28661]: connect from 127.0.0.1
Feb 3 01:00:02 wsc60 in.identd[28662]: connect from 127.0.0.1
Feb 3 01:03:01 wsc60 sshd[28997]: Accepted password for admin from 217.174.207.155 port 20500 ssh2
Feb 3 01:03:11 wsc60 sshd[761]: Received signal 15; terminating.

I filed a complaint on 10 February with the Gendarmerie brigade. I have gathered all the invoices, etc., for the damages. The young company I mentioned at the start is going to file for bankruptcy, and for my part I am losing a lot of euros. I have made a copy of the log files on CD for a possible investigation.

The company renting me this server will not hear of anything at any level; they are not concerned at all.

I would like some help interpreting the log files more clearly, so that I can point the relevant services in an effective and, above all, quick direction. I am completely at a loss and do not know what to do. If I can get help with my request, and receive any advice on what I should do and how, that would be very kind. I am not in the Paris area but in the provinces, in a small town in the Loire; I mention this so that you understand that the legal infrastructure here is a bit "out of date".

Thank you for any help and sorry for this somewhat long post.

Regards,
Alissa

<Edit by Arlette: the host's name: ask for it by PM>

Edited 3 March 2005 by Arlette
Dan, posted 3 March 2005

Hello,

Are you sure your file is complete? There seem to be lines missing between:

Feb 2 21:42:05 wsc60 sshd[7314]: PAM-listfile: Non-sense use for apply= parameter
Feb 3 01:03:01 wsc60 sshd[28997]: PAM-listfile: Non-sense use for apply= parameter

Otherwise, someone tried to connect from Boston on 3 February at 00:25 ... and a few minutes later, at 01:03, a connection originating from your host (IP 217.174.207.155) as admin, followed by an "su", stopped the system.

Dan
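Dan's reading above comes from matching the two files by hand: the source IP of the 01:03 login appears only in `secure` (the "Accepted password" line), while the session for admin and the `su` to root appear only in `auth`, which never records an IP, which is why the attacker's address could not be found there. As an added example (not code from the thread), this Python script does that correlation mechanically on the lines quoted in the thread: it parses the syslog-style records, takes each accepted ssh login from `secure`, and lists the PAM sessions opened within a short window after it in `auth` on the same host. The year 2005, the 30-second window and the embedded sample lines are assumptions taken from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the thread's /var/log/secure and
# /var/log/auth excerpts (server "wsc60"); year 2005 is assumed from the thread.
SECURE_LOG = """\
Feb 3 00:58:41 wsc60 sshd[28536]: Did not receive identification string from 62.193.206.143
Feb 3 01:03:01 wsc60 sshd[28997]: Accepted password for admin from 217.174.207.155 port 20500 ssh2
Feb 3 01:03:11 wsc60 sshd[761]: Received signal 15; terminating.
"""
AUTH_LOG = """\
Feb 2 21:42:05 wsc60 PAM_unix[7314]: authentication failure; (uid=0) -> root for sshd service
Feb 3 01:03:01 wsc60 sshd[28997]: PAM-listfile: Non-sense use for apply= parameter
Feb 3 01:03:01 wsc60 PAM_unix[29013]: (sshd) session opened for user admin by (uid=500)
Feb 3 01:03:04 wsc60 PAM_pwdb[29029]: (su) session opened for user root by admin(uid=500)
Feb 3 01:03:08 wsc60 PAM_pwdb[29029]: (su) session closed for user root
"""
LINE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (\S+) ([\w.-]+)\[(\d+)\]: (.*)$")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from ([\d.]+) port \d+")
OPENED = re.compile(r"\((\w+)\) session opened for user (\S+)")

def parse(text, year=2005):
    """Split syslog-style lines into fields; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        mon, day, clock, host, prog, pid, msg = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": host, "prog": prog, "pid": pid, "msg": msg})
    return events

def attribute_sessions(secure_events, auth_events, window=timedelta(seconds=30)):
    """Tie each accepted ssh login (IP is only in `secure`) to the PAM sessions opened
    within `window` after it in `auth` on the same host, su to root included."""
    out = []
    for e in secure_events:
        m = ACCEPTED.search(e["msg"])
        if e["prog"] != "sshd" or not m:
            continue
        user, ip = m.groups()
        sessions = []
        for a in auth_events:
            o = OPENED.search(a["msg"])
            if o and a["host"] == e["host"] and e["ts"] <= a["ts"] <= e["ts"] + window:
                sessions.append((o.group(1), o.group(2), a["pid"]))  # (service, user, pid)
        out.append({"sshd_pid": e["pid"], "user": user, "ip": ip, "ts": e["ts"],
                    "sessions": sessions})
    return out

if __name__ == "__main__":
    for s in attribute_sessions(parse(SECURE_LOG), parse(AUTH_LOG)):
        print(s["ts"], s["user"], "from", s["ip"], "->", s["sessions"])
```

Run against the full files rather than the excerpts, the same window check also shows whether any other accepted login preceded the 01:03 one; a time window is a heuristic, so the `sshd` PID shared by both files (28997 here) is the stronger tie when it is present.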
Alissa (author), posted 3 March 2005

> Hello,
>
> Are you sure your file is complete? There seem to be lines missing between:
>
> Feb 2 21:42:05 wsc60 sshd[7314]: PAM-listfile: Non-sense use for apply= parameter
> Feb 3 01:03:01 wsc60 sshd[28997]: PAM-listfile: Non-sense use for apply= parameter
>
> Otherwise, someone tried to connect from Boston on 3 February at 00:25 ... and a few minutes later, at 01:03, a connection originating from your host (IP 217.174.207.155) as admin, followed by an "su", stopped the system.
>
> Dan

Re,

In the log files made available to me by data-ftp, the copy-paste I made matches in every respect. I did notice that the connection came from my host, but how can that be explained? Are there other log files that would identify the intrusion more precisely? I find this connection from my host troubling.

A slightly larger copy of the auth file:

Feb 2 20:55:56 wsc60 sshd[2986]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:55:59 wsc60 PAM_unix[2988]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:55:59 wsc60 sshd[2988]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:02 wsc60 PAM_unix[2994]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:02 wsc60 sshd[2994]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:05 wsc60 PAM_unix[2996]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:05 wsc60 sshd[2996]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:08 wsc60 PAM_unix[2998]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:08 wsc60 sshd[2998]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:11 wsc60 PAM_unix[3016]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:11 wsc60 sshd[3016]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:14 wsc60 PAM_unix[3018]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:14 wsc60 sshd[3018]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:17 wsc60 PAM_unix[3023]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:17 wsc60 sshd[3023]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:19 wsc60 PAM_unix[3025]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:19 wsc60 sshd[3025]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:22 wsc60 PAM_unix[3027]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:22 wsc60 sshd[3027]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:25 wsc60 PAM_unix[3031]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:25 wsc60 sshd[3031]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:28 wsc60 PAM_unix[3036]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:28 wsc60 sshd[3036]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:31 wsc60 PAM_unix[3041]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:31 wsc60 sshd[3041]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:34 wsc60 PAM_unix[3044]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:34 wsc60 sshd[3044]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:37 wsc60 PAM_unix[3046]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:37 wsc60 sshd[3046]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:40 wsc60 PAM_unix[3069]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:40 wsc60 sshd[3069]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:42 wsc60 PAM_unix[3081]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:42 wsc60 sshd[3081]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:45 wsc60 PAM_unix[3098]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:45 wsc60 sshd[3098]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:48 wsc60 PAM_unix[3103]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:48 wsc60 sshd[3103]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:51 wsc60 PAM_unix[3107]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:51 wsc60 sshd[3107]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:54 wsc60 PAM_unix[3110]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:54 wsc60 sshd[3110]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:56:57 wsc60 PAM_unix[3119]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:56:57 wsc60 sshd[3119]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:57:00 wsc60 PAM_unix[3121]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:57:00 wsc60 sshd[3121]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:57:03 wsc60 PAM_unix[3123]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:57:03 wsc60 sshd[3123]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:57:06 wsc60 PAM_unix[3126]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:57:06 wsc60 sshd[3126]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:57:09 wsc60 PAM_unix[3128]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:57:09 wsc60 sshd[3128]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:57:12 wsc60 PAM_unix[3146]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:57:12 wsc60 sshd[3146]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:57:15 wsc60 PAM_unix[3148]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:57:15 wsc60 sshd[3148]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:57:18 wsc60 PAM_unix[3152]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:57:18 wsc60 sshd[3152]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:57:22 wsc60 PAM_unix[3163]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:57:22 wsc60 sshd[3163]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:57:25 wsc60 PAM_unix[3171]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:57:25 wsc60 sshd[3171]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:57:28 wsc60 PAM_unix[3173]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:57:28 wsc60 sshd[3173]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:57:31 wsc60 PAM_unix[3176]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:57:31 wsc60 sshd[3176]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:57:34 wsc60 PAM_unix[3180]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:57:34 wsc60 sshd[3180]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:57:48 wsc60 PAM_unix[3256]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:57:48 wsc60 sshd[3256]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:57:51 wsc60 PAM_unix[3261]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:57:51 wsc60 sshd[3261]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:57:54 wsc60 PAM_unix[3263]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:57:54 wsc60 sshd[3263]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:57:57 wsc60 PAM_unix[3266]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:57:57 wsc60 sshd[3266]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 20:58:00 wsc60 PAM_unix[3268]: authentication failure; (uid=0) -> root for sshd service
Feb 2 20:58:00 wsc60 sshd[3268]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 21:41:28 wsc60 PAM_unix[7264]: authentication failure; (uid=0) -> root for sshd service
Feb 2 21:41:28 wsc60 sshd[7264]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 21:41:33 wsc60 PAM_unix[7266]: authentication failure; (uid=0) -> root for sshd service
Feb 2 21:41:33 wsc60 sshd[7266]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 21:41:38 wsc60 PAM_unix[7268]: authentication failure; (uid=0) -> root for sshd service
Feb 2 21:41:38 wsc60 sshd[7268]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 21:41:43 wsc60 PAM_unix[7291]: authentication failure; (uid=0) -> root for sshd service
Feb 2 21:41:43 wsc60 sshd[7291]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 21:41:49 wsc60 PAM_unix[7296]: authentication failure; (uid=0) -> root for sshd service
Feb 2 21:41:49 wsc60 sshd[7296]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 21:41:54 wsc60 PAM_unix[7303]: authentication failure; (uid=0) -> root for sshd service
Feb 2 21:41:54 wsc60 sshd[7303]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 21:42:00 wsc60 PAM_unix[7311]: authentication failure; (uid=0) -> root for sshd service
Feb 2 21:42:00 wsc60 sshd[7311]: PAM-listfile: Non-sense use for apply= parameter
Feb 2 21:42:05 wsc60 PAM_unix[7314]: authentication failure; (uid=0) -> root for sshd service
Feb 2 21:42:05 wsc60 sshd[7314]: PAM-listfile: Non-sense use for apply= parameter
Feb 3 01:03:01 wsc60 sshd[28997]: PAM-listfile: Non-sense use for apply= parameter
Feb 3 01:03:01 wsc60 PAM_unix[29013]: (sshd) session opened for user admin by (uid=500)
Feb 3 01:03:04 wsc60 PAM_pwdb[29029]: (su) session opened for user root by admin(uid=500)
Feb 3 01:03:08 wsc60 PAM_unix[29013]: (sshd) session closed for user admin
Feb 3 01:03:08 wsc60 PAM_pwdb[29029]: (su) session closed for user root