
I noticed the following weird entry from my "last" command from an IP address in Romania:

user pts/0        89.123.111.228   Sat Jul 28 12:48 - 12:48  (00:00)

I'm wondering if that means I was hacked? But it says they logged in for 0 minutes, does that mean they failed? I can't find the answer in the man pages.

  • 1
    does it matter how long they were on? If you don't think the IP source was authorized, then you need to track that down. BTW, I hope you're running [fail2ban](http://www.fail2ban.org/) – Mike Pennington Jul 30 '12 at 14:41
  • Well, to me it's not clear what the 0 minutes means. Does that mean they failed to login, or does that mean they logged in for up to 59 seconds? – Philip Brocoum Jul 30 '12 at 15:08
  • If they are in your `last` output, they logged into the machine. If they were malicious, it's possible they modified the `utmp` information, so you may not know how long they were really on – Mike Pennington Jul 30 '12 at 15:30
  • That one is most likely a drone that was infected over IRC, during weekends Romania is usually the top European country launching such script kiddie attacks. I suggest to concentrate on tightening the security of your server instead of trying to track the offender. – AnonymousLurker Jul 30 '12 at 16:09

1 Answer


That appears to be a successful login lasting for less than one minute. The last command only shows successful logins by default.

You can confirm it by examining your system logs (e.g. /var/log/messages and /var/log/audit/audit.log) and looking for login and logout events.

I recently had a chance to examine a compromised machine, and the compromise followed a similar pattern. After the first successful compromise, the attacker may simply make note of your server's information to be passed along later to other criminals. If your system remains open, expect logins over the next few days from all over the world.

Michael Hampton
  • Thanks for the help you guys. We found a "stealth shellbot thiago" in tmp/.d on the server and are working to restore it to a previous point in time before it was compromised. – Philip Brocoum Jul 31 '12 at 13:28
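As an added example (not code from the question or the answer): a small Python parser over constructed sshd lines in `/var/log/messages` format that pairs `Accepted` and `session closed` events by sshd pid to recover the real session length, showing why a 39-second login prints as `(00:00)` in `last` while a failed attempt never appears there. The user and IP match the `last` entry above; the timestamps, hostname and pids are invented, and the year 2012 is assumed because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sshd lines in /var/log/messages format (not from the original post).
# User and IP match the `last` entry in the question; timestamps are invented.
SAMPLE_LOG = """\
Jul 28 12:47:50 host sshd[2211]: Failed password for user from 89.123.111.228 port 50211 ssh2
Jul 28 12:48:02 host sshd[2213]: Accepted password for user from 89.123.111.228 port 50214 ssh2
Jul 28 12:48:02 host sshd[2213]: pam_unix(sshd:session): session opened for user user by (uid=0)
Jul 28 12:48:41 host sshd[2213]: pam_unix(sshd:session): session closed for user user
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FAIL_RE = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
CLOSE_RE = re.compile(r"session closed for user (?P<user>\S+)")

def parse_ts(text, year):
    # syslog timestamps carry no year, so the caller supplies it (assumed 2012 here)
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def ssh_sessions(log_text, year=2012):
    """Return (failed_attempts, sessions); sessions are paired by sshd pid."""
    failed, open_by_pid, sessions = [], {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, msg = parse_ts(m["ts"], year), m["pid"], m["msg"]
        if (acc := ACCEPT_RE.match(msg)):
            open_by_pid[pid] = {"user": acc["user"], "ip": acc["ip"], "start": ts, "end": None}
        elif (fail := FAIL_RE.match(msg)):
            failed.append((ts, fail["user"], fail["ip"]))  # never becomes a `last` entry
        elif CLOSE_RE.search(msg) and pid in open_by_pid:
            sess = open_by_pid.pop(pid)
            sess["end"] = ts
            sess["seconds"] = int((ts - sess["start"]).total_seconds())
            sessions.append(sess)
    sessions.extend(open_by_pid.values())  # logins with no logout yet (still logged in)
    return failed, sessions

def last_duration(seconds):
    # `last` prints whole minutes as (HH:MM), so anything under 60 s shows as (00:00)
    return f"({seconds // 3600:02d}:{seconds % 3600 // 60:02d})"

if __name__ == "__main__":
    failed, sessions = ssh_sessions(SAMPLE_LOG)
    for ts, user, ip in failed:
        print(f"failed attempt {ts} {user}@{ip} -> not shown by `last`")
    for s in sessions:
        shown = "still logged in" if s["end"] is None else f"{s['seconds']}s, `last` shows {last_duration(s['seconds'])}"
        print(f"{s['user']} from {s['ip']}: {shown}")
```

Run it against the real file with `ssh_sessions(open("/var/log/messages").read(), year=...)`; a session with `end` still `None` is worth a look, since it means no logout was logged.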