netstat - ESTABLISHED = LOGIN?, and how we can get the USERNAME used for that connection?
hello,
we run
[root@pepsi ~]# netstat -tan | grep \:22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 pepsiserver:22 150.158.111.251:33848 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN
[root@pepsi ~]#
Then we looked up 150.158.111.251 and it is Chinese hackers! After that we see the logs:
[root@pepsi ~]# egrep -Ri '150.158.111.251' /var/log/*
/var/log/messages-20200719:Jul 18 02:37:00 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp5s0 OUT= MAC=00:25:90:0e:9f:95:74:8e:f8:53:c6:80:08:00 SRC=150.158.111.251 DST=server.pepsi LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=54321 PROTO=TCP SPT=53906 DPT=7547 WINDOW=65535 RES=0x00 SYN URGP=0
/var/log/messages-20200719:Jul 18 03:14:10 pepsi pure-ftpd: (?@150.158.111.251) [INFO] New connection from 150.158.111.251
/var/log/messages-20200719:Jul 18 03:14:40 pepsi pure-ftpd: (?@150.158.111.251) [INFO] Logout.
/var/log/messages-20200719:Jul 18 04:54:42 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp5s0 OUT= MAC=00:25:90:0e:9f:95:74:8e:f8:53:c6:80:08:00 SRC=150.158.111.251 DST=server.pepsi LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=54321 PROTO=TCP SPT=45654 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
/var/log/messages-20200719:Jul 18 05:14:00 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp5s0 OUT= MAC=00:25:90:0e:9f:95:74:8e:f8:53:c6:80:08:00 SRC=150.158.111.251 DST=server.pepsi LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=54321 PROTO=TCP SPT=56306 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
/var/log/mysqld.log:2020-05-01T12:48:17.458739Z 619627 [Warning] IP address '150.158.111.251' has been resolved to the host name '31.20.97.83.ro.ovo.sc', which resembles IPv4-address itself.
/var/log/mysqld.log:2020-05-02T20:32:31.066314Z 4077 [Warning] IP address '150.158.111.251' has been resolved to the host name '31.20.97.83.ro.ovo.sc', which resembles IPv4-address itself.
/var/log/mysqld.log:2020-05-08T01:10:01.512974Z 57067 [Warning] IP address '150.158.111.251' has been resolved to the host name '31.20.97.83.ro.ovo.sc', which resembles IPv4-address itself.
/var/log/secure:Jul 19 05:27:45 pepsi sshd[24158]: Did not receive identification string from 150.158.111.251 port 24028
/var/log/secure:Jul 24 06:04:21 pepsi sshd[18562]: Did not receive identification string from 150.158.111.251 port 42209
/var/log/secure-20200628:Jun 21 16:58:20 pepsi sshd[11576]: Did not receive identification string from 150.158.111.251 port 43431
[root@pepsi ~]#
So this shows that some user X has had their password compromised, but how do we know which user? How can we know the username used to log in to the server? Thanks
-
What is output when you run the command as follows: who

It should list active user sessions and the username they're logged in with. All you get in messages for logins is something like the following:

Jul 24 14:05:20 server systemd-logind: New session 15601 of user root.

If the user isn't logged in still you could search /var/log/secure for the IP which would show the attempts and username.
Thanks, I believe who is only for SSH connections. I forgot to say this is about FTP connections.

[root@pepsi ~]# who
root pts/0 2020-07-24 12:48 (my.office)
[root@pepsi ~]#

But this is from today. Thanks for your guidance about this possible threat.
Well if the user logged in you'd have output in the logs like the following from /var/log/messages:

Jul 24 14:37:54 server pure-ftpd: (?@) [INFO] New connection from
Jul 24 14:37:59 server pure-ftpd: (?@) [INFO] lauren is now logged in

What that login looks like is a login attempt that failed.
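The two answers above describe one triage step from two angles: the username is only in the service's own log lines (sshd in /var/log/secure, pure-ftpd in /var/log/messages), and a connection that never produces an "Accepted"/"is now logged in" line is a failed or abandoned attempt, not a login. The script below automates that check for one source IP. It is an added illustration, not code from anyone in this thread; the log lines inside it are constructed to mirror the CentOS syslog layout and the OpenSSH and pure-ftpd message formats seen above, with documentation addresses 203.0.113.7 and 198.51.100.9 standing in for real ones. The function names (`classify`, `triage`) are mine. In practice you would feed it the output of `grep -h <ip> /var/log/secure* /var/log/messages*`.

```python
"""Per-IP login triage over sshd and pure-ftpd syslog lines (added example)."""
import re
import sys
from collections import Counter

# Assumption: CentOS/RHEL syslog layout "Mon DD HH:MM:SS host prog[pid]: msg",
# optionally prefixed by "/var/log/<file>:" as grep -R prints it.
SYSLOG = re.compile(
    r"^(?:/[^:]*:)?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# OpenSSH messages: a successful auth, a failed auth (with or without the
# "invalid user" marker), and a bare probe that never sent a client banner.
SSHD = [
    ("accepted", re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("failed", re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("probe", re.compile(r"^Did not receive identification string from (?P<ip>\S+)")),
]

# pure-ftpd messages: the "(?@ip)" prefix means no user has authenticated yet.
FTPD = [
    ("probe", re.compile(r"^\(\?@(?P<ip>[^)]+)\) \[INFO\] New connection from")),
    ("failed", re.compile(r"^\(\?@(?P<ip>[^)]+)\) \[WARNING\] Authentication failed for user \[(?P<user>[^\]]*)\]")),
    ("accepted", re.compile(r"^\(\?@(?P<ip>[^)]+)\) \[INFO\] (?P<user>\S+) is now logged in")),
]


def classify(line):
    """Return (timestamp, service, outcome, user, ip) for an auth-related line, else None."""
    m = SYSLOG.match(line)
    if not m:
        return None
    prog, msg = m.group("prog"), m.group("msg")
    table = SSHD if prog == "sshd" else FTPD if prog == "pure-ftpd" else []
    for outcome, pat in table:
        hit = pat.match(msg)
        if hit:
            return (m.group("ts"), prog, outcome, hit.groupdict().get("user"), hit.group("ip"))
    return None


def triage(lines, ip):
    """Summarise every auth event from `ip`: successful logins (with username),
    failed attempts per (service, username), and connections that never
    presented credentials (scanner probes, or FTP sessions that quit before auth)."""
    summary = {"accepted": [], "failed": Counter(), "probes": 0}
    for event in map(classify, lines):
        if not event or event[4] != ip:
            continue
        ts, svc, outcome, user, _ = event
        if outcome == "accepted":
            summary["accepted"].append((ts, svc, user))
        elif outcome == "failed":
            summary["failed"][(svc, user)] += 1
        else:
            summary["probes"] += 1
    return summary


# Constructed sample input: one noisy source that eventually logs in over SSH,
# and one benign FTP login from a different address.
SAMPLE_LINES = [
    "/var/log/secure:Jul 19 05:27:45 pepsi sshd[24158]: Did not receive identification string from 203.0.113.7 port 24028",
    "Jul 19 05:30:02 pepsi sshd[24201]: Failed password for invalid user admin from 203.0.113.7 port 50011 ssh2",
    "Jul 19 05:30:09 pepsi sshd[24201]: Failed password for root from 203.0.113.7 port 50011 ssh2",
    "Jul 19 05:31:40 pepsi sshd[24260]: Accepted password for lauren from 203.0.113.7 port 50120 ssh2",
    "Jul 18 03:14:10 pepsi pure-ftpd: (?@203.0.113.7) [INFO] New connection from 203.0.113.7",
    "Jul 18 03:14:22 pepsi pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [ftpuser]",
    "Jul 18 03:14:40 pepsi pure-ftpd: (?@203.0.113.7) [INFO] Logout.",
    "Jul 24 14:37:54 pepsi pure-ftpd: (?@198.51.100.9) [INFO] New connection from 198.51.100.9",
    "Jul 24 14:37:59 pepsi pure-ftpd: (?@198.51.100.9) [INFO] lauren is now logged in",
]

if __name__ == "__main__":
    # Usage: python triage.py <ip> < logfile   (falls back to the sample data)
    ip = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.7"
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LINES
    result = triage(lines, ip)
    print(f"{ip}: {len(result['accepted'])} successful login(s), "
          f"{sum(result['failed'].values())} failed attempt(s), {result['probes']} probe(s)")
    for ts, svc, user in result["accepted"]:
        print(f"  ACCEPTED {ts} {svc} user={user}")
    for (svc, user), n in result["failed"].most_common():
        print(f"  failed   {svc} user={user} x{n}")
```

Only the "accepted" entries answer the original question; a list that is all failures and probes, like the one in the post, means the IP never authenticated. Note that the rotated files (secure-YYYYMMDD, messages-YYYYMMDD) must be included, since the thread's own hits came from them.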
Many thanks for giving peace to my mind . . . :)

:-D PEACE !!

I'll go ahead and mark this as resolved :)