[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [gulliver] Droits "root" changés

From	Ben <bud at neuf dot fr>
Subject	Re: [gulliver] Droits "root" changés
Date	Tue, 01 Jul 2008 23:25:36 +0200

Bonsoir,

Patrick Lamaizière a écrit :

David MENTRE a écrit :

Donc, tu n'arrives pas à te logguer par ssh, pourquoi ? Qu'est-ce qui
fait que ssh n'arrive pas à ouvrir un session en root ? Regarde les
fichiers de log. Ajoute plus d'infos avec les options de debug si
nécessaire.


login doit être en suid root

Merci pour vos réponses !
Miracle, je peux me connecter.
Le problème que c'est que j'aurais dû écouter david bien avant et tenter de *comprendre* mes commandes. A force de tenter des choses je ne sais même pas ce qui a fait que je peux maintenant me connecter en ssh.

Pour l'instant je ne remarque que quelques détails. Le serveur de temps ne peut pas écrire ses logs visiblement et un log qui ne me parle pas pour SSH.

debian:/etc# tail /var/log/syslog
Jul 1 23:00:45 localhost ntpd[3136]: couldn't unlink /var/log/ntpstats/peerstats: Permission denied
Jul 1 23:00:45 localhost ntpd[3136]: can't open /var/log/ntpstats/peerstats.20080701: Permission denied

debian:/etc# tail /var/log/messages
Jul 1 19:54:04 localhost -- MARK --
Jul 1 20:14:05 localhost -- MARK --

je ne comprends pas trop ces derniers logs

Plus généralement, puisque tu as massacré les droits des fichiers,
c'est fort probable que tu auras des petits soucis dans les coins
(style genre un binaire suid que tu as supprimé avec ton 755).


Massacre c'est le mot.
Une solution serait de faire un mtree d'une debian propre et de
réappliquer les droits / propriétaire et groupe.

Pour l'instant, ça n'a pas l'air trop désastreux. Le serveur Web, Ftp et le plus important pour mon réseau Samba fonctionnent.
Mais très probablement, je me rendrais compte de petits soucis au fur et à mesure.

debian:/etc# tail -50 /var/log/auth.log
Jul 1 18:57:49 localhost sshd[21196]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.231.123.227 user=root
Jul 1 18:57:50 localhost sshd[21196]: Failed password for root from 193.231.123.227 port 60132 ssh2
Jul 1 18:57:51 localhost sshd[21198]: reverse mapping checking getaddrinfo for 33k-clients-gw.b.astral.ro failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 1 18:57:51 localhost sshd[21198]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.231.123.227 user=root
Jul 1 18:57:53 localhost sshd[21198]: Failed password for root from 193.231.123.227 port 60259 ssh2
Jul 1 18:57:55 localhost sshd[21202]: reverse mapping checking getaddrinfo for 33k-clients-gw.b.astral.ro failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 1 18:57:55 localhost sshd[21202]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.231.123.227 user=root
Jul 1 18:57:56 localhost sshd[21202]: Failed password for root from 193.231.123.227 port 60415 ssh2
Jul 1 18:57:57 localhost sshd[21204]: reverse mapping checking getaddrinfo for 33k-clients-gw.b.astral.ro failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 1 18:57:57 localhost sshd[21204]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.231.123.227 user=root
Jul 1 18:57:59 localhost sshd[21204]: Failed password for root from 193.231.123.227 port 60550 ssh2 là c'est pas moi
Jul 1 19:09:01 localhost CRON[21505]: (pam_unix) session opened for user root by (uid=0)
Jul 1 19:09:01 localhost CRON[21505]: (pam_unix) session closed for user root
Jul 1 19:17:01 localhost CRON[21730]: (pam_unix) session opened for user root by (uid=0)
Jul 1 19:17:01 localhost CRON[21730]: (pam_unix) session closed for user root
Jul 1 19:39:01 localhost CRON[22325]: (pam_unix) session opened for user root by (uid=0)
Jul 1 19:39:01 localhost CRON[22325]: (pam_unix) session closed for user root
Jul 1 19:42:50 localhost sshd[22434]: Did not receive identification string from 221.192.241.71
Jul 1 19:50:42 localhost sshd[22641]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.192.241.71 user=root
Jul 1 19:50:44 localhost sshd[22641]: Failed password for root from 221.192.241.71 port 28127 ssh2 là c'est pas moi
Jul 1 20:09:01 localhost CRON[23136]: (pam_unix) session opened for user root by (uid=0)
Jul 1 20:09:01 localhost CRON[23136]: (pam_unix) session closed for user root
Jul 1 20:17:01 localhost CRON[23361]: (pam_unix) session opened for user root by (uid=0)
Jul 1 20:17:01 localhost CRON[23361]: (pam_unix) session closed for user root
Jul 1 20:39:01 localhost CRON[23956]: (pam_unix) session opened for user root by (uid=0)
Jul 1 20:39:01 localhost CRON[23956]: (pam_unix) session closed for user root
Jul 1 21:09:01 localhost CRON[24775]: (pam_unix) session opened for user root by (uid=0)
Jul 1 21:09:01 localhost CRON[24775]: (pam_unix) session closed for user root
Jul 1 21:17:01 localhost CRON[25000]: (pam_unix) session opened for user root by (uid=0)
Jul 1 21:17:01 localhost CRON[25000]: (pam_unix) session closed for user root
Jul 1 21:39:01 localhost CRON[25594]: (pam_unix) session opened for user root by (uid=0)
Jul 1 21:39:01 localhost CRON[25594]: (pam_unix) session closed for user root
Jul 1 22:09:01 localhost CRON[26413]: (pam_unix) session opened for user root by (uid=0)
Jul 1 22:09:01 localhost CRON[26413]: (pam_unix) session closed for user root
Jul 1 22:17:01 localhost CRON[26643]: (pam_unix) session opened for user root by (uid=0)
Jul 1 22:17:01 localhost CRON[26643]: (pam_unix) session closed for user root
Jul 1 22:39:01 localhost CRON[27236]: (pam_unix) session opened for user root by (uid=0)
Jul 1 22:39:01 localhost CRON[27236]: (pam_unix) session closed for user root
Jul 1 22:45:47 localhost sshd[27419]: Accepted password for root from 84.100.169...... port ..... ssh2 ça c'est moi !
Jul 1 22:45:48 localhost sshd[27426]: (pam_unix) session opened for user root by root(uid=0)
Jul 1 22:52:48 localhost proftpd: (pam_unix) session opened for user nosotros by (uid=0)
Jul 1 23:03:21 localhost proftpd: (pam_unix) session closed for user nosotros
Jul 1 23:03:34 localhost proftpd: (pam_unix) session opened for user nosotros by (uid=0)
Jul 1 23:08:24 localhost sshd[28067]: fatal: Timeout before authentication for 84.100.169.125
Jul 1 23:09:01 localhost CRON[28137]: (pam_unix) session opened for user root by (uid=0)
Jul 1 23:09:01 localhost CRON[28137]: (pam_unix) session closed for user root
Jul 1 23:13:23 localhost proftpd: (pam_unix) session closed for user nosotros
Jul 1 23:13:34 localhost proftpd: (pam_unix) session opened for user nosotros by (uid=0)
Jul 1 23:17:01 localhost CRON[28362]: (pam_unix) session opened for user root by (uid=0)
Jul 1 23:17:01 localhost CRON[28362]: (pam_unix) session closed for user root
debian:/etc#

d'ailleurs je ne comprends pas trop ces logs non plus. je serais pas en train de me faire attaquer??

Merci.
Ben.

---- Liste gulliver ----
Archives,    http://gulliver.eu.org/ml-archives/
Description, http://gulliver.eu.org/ml/ml.html
Bons usages, http://gulliver.eu.org/wiki/UsagesCourriels

Follow-Ups:
- Re: [gulliver] Droits "root" changés
  - From: David MENTRE
- Re: [gulliver] Droits "root" changés
  - From: Patrick Lamaizière

References:
- Re: [gulliver] Droits "root" changés
  - From: David MENTRE
- Re: [gulliver] Droits "root" changés
  - From: Patrick Lamaizière

Prev by Date: Re: [gulliver] Demain France Inter (rattrapage)
Next by Date: Re: [gulliver] un hacker space sur Rennes
Previous by thread: Re: [gulliver] Droits "root" changés
Next by thread: Re: [gulliver] Droits "root" changés
Index(es):
- Date
- Thread