Operating system: Red Hat 9.0
Firewall: default, set to the highest level
Running utmpdump /var/log/wtmp shows the following:
[7] [03638] [:0 ] [root ] [:0 ] [ ] [128.99.1.64 ] [Sun Feb 22 10:04:25 2004 CST]
[7] [03746] [/0 ] [root ] [pts/0 ] [:0.0 ] [0.0.0.0 ] [Sun Feb 22 10:05:38 2004 CST]
[1] [13619] [~~ ] [runlevel] [~ ] [2.4.20-8 ] [0.0.0.0 ] [Sun Feb 22 10:16:51 2004 CST]
[8] [00000] [:0 ] [ ] [:0 ] [ ] [128.99.1.64 ] [Sun Feb 22 10:16:53 2004 CST]
This machine has no authorized remote users, so I suspect a hacker intrusion.
Checking /var/log/messages shows the following:
Feb 22 10:04:13 localhost gdm(pam_unix)[3628]: session opened for user root by (uid=0)
Feb 22 10:04:28 localhost 2月 22 10:04:28 gconfd (root-3704): 正在启动(版本 2.2.0),pid 3704 用户“root”
Feb 22 10:04:28 localhost 2月 22 10:04:28 gconfd (root-3704): 解析的地址“xml:readonly:/etc/gconf/gconf.xml.mandatory”指向位于 0 的只读配置源
Feb 22 10:04:28 localhost 2月 22 10:04:28 gconfd (root-3704): 解析的地址“xml:readwrite:/root/.gconf”指向位于 1 的可写入配置源
Feb 22 10:04:28 localhost 2月 22 10:04:28 gconfd (root-3704): 解析的地址“xml:readonly:/etc/gconf/gconf.xml.defaults”指向位于 2 的只读配置源
Feb 22 10:04:33 localhost kernel: ide-floppy driver 0.99.newide
Feb 22 10:04:33 localhost kernel: hdd: ATAPI 52X CD-ROM drive, 120kB Cache, UDMA(33)
Feb 22 10:04:33 localhost kernel: Uniform CD-ROM driver Revision: 3.12
Feb 22 10:04:34 localhost kernel: cdrom: This disc doesn't have any tracks I recognize!
Feb 22 10:07:17 localhost kernel: eth0: Setting half-duplex based on auto-negotiated partner ability 0000.
Feb 22 10:07:20 localhost dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 5
Feb 22 10:07:25 localhost dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 7
Feb 22 10:07:32 localhost dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 15
Feb 22 10:07:47 localhost dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 15
Feb 22 10:08:02 localhost dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 14
Feb 22 10:08:16 localhost dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 5
Feb 22 10:08:21 localhost dhclient: No DHCPOFFERS received.
Feb 22 10:09:56 localhost kernel: CSLIP: code copyright 1989 Regents of the University of California
Feb 22 10:09:56 localhost kernel: PPP generic driver version 2.4.2
Feb 22 10:09:56 localhost pppd[3933]: pppd 2.4.1 started by root, uid 0
Feb 22 10:09:56 localhost pppd[3933]: Using interface ppp0
Feb 22 10:09:56 localhost pppd[3933]: Connect: ppp0 <--> /dev/pts/1
Feb 22 10:09:56 localhost pppoe[3934]: PPP session is 816
Feb 22 10:09:56 localhost /etc/hotplug/net.agent: assuming ppp0 is already up
Feb 22 10:09:56 localhost pppd[3933]: Remote message: Welcome to use MA5200, Huawei Tech.^J^M
Feb 22 10:09:56 localhost pppd[3933]: local IP address 218.23.69.29
Feb 22 10:09:56 localhost pppd[3933]: remote IP address 24.24.24.24
Feb 22 10:09:56 localhost pppd[3933]: primary DNS address 202.102.192.68
Feb 22 10:09:56 localhost pppd[3933]: secondary DNS address 202.102.199.68
Feb 22 10:09:56 localhost logger: punching nameserver 202.102.192.68 through the firewall
Feb 22 10:09:56 localhost logger: punching nameserver 202.102.199.68 through the firewall
Feb 22 10:14:32 localhost adsl-stop: Killing pppd
Feb 22 10:14:32 localhost pppd[3933]: Terminating on signal 15.
Feb 22 10:14:32 localhost adsl-stop: Killing adsl-connect
Feb 22 10:14:32 localhost pppd[3933]: Connection terminated.
Feb 22 10:14:32 localhost pppd[3933]: Connect time 4.6 minutes.
Feb 22 10:14:32 localhost pppd[3933]: Sent 15080 bytes, received 84827 bytes.
Feb 22 10:14:32 localhost pppoe[3934]: read (asyncReadFromPPP): Session 816: Input/output error
Feb 22 10:14:32 localhost pppoe[3934]: Sent PADT
Feb 22 10:14:32 localhost /etc/hotplug/net.agent: NET unregister event not supported
Feb 22 10:14:32 localhost pppd[3933]: Exit.
Feb 22 10:16:51 localhost init: Switching to runlevel: 3
Feb 22 10:16:51 localhost 2月 22 10:16:51 gconfd (root-3704): 已接收到信号 15,正在干净地关闭
Feb 22 10:16:52 localhost gdm(pam_unix)[3628]: session closed for user root
Feb 22 10:16:54 localhost 2月 22 10:16:54 gconfd (root-3704): 退出
What is going on here?
What did it do?
How can this kind of incident be prevented?
Please point me in the right direction!!
Thanks!!
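A small triage helper for the utmpdump output quoted above, added here as an example and not part of the original post. It parses the old bracketed utmpdump format (type, pid, id, user, line, host, addr, time), pairs each login record (type 7, USER_PROCESS) with the logout record (type 8, DEAD_PROCESS) on the same line or display, and reports source host, addr field and session duration, so each login's addr can be compared against the machine's own address and the timeline in /var/log/messages. The record-type names come from utmp.h; the sample input is the four wtmp lines from the post.

```python
import re
from datetime import datetime

# Record types as defined in <utmp.h>
RECORD_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
                6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}
FIELD_RE = re.compile(r"\[([^\]]*)\]")

# Sample input: the four utmpdump lines quoted in the post (old 8-field bracket format).
WTMP_DUMP = """\
[7] [03638] [:0 ] [root ] [:0 ] [ ] [128.99.1.64 ] [Sun Feb 22 10:04:25 2004 CST]
[7] [03746] [/0 ] [root ] [pts/0 ] [:0.0 ] [0.0.0.0 ] [Sun Feb 22 10:05:38 2004 CST]
[1] [13619] [~~ ] [runlevel] [~ ] [2.4.20-8 ] [0.0.0.0 ] [Sun Feb 22 10:16:51 2004 CST]
[8] [00000] [:0 ] [ ] [:0 ] [ ] [128.99.1.64 ] [Sun Feb 22 10:16:53 2004 CST]
"""

def parse_record(line):
    """Split one utmpdump line into type, pid, id, user, line, host, addr, time."""
    f = [x.strip() for x in FIELD_RE.findall(line)]
    if len(f) != 8:
        raise ValueError("unexpected utmpdump line: %r" % line)
    # Drop the zone name ("CST"): strptime's %Z only accepts the local machine's zone.
    when = datetime.strptime(" ".join(f[7].split()[:-1]), "%a %b %d %H:%M:%S %Y")
    return {"type": RECORD_TYPES.get(int(f[0]), f[0]), "pid": int(f[1]), "id": f[2],
            "user": f[3], "line": f[4], "host": f[5], "addr": f[6], "time": when}

def sessions(dump):
    """Pair each USER_PROCESS login with the DEAD_PROCESS record on the same line/display."""
    open_by_line, result = {}, []
    for rec in (parse_record(l) for l in dump.splitlines() if l.strip()):
        if rec["type"] == "USER_PROCESS":
            s = {"user": rec["user"], "line": rec["line"], "host": rec["host"],
                 "addr": rec["addr"], "login": rec["time"], "logout": None,
                 # a login on an X display (line ":0") versus a terminal (pts/N, ttyN)
                 "kind": "X display" if rec["line"].startswith(":") else "terminal"}
            open_by_line[rec["line"]] = s
            result.append(s)
        elif rec["type"] == "DEAD_PROCESS" and rec["line"] in open_by_line:
            open_by_line.pop(rec["line"])["logout"] = rec["time"]
    return result

def duration_seconds(s):
    """Session length in seconds, or None when the excerpt has no matching logout."""
    return None if s["logout"] is None else int((s["logout"] - s["login"]).total_seconds())

if __name__ == "__main__":
    for s in sessions(WTMP_DUMP):
        print("%-5s %-6s %-9s host=%-5s addr=%-12s login=%s duration=%s s" % (
            s["user"], s["line"], s["kind"], s["host"], s["addr"],
            s["login"].strftime("%H:%M:%S"), duration_seconds(s)))
```

For the quoted dump this yields one closed X-display session on :0 (12 min 28 s) and one pts/0 terminal session opened from :0.0 with no logout record in the excerpt.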