Was I attacked?

Posted on 2004-2-22 15:08:38
Operating system: Red Hat 9.0
Firewall: default, set to the highest level

Running utmpdump /var/log/wtmp shows the following:

[7] [03638] [:0 ] [root ] [:0 ] [ ]  [128.99.1.64 ] [Sun Feb 22 10:04:25 2004 CST]
[7] [03746] [/0 ] [root ] [pts/0 ] [:0.0 ] [0.0.0.0 ] [Sun Feb 22 10:05:38 2004 CST]
[1] [13619] [~~ ] [runlevel] [~ ] [2.4.20-8 ] [0.0.0.0 ] [Sun Feb 22 10:16:51 2004 CST]
[8] [00000] [:0 ] [ ] [:0 ] [ ] [128.99.1.64 ] [Sun Feb 22 10:16:53 2004 CST]

This machine has no authorized remote users, so I suspect this is a cracker intrusion.

Checking /var/log/messages shows the following:

Feb 22 10:04:13 localhost gdm(pam_unix)[3628]: session opened for user root by (uid=0)
Feb 22 10:04:28 localhost 2月 22 10:04:28 gconfd (root-3704): 正在启动(版本 2.2.0),pid 3704 用户“root”
Feb 22 10:04:28 localhost 2月 22 10:04:28 gconfd (root-3704): 解析的地址“xml:readonly:/etc/gconf/gconf.xml.mandatory”指向位于 0 的只读配置源
Feb 22 10:04:28 localhost 2月 22 10:04:28 gconfd (root-3704): 解析的地址“xml:readwrite:/root/.gconf”指向位于 1 的可写入配置源
Feb 22 10:04:28 localhost 2月 22 10:04:28 gconfd (root-3704): 解析的地址“xml:readonly:/etc/gconf/gconf.xml.defaults”指向位于 2 的只读配置源
Feb 22 10:04:33 localhost kernel: ide-floppy driver 0.99.newide
Feb 22 10:04:33 localhost kernel: hdd: ATAPI 52X CD-ROM drive, 120kB Cache, UDMA(33)
Feb 22 10:04:33 localhost kernel: Uniform CD-ROM driver Revision: 3.12
Feb 22 10:04:34 localhost kernel: cdrom: This disc doesn't have any tracks I recognize!
Feb 22 10:07:17 localhost kernel: eth0: Setting half-duplex based on auto-negotiated partner ability 0000.
Feb 22 10:07:20 localhost dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 5
Feb 22 10:07:25 localhost dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 7
Feb 22 10:07:32 localhost dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 15
Feb 22 10:07:47 localhost dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 15
Feb 22 10:08:02 localhost dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 14
Feb 22 10:08:16 localhost dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 5
Feb 22 10:08:21 localhost dhclient: No DHCPOFFERS received.
Feb 22 10:09:56 localhost kernel: CSLIP: code copyright 1989 Regents of the University of California
Feb 22 10:09:56 localhost kernel: PPP generic driver version 2.4.2
Feb 22 10:09:56 localhost pppd[3933]: pppd 2.4.1 started by root, uid 0
Feb 22 10:09:56 localhost pppd[3933]: Using interface ppp0
Feb 22 10:09:56 localhost pppd[3933]: Connect: ppp0 <--> /dev/pts/1
Feb 22 10:09:56 localhost pppoe[3934]: PPP session is 816
Feb 22 10:09:56 localhost /etc/hotplug/net.agent: assuming ppp0 is already up
Feb 22 10:09:56 localhost pppd[3933]: Remote message: Welcome to use MA5200, Huawei Tech.^J^M
Feb 22 10:09:56 localhost pppd[3933]: local IP address 218.23.69.29
Feb 22 10:09:56 localhost pppd[3933]: remote IP address 24.24.24.24
Feb 22 10:09:56 localhost pppd[3933]: primary DNS address 202.102.192.68
Feb 22 10:09:56 localhost pppd[3933]: secondary DNS address 202.102.199.68
Feb 22 10:09:56 localhost logger: punching nameserver 202.102.192.68 through the firewall
Feb 22 10:09:56 localhost logger: punching nameserver 202.102.199.68 through the firewall
Feb 22 10:14:32 localhost adsl-stop: Killing pppd
Feb 22 10:14:32 localhost pppd[3933]: Terminating on signal 15.
Feb 22 10:14:32 localhost adsl-stop: Killing adsl-connect
Feb 22 10:14:32 localhost pppd[3933]: Connection terminated.
Feb 22 10:14:32 localhost pppd[3933]: Connect time 4.6 minutes.
Feb 22 10:14:32 localhost pppd[3933]: Sent 15080 bytes, received 84827 bytes.
Feb 22 10:14:32 localhost pppoe[3934]: read (asyncReadFromPPP): Session 816: Input/output error
Feb 22 10:14:32 localhost pppoe[3934]: Sent PADT
Feb 22 10:14:32 localhost /etc/hotplug/net.agent: NET unregister event not supported
Feb 22 10:14:32 localhost pppd[3933]: Exit.
Feb 22 10:16:51 localhost init: Switching to runlevel: 3
Feb 22 10:16:51 localhost 2月 22 10:16:51 gconfd (root-3704): 已接收到信号 15,正在干净地关闭
Feb 22 10:16:52 localhost gdm(pam_unix)[3628]: session closed for user root
Feb 22 10:16:54 localhost 2月 22 10:16:54 gconfd (root-3704): 退出

What is going on here?
What did it do?
How can this kind of event be prevented?

Please point me in the right direction!!
Thanks!!
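The two logs the poster is comparing by hand can be checked mechanically. The script below is an added example, not code from the thread or from any of its participants: it parses the bracketed `utmpdump` record format (type, pid, id, user, line, host, addr, time), flags USER_PROCESS records that carry a non-zero address or a remote host, and then looks for PAM session lines for the same user in `/var/log/messages` within a short window of the login. The sample input is copied verbatim from the logs the poster pasted above; the two-minute correlation window and the "remote" heuristic are assumptions for the example, not rules from utmpdump itself.

```python
"""Flag remote-looking records in `utmpdump /var/log/wtmp` output and
correlate them with pam_unix session lines from /var/log/messages.
Added example; sample lines below are copied from the thread's own logs."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# ut_type values from <utmp.h> as printed in the first utmpdump column
RUN_LVL, USER_PROCESS, DEAD_PROCESS = 1, 7, 8

FIELD_RE = re.compile(r"\[([^\]]*)\]")           # one bracketed utmpdump field
PAM_RE = re.compile(                               # "Feb 22 10:04:13 host gdm(pam_unix)[3628]: session opened for user root ..."
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\S+?)\(pam_unix\)\[\d+\]: "
    r"session (opened|closed) for user (\S+)")


@dataclass
class UtmpRecord:
    ut_type: int
    pid: str
    ut_id: str
    user: str
    line: str
    host: str
    addr: str
    when: datetime


def parse_utmpdump_line(text):
    """Return a UtmpRecord for one utmpdump line, or None if it is not one."""
    fields = [f.strip() for f in FIELD_RE.findall(text)]
    if len(fields) != 8:
        return None
    # Drop the trailing zone name ("CST"): strptime's %Z only knows UTC/GMT/local.
    stamp = " ".join(fields[7].split()[:-1])
    when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    return UtmpRecord(int(fields[0]), *fields[1:7], when)


def is_remote(rec):
    """Heuristic (assumption): a live login whose addr is set, or whose host
    names a machine rather than an X display (':0', ':0.0'), deserves review."""
    if rec.ut_type != USER_PROCESS:
        return False
    if rec.addr not in ("", "0.0.0.0"):
        return True
    return bool(rec.host) and not rec.host.startswith(":")


def remote_logins(wtmp_lines):
    recs = filter(None, (parse_utmpdump_line(l) for l in wtmp_lines))
    return [r for r in recs if is_remote(r)]


def pam_sessions_near(messages_lines, rec, window=timedelta(minutes=2)):
    """pam_unix session lines for rec.user within +/- window of rec.when.
    syslog stamps lack a year, so the year is taken from the wtmp record."""
    hits = []
    for line in messages_lines:
        m = PAM_RE.match(line)
        if not m:
            continue
        stamp, service, action, user = m.groups()
        when = datetime.strptime(f"{stamp} {rec.when.year}", "%b %d %H:%M:%S %Y")
        if user == rec.user and abs(when - rec.when) <= window:
            hits.append((service, action, when))
    return hits


# Sample input: the utmpdump and messages lines quoted in the thread.
WTMP = """
[7] [03638] [:0 ] [root ] [:0 ] [ ]  [128.99.1.64 ] [Sun Feb 22 10:04:25 2004 CST]
[7] [03746] [/0 ] [root ] [pts/0 ] [:0.0 ] [0.0.0.0 ] [Sun Feb 22 10:05:38 2004 CST]
[1] [13619] [~~ ] [runlevel] [~ ] [2.4.20-8 ] [0.0.0.0 ] [Sun Feb 22 10:16:51 2004 CST]
[8] [00000] [:0 ] [ ] [:0 ] [ ] [128.99.1.64 ] [Sun Feb 22 10:16:53 2004 CST]
""".strip().splitlines()

MESSAGES = """
Feb 22 10:04:13 localhost gdm(pam_unix)[3628]: session opened for user root by (uid=0)
Feb 22 10:16:51 localhost init: Switching to runlevel: 3
Feb 22 10:16:52 localhost gdm(pam_unix)[3628]: session closed for user root
""".strip().splitlines()


if __name__ == "__main__":
    for rec in remote_logins(WTMP):
        print(f"review: pid={rec.pid} user={rec.user} line={rec.line} "
              f"host={rec.host!r} addr={rec.addr} at {rec.when}")
        for service, action, when in pam_sessions_near(MESSAGES, rec):
            print(f"  pam_unix: {service} session {action} at {when}")
```

On the thread's data this flags only the first record (pid 3638, line `:0`, addr 128.99.1.64) and pairs it with the `gdm(pam_unix)` "session opened" line twelve seconds earlier; the `pts/0` record with host `:0.0` and address 0.0.0.0 is an ordinary terminal opened from the local X session and is not flagged. The script reports what needs a human look; it does not decide whether the address is real.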
Original poster | Posted on 2004-2-22 22:40:34

Was I attacked? Attacked? Attacked???????

Has nobody run into this situation?
Original poster | Posted on 2004-2-23 19:08:39
Could a moderator help me analyze this?
Posted on 2004-2-24 12:23:24
The login event with an IP shown in utmpdump is a successful login. What is strange is that it shows as a login from the console. Normally only something like the X server logs in from the console, I think, so those two lines look suspicious. The messages output after that should be fine; the system must have gstreamer installed.
Original poster | Posted on 2004-2-24 13:21:37
What is "gstreamer"?
128.99.1.64 is an IP address in the United States.

I have recently been reading Mastering Red Hat Linux 9 by Michael Jang (US) (Chinese title: 红帽Linux 9 从入门到精通). Chapter 13, on administrative details, talks about detecting remote logins by running utmpdump /var/log/wtmp, and the example cracker IP given in the book is exactly this IP.

Since this is my personal machine and there are no remote-login users, if someone logged in to my machine remotely it must have been a cracker.

Please help me: can anyone find out what it did?
Original poster | Posted on 2004-2-24 18:33:38
Please help!!!
Posted on 2006-8-9 15:31:49
Post by wanglei_hb
What is "gstreamer"?
128.99.1.64 is an IP address in the United States.

I have recently been reading Mastering Red Hat Linux 9 by Michael Jang (US) (Chinese title: 红帽Linux 9 从入门到精通). Chapter 13, on administrative details, talks about detecting remote logins by running utmpdump /var/log/wtmp, and the example cracker IP given in the book is exactly this IP.


That really is a coincidence, haha.
It's like the protagonist's phone number in a movie turning out to be the same as mine. Funny.