Afternoon all. After a week off work, I came in this morning and discovered that the administrator password had been changed on my server. As I'm the only one with any Linux knowledge this is a bit worrying. What I would like to know is: what logs should I examine and where are they found? My setup is based on the Perfect Ubuntu Server 10.04. Cheers
Do you have fail2ban installed? If not, I strongly recommend installing it. Also, please run chkrootkit and/or rkhunter to find out if there's malware installed on your computer.
Hiya, yes, fail2ban is installed, and chkrootkit reported all good. rkhunter came back with warnings, but they all look good. Where would I find an FTP or SSH log? If I was hacked, that would be the access point, I think. (I have disabled WAN access, allowing local access only for now.)
Thanks for that. I have looked through a load of logs but I can't find anything. I can't even find my own SSH logins? I found a load of pure-ftpd log entries and all attempted connections were closed within the same second, but where do I find the SSH logins? If you could give me a file name to look for, it would be appreciated. Cheers
I often check my "generic" log files and "service-based" log files, especially this one.

Failed logins to your host:
Code: grep Failed /var/log/auth.log

Successful logins to your host:
Code: grep Accept /var/log/auth.log

You will be surprised by the brute-force attacks.
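As an added example that is not part of this thread, the script below turns the two grep checks from the post above into a small review of sshd and PAM entries: it counts failures per source address, lists successful logins, flags any successful login coming from an address that had already been failing (the pattern that matters most when a password turns out changed), and pulls out PAM "password changed" records. The log lines, hostnames and IP addresses are constructed sample data, and the function names are my own; on a real box, point the functions at /var/log/auth.log instead of the temporary sample file.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log lines (not taken from the thread's server).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 03:12:01 server sshd[2101]: Failed password for root from 198.51.100.7 port 41022 ssh2
Jan 10 03:12:03 server sshd[2101]: Failed password for root from 198.51.100.7 port 41022 ssh2
Jan 10 03:12:05 server sshd[2104]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2
Jan 10 08:45:10 server sshd[2310]: Accepted publickey for deploy from 192.0.2.15 port 50214 ssh2
Jan 10 09:02:44 server sshd[2355]: Accepted password for root from 198.51.100.7 port 41555 ssh2
Jan 10 09:05:00 server sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/apt-get update
Jan 10 09:06:12 server passwd[2401]: pam_unix(passwd:chauthtok): password changed for root
EOF

# Number of failed password attempts from one source address.
# $1 = log file, $2 = source IP. grep -c prints 0 (and exits 1) when nothing matches.
failed_count() {
    grep -c "Failed password for .* from $2 port" "$1" || true
}

# One line per successful sshd login: "user ip auth-method".
# $1 = log file
accepted_logins() {
    awk '/sshd.*Accepted/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "Accepted") method = $(i + 1)
            if ($i == "for")      user   = $(i + 1)
            if ($i == "from")     ip     = $(i + 1)
        }
        print user, ip, method
    }' "$1"
}

# Successful logins from addresses that had already produced failures earlier
# in the file: the single most useful line to look at after a suspected break-in.
# $1 = log file
success_after_failures() {
    awk '
        /sshd.*Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i + 1)]++
        }
        /sshd.*Accepted/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            if (ip in failed) print user, ip, "(" failed[ip] " prior failures)"
        }' "$1"
}

# PAM records of a password being changed, which is what the original poster
# would expect to see around the time the admin password was altered.
# $1 = log file
password_changes() {
    grep 'password changed for' "$1" || true
}

echo "Failed attempts from 198.51.100.7: $(failed_count "$SAMPLE_LOG" 198.51.100.7)"
echo "Successful logins:"
accepted_logins "$SAMPLE_LOG"
echo "Successful logins from addresses with earlier failures:"
success_after_failures "$SAMPLE_LOG"
echo "Password changes:"
password_changes "$SAMPLE_LOG"
```

On the sample data the third check reports "root 198.51.100.7 (3 prior failures)": a root login by password from the same address that had been guessing minutes earlier, followed by a password change. Note that auth.log is rotated (auth.log.1, auth.log.2.gz, ...), so a week-old event may only be in the rotated copies, and that a log on a machine you no longer trust can have been edited, which is why the advice to rebuild still stands.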
If you're unsure whether you got hacked, then you have to set up the machine again from scratch. You can't trust anything on there anymore.