Log Analysis: Analysis on Auth.log

This entry may help incident handlers analyse SSH brute-force attacks using nothing more than the host's auth.log and standard shell tools.


Overview of auth.log
--------------------

fikri~$ head auth.log
Mar 16 08:12:04 app-1 login[4659]: pam_unix(login:session): session opened for user user3 by LOGIN(uid=0)
Mar 16 08:12:09 app-1 sudo:     user3 : TTY=tty1 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su
Mar 16 08:12:09 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)
Mar 16 08:12:09 app-1 sudo: pam_unix(sudo:session): session closed for user root
Mar 16 08:12:09 app-1 su[4679]: Successful su for root by root
Mar 16 08:12:09 app-1 su[4679]: + tty1 root:root
Mar 16 08:12:09 app-1 su[4679]: pam_unix(su:session): session opened for user root by user3(uid=0)
Mar 16 08:12:13 app-1 groupadd[4691]: new group: name=user4, GID=1001
Mar 16 08:12:13 app-1 useradd[4692]: new user: name=user4, UID=1001, GID=1001, home=/home/user4, shell=/bin/bash
Mar 16 08:12:17 app-1 passwd[4695]: pam_unix(passwd:chauthtok): password changed for user4

Filter for Invalid User access
------------------------------

fikri~$ grep 'Invalid user' auth.log | head
Apr 19 04:36:49 app-1 sshd[6990]: Invalid user tomcat from 203.81.226.86
Apr 19 05:19:08 app-1 sshd[7169]: Invalid user admin from 58.17.30.49
Apr 19 05:22:10 app-1 sshd[7259]: Invalid user tina from 58.17.30.49
Apr 19 05:22:14 app-1 sshd[7261]: Invalid user tom from 58.17.30.49
Apr 19 05:22:19 app-1 sshd[7263]: Invalid user tom from 58.17.30.49
Apr 19 05:22:23 app-1 sshd[7265]: Invalid user toor from 58.17.30.49
Apr 19 05:22:28 app-1 sshd[7267]: Invalid user tour from 58.17.30.49
Apr 19 05:22:32 app-1 sshd[7269]: Invalid user tour from 58.17.30.49
Apr 19 05:22:36 app-1 sshd[7271]: Invalid user tracy from 58.17.30.49
Apr 19 05:22:41 app-1 sshd[7273]: Invalid user tracy from 58.17.30.49

or, with three lines of context before and two after each hit, which shows the PAM entries sshd writes for the same attempt:

fikri~$ grep -B 3 -A 2 'Invalid user' auth.log 
Apr 19 04:36:38 app-1 sshd[6986]: Failed password for root from 203.81.226.86 port 58431 ssh2
Apr 19 04:36:41 app-1 sshd[6988]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.mediamonitors.com.pk  user=root
Apr 19 04:36:43 app-1 sshd[6988]: Failed password for root from 203.81.226.86 port 58778 ssh2
Apr 19 04:36:49 app-1 sshd[6990]: Invalid user tomcat from 203.81.226.86
Apr 19 04:36:49 app-1 sshd[6990]: pam_unix(sshd:auth): check pass; user unknown
Apr 19 04:36:49 app-1 sshd[6990]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.mediamonitors.com.pk 

Filter for authentication failure
---------------------------------

The PAM line for a failed login ends in "user=<name>", and the eighth "="-separated field is that name. Blank lines in the output come from attempts on accounts that do not exist: for those, sshd's PAM line carries no "user=" field at all (compare the "Invalid user tomcat" entry above), so cut produces nothing. The names that do appear (root, user1, user2) are accounts that really exist on this host, which is the shortlist to check for a successful login.

fikri~$ grep 'authentication failure' auth.log | cut -d '=' -f 8

root
root
user2
user2
user2
root
user1
user1
user1
user1
user1
user1
user1
user1
user1
user1
user1
user1
user1
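As an added example (not part of the original post), the same extraction done with awk, which splits on runs of whitespace and searches for the literal "from" token instead of relying on a fixed field number. It handles both the older "Invalid user X from IP" form shown above and the newer OpenSSH form that appends "port N", it pulls "user=" and "rhost=" out of the PAM line by name, and it keeps failures against existing accounts apart from guesses at non-existent ones. The log lines are constructed for this example (hostname and addresses borrowed from the post, timestamps, PIDs and the "port N" suffix made up); the function names ssh_auth_events and failed_existing_accounts are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Normalise sshd authentication lines from auth.log into
#   OUTCOME<TAB>USER<TAB>SOURCE
# without depending on field positions. awk splits on runs of whitespace,
# so the two-space padding syslog uses for single-digit days ("Apr  9")
# does not shift the columns the way `cut -d " "` does.

# Constructed sample: hostname and addresses come from the post; the
# timestamps, PIDs and the newer "port N" suffix are made up.
SAMPLE_LOG='Apr 19 04:36:38 app-1 sshd[6986]: Failed password for root from 203.81.226.86 port 58431 ssh2
Apr 19 04:36:43 app-1 sshd[6988]: Failed password for root from 203.81.226.86 port 58778 ssh2
Apr 19 04:36:49 app-1 sshd[6990]: Invalid user tomcat from 203.81.226.86
Apr 19 04:36:49 app-1 sshd[6990]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.mediamonitors.com.pk
Apr 19 04:36:51 app-1 sshd[6990]: Failed password for invalid user tomcat from 203.81.226.86 port 58779 ssh2
Apr  9 05:19:08 app-1 sshd[7169]: Invalid user admin from 58.17.30.49 port 41022
Apr  9 05:19:20 app-1 sshd[7171]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.17.30.49  user=user1
Apr  9 05:19:22 app-1 sshd[7171]: Failed password for user1 from 58.17.30.49 port 41030 ssh2
Apr  9 05:19:30 app-1 sshd[7173]: Accepted password for user1 from 58.17.30.49 port 41031 ssh2
Apr  9 05:19:30 app-1 sshd[7173]: pam_unix(sshd:session): session opened for user user1 by (uid=0)'

# ssh_auth_events: read auth.log on stdin, print one classified event per line.
ssh_auth_events() {
    awk '
    /sshd\[[0-9]+\]: / {
        user = "-"; src = "-"
        # The address always follows the literal token "from" and the account
        # name precedes it ("... for root from 1.2.3.4", "Invalid user x from ...").
        for (i = 2; i <= NF; i++) if ($i == "from") { user = $(i - 1); src = $(i + 1) }
        # sshd writes "Invalid user  from" (two spaces) when the client sent an empty name.
        if ($0 ~ /user  from /) user = "<empty>"
        if ($0 ~ /: Invalid user /)                     { print "INVALID\t" user "\t" src; next }
        if ($0 ~ /: Failed password for invalid user /) { print "FAILED_INVALID\t" user "\t" src; next }
        if ($0 ~ /: Failed password for /)              { print "FAILED\t" user "\t" src; next }
        if ($0 ~ /: Accepted [^ ]+ for /)               { print "ACCEPTED\t" user "\t" src; next }
        if ($0 ~ /authentication failure;/) {
            # The PAM line only carries user= when the account exists, which is
            # why the cut -f 8 pipeline above prints blank lines for unknown names.
            # The leading space in / user=/ keeps "ruser=" from matching.
            u = "-"; if (match($0, / user=[^ ]+/)) u = substr($0, RSTART + 6, RLENGTH - 6)
            r = "-"; if (match($0, /rhost=[^ ]+/)) r = substr($0, RSTART + 6, RLENGTH - 6)
            print "PAM_FAIL\t" u "\t" r
        }
    }'
}

# failed_existing_accounts: failed passwords against accounts that really exist
# on the host, most-attacked first. These are the attempts worth worrying about;
# guesses at non-existent names (INVALID / FAILED_INVALID) can only ever fail.
failed_existing_accounts() {
    ssh_auth_events | awk -F '\t' '$1 == "FAILED" { n[$2]++ } END { for (u in n) print n[u], u }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | ssh_auth_events
printf '%s\n' "$SAMPLE_LOG" | failed_existing_accounts
```

Run it against the real file with `ssh_auth_events < /var/log/auth.log`. Note that rhost in the PAM line is whatever sshd resolved (a hostname such as mail.mediamonitors.com.pk when reverse DNS is in use), while the "from" field of the sshd line is always the address, so the SOURCE column is only directly comparable across event types when reverse lookups are off.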

Invalid usernames containing "root"
-----------------------------------

This does not show anyone gaining root. sshd writes an "Invalid user" line when the requested account does not exist on the host at all, so every hit below is a failed guess at a root-like name (nfsroot, webroot, root123 and so on), and a successful login is never logged this way. Evidence that a source actually got in is an "Accepted password for ..." or "Accepted publickey for ..." line from sshd followed by a pam_unix(sshd:session) "session opened" entry; for root specifically, look for "Accepted ... for root".

fikri~$ grep 'Invalid user' auth.log | grep 'root'
Apr 19 05:38:30 app-1 sshd[7792]: Invalid user nfsroot from 58.17.30.49
Apr 19 05:38:35 app-1 sshd[7810]: Invalid user webroot from 58.17.30.49
Apr 19 05:38:39 app-1 sshd[7828]: Invalid user anonftproot from 58.17.30.49
Apr 19 05:38:44 app-1 sshd[7851]: Invalid user rootkloots from 58.17.30.49
Apr 19 05:54:06 app-1 sshd[12639]: Invalid user webroot from 219.150.161.20
Apr 19 05:55:00 app-1 sshd[12913]: Invalid user webroot from 219.150.161.20
Apr 19 06:10:31 app-1 sshd[15885]: Invalid user cvsroot from 219.150.161.20
Apr 19 06:10:34 app-1 sshd[15891]: Invalid user cvsroot from 219.150.161.20
Apr 19 06:10:38 app-1 sshd[15897]: Invalid user cvsroot from 219.150.161.20
Apr 19 06:10:42 app-1 sshd[15903]: Invalid user cvsroot from 219.150.161.20
Apr 19 06:14:49 app-1 sshd[16296]: Invalid user cvsroot from 219.150.161.20
Apr 19 06:14:53 app-1 sshd[16302]: Invalid user cvsroot from 219.150.161.20
Apr 19 06:14:56 app-1 sshd[16307]: Invalid user cvsroot from 219.150.161.20
Apr 19 06:15:00 app-1 sshd[16313]: Invalid user cvsroot from 219.150.161.20
Apr 19 06:18:15 app-1 sshd[16590]: Invalid user root0 from 219.150.161.20
Apr 19 06:18:19 app-1 sshd[16594]: Invalid user root0 from 219.150.161.20
Apr 19 06:18:22 app-1 sshd[16598]: Invalid user root0 from 219.150.161.20
Apr 19 06:22:29 app-1 sshd[16864]: Invalid user root0 from 219.150.161.20
Apr 19 06:22:33 app-1 sshd[16868]: Invalid user root0 from 219.150.161.20
Apr 19 06:22:37 app-1 sshd[16872]: Invalid user root0 from 219.150.161.20
Apr 23 17:25:10 app-1 sshd[17988]: Invalid user ioroot from 124.207.117.9
Apr 23 17:25:14 app-1 sshd[17990]: Invalid user ioroot from 124.207.117.9
Apr 23 17:25:18 app-1 sshd[17992]: Invalid user ioroot from 124.207.117.9
Apr 23 17:25:22 app-1 sshd[17994]: Invalid user ioroot from 124.207.117.9
Apr 24 13:35:19 app-1 sshd[27037]: Invalid user rooter from 8.12.45.242
Apr 24 13:54:42 app-1 sshd[28095]: Invalid user testroot from 8.12.45.242
Apr 24 13:54:44 app-1 sshd[28097]: Invalid user rootest from 8.12.45.242
Apr 24 13:54:48 app-1 sshd[28101]: Invalid user adminroot from 8.12.45.242
Apr 24 14:12:23 app-1 sshd[29084]: Invalid user 123root321 from 8.12.45.242
Apr 24 14:12:25 app-1 sshd[29086]: Invalid user 123root123 from 8.12.45.242
Apr 24 14:12:26 app-1 sshd[29088]: Invalid user root123456 from 8.12.45.242
Apr 24 14:12:28 app-1 sshd[29090]: Invalid user root1234 from 8.12.45.242
Apr 24 14:12:31 app-1 sshd[29092]: Invalid user root12345 from 8.12.45.242
Apr 24 14:20:45 app-1 sshd[29552]: Invalid user root321 from 8.12.45.242
Apr 24 14:20:47 app-1 sshd[29554]: Invalid user root123 from 8.12.45.242


See all of the source IPs in the logs by adding sort and uniq to our command
----------------------------------------------------------------------------

The address is the tenth space-separated field of an "Invalid user" line. Be aware that cut treats every single space as a delimiter, so on days 1 to 9, which syslog pads with two spaces ("Apr  9"), the address moves to field 11 and those lines silently drop out of the list.

fikri~$ grep 'Invalid user' auth.log | cut -d " " -f 10 | sort | uniq
114.80.166.219
116.6.19.70
121.11.66.70
122.165.9.200
122.226.202.12
124.207.117.9
124.51.108.68
125.235.4.130
173.9.147.165
190.166.87.164
201.64.234.2
203.81.226.86
210.68.70.170
211.154.254.248
217.15.55.133
218.56.61.114
219.150.161.20
220.170.79.247
222.169.224.197
222.66.204.246
24.192.113.91
24.94.90.96
58.17.30.49
59.46.39.148
61.168.227.12
65.208.122.48
8.12.45.242
83.216.63.124

See which sources were most persistent
--------------------------------------

The same list with a count per address, sorted numerically in descending order. This ranks sources by guesses at non-existent accounts only; failures against accounts that do exist (root, user1 and user2 in the authentication failure output above) are not counted here.

fikri~$ grep 'Invalid user' auth.log | cut -d " " -f 10 | sort | uniq -c | sort -nr
7574 219.150.161.20
2842 8.12.45.242
1063 222.66.204.246
 522 124.207.117.9
 457 222.169.224.197
 382 217.15.55.133
 345 211.154.254.248
 300 65.208.122.48
 185 122.226.202.12
 154 124.51.108.68
 135 24.192.113.91
 135 210.68.70.170
  96 173.9.147.165
  85 125.235.4.130
  60 116.6.19.70
  48 201.64.234.2
  23 114.80.166.219
  20 61.168.227.12
  17 58.17.30.49
   9 59.46.39.148
   6 218.56.61.114
   6 121.11.66.70
   5 122.165.9.200
   3 24.94.90.96
   2 83.216.63.124
   2 220.170.79.247
   1 203.81.226.86
   1 190.166.87.164
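The two counts above rank sources by "Invalid user" lines only: a source that tried a handful of real accounts and then got in would sit near the bottom, while the noisiest scanner tops the list without ever succeeding. As an added example (not from the original post), the following script generalises the pipeline above into a per-source table of failed password attempts, distinct usernames tried and accepted logins, and flags sources with several failures followed by a success from the same address, which is the "attacker who gained access" signal the earlier section was after. The log lines are constructed (addresses from the post plus 192.0.2.10 as an assumed legitimate admin host), and the three-failure threshold and the function names ssh_source_report and suspicious_logins are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original post. Per-source summary of
# sshd activity in auth.log plus a simple "brute force that worked" check.

# Constructed sample: addresses from the post plus 192.0.2.10 as an
# assumed legitimate admin host; timestamps and PIDs are made up.
SAMPLE_LOG='Apr 19 04:36:38 app-1 sshd[6986]: Failed password for root from 203.81.226.86 port 58431 ssh2
Apr 19 06:10:31 app-1 sshd[15885]: Invalid user cvsroot from 219.150.161.20
Apr 19 06:10:33 app-1 sshd[15885]: Failed password for invalid user cvsroot from 219.150.161.20 port 33110 ssh2
Apr 19 06:10:34 app-1 sshd[15891]: Invalid user cvsroot from 219.150.161.20
Apr 19 06:10:36 app-1 sshd[15891]: Failed password for invalid user cvsroot from 219.150.161.20 port 33111 ssh2
Apr 19 06:18:15 app-1 sshd[16590]: Invalid user root0 from 219.150.161.20
Apr 19 06:18:17 app-1 sshd[16590]: Failed password for invalid user root0 from 219.150.161.20 port 33200 ssh2
Apr 19 06:20:01 app-1 sshd[16700]: Failed password for root from 219.150.161.20 port 33300 ssh2
Apr 19 06:20:05 app-1 sshd[16702]: Failed password for root from 219.150.161.20 port 33301 ssh2
Apr 19 07:01:10 app-1 sshd[17001]: Failed password for user1 from 58.17.30.49 port 41030 ssh2
Apr 19 07:01:14 app-1 sshd[17003]: Failed password for user1 from 58.17.30.49 port 41031 ssh2
Apr 19 07:01:18 app-1 sshd[17005]: Failed password for user1 from 58.17.30.49 port 41032 ssh2
Apr 19 07:01:22 app-1 sshd[17007]: Accepted password for user1 from 58.17.30.49 port 41033 ssh2
Apr 19 07:01:22 app-1 sshd[17007]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Apr 19 08:00:00 app-1 sshd[18001]: Accepted publickey for user3 from 192.0.2.10 port 52000 ssh2'

# ssh_source_report [threshold]: one line per source address, most failures first:
#   FAILED  NAMES  ACCEPTED  SOURCE  ACCEPTED_USERS  FLAG
# FAILED counts "Failed password" lines (one per attempt; the companion
# "Invalid user" line for the same attempt is not counted twice), NAMES is
# the number of distinct usernames tried, and FLAG is REVIEW when at least
# THRESHOLD failures and an accepted login both came from the same source.
ssh_source_report() {
    awk -v threshold="${1:-3}" '
    /sshd\[[0-9]+\]: / {
        user = ""; src = ""
        for (i = 2; i <= NF; i++) if ($i == "from") { user = $(i - 1); src = $(i + 1) }
        if (src == "") next
        if      ($0 ~ /: Failed password for /) { fail[src]++; tried[src, user] = 1 }
        else if ($0 ~ /: Invalid user /)        { tried[src, user] = 1 }
        else if ($0 ~ /: Accepted [^ ]+ for /)  { ok[src]++; who[src] = (who[src] == "" ? user : who[src] "," user) }
        else next
        seen[src] = 1
    }
    END {
        for (key in tried) { split(key, parts, SUBSEP); names[parts[1]]++ }
        for (s in seen) {
            flag = (fail[s] + 0 >= threshold && ok[s] + 0 > 0) ? "REVIEW" : "-"
            printf "%d\t%d\t%d\t%s\t%s\t%s\n", fail[s] + 0, names[s] + 0, ok[s] + 0, s,
                   (who[s] == "" ? "-" : who[s]), flag
        }
    }' | sort -k1,1nr -k4,4
}

# suspicious_logins [threshold]: only the sources that failed repeatedly and then got in.
suspicious_logins() {
    ssh_source_report "$@" | awk -F '\t' '$6 == "REVIEW"'
}

printf '%s\n' "$SAMPLE_LOG" | ssh_source_report
printf '%s\n' "$SAMPLE_LOG" | suspicious_logins
```

The REVIEW flag is a triage cue, not proof of compromise: a legitimate user who mistyped a password a few times produces the same pattern, so the next step is to check the matching pam_unix(sshd:session) entries, the account's shell history and whether the source address is one the user is expected to connect from. Run `ssh_source_report 5 < /var/log/auth.log` to raise the threshold on a noisier host.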

Cheers :)
FR
