Re: [opensuse] access logs on Nov 30
On 13/12/2016 at 18:14, Darin Perusich wrote:
Check the owner/group/time-stamps of these malicious files
I was sure I could make an error... I copied out the faulty folder, but didn't do this as root, so the owner is no longer the initial one. At first glance I only noted the date (Nov 30).
and try and correlate those with entries in your ftp/apache/susefirewall/app logs.
yes, but where are these logs? No "ftp" in /var/logs. Probably some syntax with journalctl. I certainly have them for the FW.
yes, I have them, and for the dedicated day. But there are 15223 lines... how can I find the lines giving access to the computer? What do I have to search for?
If you don't have logging enabled for said app then shame on you, if log entries for those times are "missing" you've been pwned. Don't forget logs from your router, if you're storing them, since they may also be able to help correlate the connections/activity.
it's a hosted computer, online, no router
thanks
jdd
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Tue, Dec 13, 2016 at 12:43 PM, jdd <jdd@dodin.org> wrote:
On 13/12/2016 at 18:14, Darin Perusich wrote:
Check the owner/group/time-stamps of these malicious files
I was sure I could make an error... I copied out the faulty folder, but didn't do this as root, so the owner is no longer the initial one.
At first glance I only noted the date (Nov 30).
and try and correlate those with entries in your ftp/apache/susefirewall/app logs.
yes, but where are these logs? No "ftp" in /var/logs. Probably some syntax with journalctl. I certainly have them for the FW.
Check your ftp daemon config to see what file or syslog service it uses to save logs; they may just be in /var/log/messages.
yes, I have them, and for the dedicated day. But there are 15223 lines... how can I find the lines giving access to the computer? What do I have to search for?
In the FW logs grep for SPT=21, source port 21/ftp, to limit to only those connections, and review the SRC=x.x.x.x address for the host that initiated those connections. Then it becomes a game of tracking down who owns that address, looking for other log entries from the address, etc.
If you don't have logging enabled for said app then shame on you, if log entries for those times are "missing" you've been pwned. Don't forget logs from your router, if you're storing them, since they may also be able to help correlate the connections/activity.
it's a hosted computer, online, no router
thanks jdd
On 13/12/2016 at 19:06, Darin Perusich wrote:
In the FW logs grep for SPT=21, source port 21/ftp, to limit to only those connections
yes. And I guess only the "ACC" means accepted? Like this one:
2016-11-30T16:45:16.136115+01:00 ks311900 kernel: SFW2-INext-ACC-TCP (...) SRC=163.172.66.5 DST=188.xxx LEN=60 TOS=0x02 PREC=0x00 TTL=58 ID=63972 DF PROTO=TCP SPT=21834 DPT=80 WINDOW=29200 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B40402080A4540D5330000000001030307)
vsftpd may not be so secure; after all I almost never use it, I will stop it.
thanks
jdd
On 13/12/2016 at 19:53, jdd wrote:
On 13/12/2016 at 19:06, Darin Perusich wrote:
In the FW logs grep for SPT=21, source port 21/ftp, to limit to only those connections
yes. And I guess only the "ACC" means accepted? Like this one:
2016-11-30T16:45:16.136115+01:00 ks311900 kernel: SFW2-INext-ACC-TCP (...) SRC=163.172.66.5 DST=188.xxx LEN=60 TOS=0x02 PREC=0x00 TTL=58 ID=63972 DF PROTO=TCP SPT=21834 DPT=80 WINDOW=29200 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B40402080A4540D5330000000001030307)
my error. I was following advice found on the net. The most important thing here is not the source port (the client's) but my own port (my server's), so DPT, not SPT. And then, I didn't notice grep had found SPT=21834, not SPT=21, due to the lack of the -w option. So this means the firewall (the SUSE one) accepted connecting a browser to my web server, which is perfectly normal.
grep -w DPT=21 didn't show anything at that date.
thanks
jdd
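The two mistakes jdd describes (matching the client's SPT instead of the server's DPT, and letting a substring match turn SPT=21834 into a false SPT=21 hit) are easy to reproduce on a handful of lines. This is an added example, not code from the thread or from SuSEfirewall2; the log file, its lines and the documentation-range IPs are all constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Filters SuSEfirewall2 kernel log lines
# (the SFW2-INext-ACC-... format quoted above) for accepted connections to a
# local port. Uses grep -w so "DPT=21" cannot match "DPT=2121", and keys on
# the destination port (the server's), not SPT (the client's ephemeral port).
# The log file and every line in it are constructed; IPs are documentation ranges.

# accepted inbound connections to local port $2 in log file $1
sfw2_accepted_to_port() {
    grep 'SFW2-INext-ACC' "$1" | grep -w "DPT=$2"
}

# the pitfall from the thread: no -w and SPT instead of DPT, so SPT=21834
# (a browser's ephemeral port) is reported as if it were an ftp connection
sfw2_naive_port() {
    grep "SPT=$2" "$1"
}

# remote addresses that were accepted on local port $2, one per line
sfw2_sources_for_port() {
    sfw2_accepted_to_port "$1" "$2" | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' | sort -u
}

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
2016-11-30T16:45:16.136115+01:00 ks311900 kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x02 PREC=0x00 TTL=58 ID=63972 DF PROTO=TCP SPT=21834 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
2016-11-30T16:47:02.000000+01:00 ks311900 kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51234 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
2016-11-30T16:48:30.000000+01:00 ks311900 kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.12 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=40000 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
2016-11-30T16:49:00.000000+01:00 ks311900 kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=203.0.113.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=777 DF PROTO=TCP SPT=33333 DPT=2121 WINDOW=29200 RES=0x00 SYN URGP=0
EOF

echo "accepted to port 21 (correct: -w on DPT, dropped packets excluded):"
sfw2_accepted_to_port "$LOG" 21
echo "sources: $(sfw2_sources_for_port "$LOG" 21)"
echo "naive SPT=21 substring match (wrong line: it is a web client on SPT=21834):"
sfw2_naive_port "$LOG" 21
```

Only the second constructed line survives the correct filter; the dropped packet and the DPT=2121 line do not, while the naive grep returns only the web client's line.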
On 2016-12-13 19:06, Darin Perusich wrote:
On Tue, Dec 13, 2016 at 12:43 PM, jdd <> wrote:
yes, but where are these logs? No "ftp" in /var/logs. Probably some syntax with journalctl. I certainly have them for the FW.
Check your ftp daemon config to see what file or syslog service it uses to save logs; they may just be in /var/log/messages.
which may mean journalctl. Scan for the user name of the account in journalctl or /var/messages.
--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
participants (3)
- Carlos E. R.
- Darin Perusich
- jdd