Thursday, January 21, 2010

How to check if hacker try to hack your site - Ubuntu?

1, Check the log
less /var/log/auth.log

Here is part of this file

Jan 21 02:57:52 SS sshd[7749]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:57:54 SS sshd[7749]: Failed password for root from 222.73.68.164 port 47502 ssh2
Jan 21 02:57:57 SS sshd[7751]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:57:58 SS sshd[7751]: Failed password for root from 222.73.68.164 port 47809 ssh2



Jan 21 02:58:00 SS sshd[7753]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:02 SS sshd[7753]: Failed password for root from 222.73.68.164 port 48078 ssh2
Jan 21 02:58:05 SS sshd[7755]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:07 SS sshd[7755]: Failed password for root from 222.73.68.164 port 48385 ssh2
Jan 21 02:58:09 SS sshd[7757]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:11 SS sshd[7757]: Failed password for root from 222.73.68.164 port 48674 ssh2
Jan 21 02:58:13 SS sshd[7759]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:15 SS sshd[7759]: Failed password for root from 222.73.68.164 port 48969 ssh2
Jan 21 02:58:17 SS sshd[7761]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:19 SS sshd[7761]: Failed password for root from 222.73.68.164 port 49265 ssh2
Jan 21 02:58:21 SS sshd[7763]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:23 SS sshd[7763]: Failed password for root from 222.73.68.164 port 49572 ssh2
Jan 21 02:58:30 SS sshd[7765]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:32 SS sshd[7765]: Failed password for root from 222.73.68.164 port 49857 ssh2
Jan 21 02:58:34 SS sshd[7767]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:36 SS sshd[7767]: Failed password for root from 222.73.68.164 port 50415 ssh2

You can see this guy 222.73.68.164 try to logon to my server using ssh.
I am not going to blame this guy, because he mostly is a victim.

2, file system integrity check
Using linux command find to find which files have been changed in the past 24 hours

find /var/www/ -mmin -1440 | more

3, send this log to you
You may want to receive this log by email.
First, save find result to a file
find /var/www/ -mmin -1440 > file_changed
Second, email this log file to you
"/usr/sbin/sendmail -v 'xxxxxxxx@gmail.com' < file_changed"
at
Labels:

1 comment:

  1. mubeenOctober 17, 2021 at 12:58 AM

    Thanks for taking the time to discuss that, I feel strongly about this and so really like getting to know more on this kind of field. Do you mind updating your blog post with additional insight? It should be really useful for all of us. remote hack

    ReplyDelete

Subscribe to: Post Comments (Atom)