Given that the only open servers are:
FTP, with restricted accounts
Apache
sshd, with a single account, which is not root.
If I run cat /var/log/messages, it gives me:
Oct 24 23:54:38 b2s /usr/sbin/gpm[2285]: imps2: Auto-detected intellimouse PS/2
Oct 25 00:14:20 b2s -- MARK --
Oct 25 00:34:20 b2s -- MARK --
Oct 25 00:54:20 b2s -- MARK --
Oct 25 01:14:20 b2s -- MARK --
Oct 25 01:34:20 b2s -- MARK --
Oct 25 01:54:20 b2s -- MARK --
Oct 25 02:14:20 b2s -- MARK --
Oct 25 02:34:20 b2s -- MARK --
Oct 25 02:54:20 b2s -- MARK --
Oct 25 03:14:21 b2s -- MARK --
Oct 25 03:34:21 b2s -- MARK --
Oct 25 03:54:21 b2s -- MARK --
Oct 25 04:14:21 b2s -- MARK --
Oct 25 04:34:21 b2s -- MARK --
Oct 25 04:54:21 b2s -- MARK --
Oct 25 05:14:21 b2s -- MARK --
Oct 25 05:34:21 b2s -- MARK --
Oct 25 05:54:21 b2s -- MARK --
Oct 25 06:14:21 b2s -- MARK --
Oct 25 06:34:21 b2s -- MARK --
Oct 25 06:54:21 b2s -- MARK --
Oct 25 07:14:21 b2s -- MARK --
Oct 25 07:34:22 b2s -- MARK --
Oct 25 07:54:22 b2s -- MARK --
Oct 25 08:14:22 b2s -- MARK --
Oct 25 08:34:22 b2s -- MARK --
Oct 25 08:54:22 b2s -- MARK --
Oct 25 09:14:22 b2s -- MARK --
Oct 25 09:34:22 b2s -- MARK --
Oct 25 09:54:22 b2s -- MARK --
Oct 25 10:14:22 b2s -- MARK --
Oct 25 10:34:22 b2s -- MARK --
Oct 25 10:54:22 b2s -- MARK --
Oct 25 11:14:22 b2s -- MARK --
Oct 25 11:34:23 b2s -- MARK --
Oct 25 11:54:23 b2s -- MARK --
Oct 25 12:14:23 b2s -- MARK --
Oct 25 12:34:23 b2s -- MARK --
Oct 25 12:54:23 b2s -- MARK --
Oct 25 13:14:23 b2s -- MARK --
Oct 25 13:34:23 b2s -- MARK --
Oct 25 13:48:17 b2s sshd[5600]: Did not receive identification string from 83.64.191.62
Oct 25 13:49:36 b2s sshd[5605]: User root from 83-64-191-62.paris-lodron.xdsl-line.inode.at not allowed because not listed in AllowUsers
Oct 25 13:49:36 b2s sshd[5606]: input_userauth_request: invalid user root
Oct 25 13:49:36 b2s sshd[5605]: Failed password for invalid user root from 83.64.191.62 port 3197 ssh2
Oct 25 14:14:23 b2s -- MARK --
Oct 25 14:34:23 b2s -- MARK --
Oct 25 14:54:23 b2s -- MARK --
Oct 25 15:14:23 b2s -- MARK --
Oct 25 15:34:24 b2s -- MARK --
Oct 25 15:54:24 b2s -- MARK --
Oct 25 16:14:24 b2s -- MARK --
Oct 25 16:34:24 b2s -- MARK --
Oct 25 16:54:24 b2s -- MARK --
Oct 25 17:14:24 b2s -- MARK --
Oct 25 17:34:24 b2s -- MARK --
Oct 25 17:54:24 b2s -- MARK --
Oct 25 18:14:24 b2s -- MARK --
Oct 25 18:34:24 b2s -- MARK --
Oct 25 18:54:24 b2s -- MARK --
Oct 25 19:14:24 b2s -- MARK --
Oct 25 19:34:25 b2s -- MARK --
Oct 25 19:54:25 b2s -- MARK --
Oct 25 20:04:01 b2s named[2155]: unexpected RCODE (SERVFAIL) resolving 'ns.ovh.net/AAAA/IN': 212.27.32.132#53
Oct 25 20:14:25 b2s -- MARK --
Oct 25 20:34:25 b2s -- MARK --
Oct 25 20:45:19 b2s named[2155]: lame server resolving 'www.eea.europa.eu' (in 'eea.europa.EU'?): 217.74.208.67#53
Oct 25 21:00:00 b2s init: Switching to runlevel: 0
Oct 25 21:00:01 b2s /usr/sbin/gpm[2285]: *** info [mice.c(1766)]:
Oct 25 21:00:01 b2s /usr/sbin/gpm[2285]: imps2: Auto-detected intellimouse PS/2
Oct 25 21:00:06 b2s sshd[2152]: Received signal 15; terminating.
Oct 25 21:00:06 b2s logger: /etc/rc.d/rc.inet1: /sbin/route del default
Oct 25 21:00:06 b2s logger: /etc/rc.d/rc.inet1: /sbin/ifconfig eth0 down
Oct 25 21:00:06 b2s logger: /etc/rc.d/rc.inet1: /sbin/ifconfig eth1 down
Oct 25 21:00:06 b2s logger: /etc/rc.d/rc.inet1: /sbin/ifconfig lo down
Oct 25 21:00:06 b2s exiting on signal 15
Oct 26 00:09:35 b2s syslogd 1.4.1: restart.
Suddenly, though, at 21:00 it went into runlevel 0 on its own, and 6 seconds later sshd terminated.
In your opinion, did I suffer an undetected attack? Or has my Slack 11 gone crazy after less than a month?
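The questions a defender asks of a log like the one above are mechanical enough to script: did any sshd session actually succeed (an "Accepted" line), which sources produced failures or were rejected by AllowUsers, and was the runlevel change followed by the usual shutdown sequence (sshd stopping on SIGTERM within seconds) or by something else? The following is an added example, not the poster's code or part of any Slackware tool. The sample log is a constructed subset of the lines quoted in the post; classic syslog timestamps carry no year, so the script only compares timestamps within one unspecified year, and the 60-second "shutdown window" is an assumed heuristic, not a standard value.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a subset of the /var/log/messages lines quoted in the post
# (host b2s, Oct 25/26). The year is absent from these timestamps, as in all
# classic syslog output, so only time differences within one year are computed.
SAMPLE_LOG = """\
Oct 25 13:34:23 b2s -- MARK --
Oct 25 13:48:17 b2s sshd[5600]: Did not receive identification string from 83.64.191.62
Oct 25 13:49:36 b2s sshd[5605]: User root from 83-64-191-62.paris-lodron.xdsl-line.inode.at not allowed because not listed in AllowUsers
Oct 25 13:49:36 b2s sshd[5606]: input_userauth_request: invalid user root
Oct 25 13:49:36 b2s sshd[5605]: Failed password for invalid user root from 83.64.191.62 port 3197 ssh2
Oct 25 20:04:01 b2s named[2155]: unexpected RCODE (SERVFAIL) resolving 'ns.ovh.net/AAAA/IN': 212.27.32.132#53
Oct 25 21:00:00 b2s init: Switching to runlevel: 0
Oct 25 21:00:01 b2s /usr/sbin/gpm[2285]: *** info [mice.c(1766)]:
Oct 25 21:00:06 b2s sshd[2152]: Received signal 15; terminating.
Oct 25 21:00:06 b2s logger: /etc/rc.d/rc.inet1: /sbin/ifconfig eth0 down
Oct 25 21:00:06 b2s exiting on signal 15
Oct 26 00:09:35 b2s syslogd 1.4.1: restart.
"""

# "Mon DD HH:MM:SS host rest-of-line"
LINE_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
# "program[pid]: message"; the pid and even the program prefix may be absent
PROG_RE = re.compile(r"^([^\[:]+?)(?:\[(\d+)\])?: (.*)$")

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
DISALLOWED_RE = re.compile(r"User (\S+) from (\S+) not allowed because not listed in AllowUsers")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
NOIDENT_RE = re.compile(r"Did not receive identification string from (\S+)")
RUNLEVEL_RE = re.compile(r"Switching to runlevel: (\d)")


def parse_line(line):
    """Split one classic syslog line into timestamp, host, program, pid and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_str, host, rest = m.groups()
    ts_str = re.sub(r"\s+", " ", ts_str)          # "Oct  5" -> "Oct 5"
    ts = datetime.strptime(ts_str, "%b %d %H:%M:%S")  # year defaults to 1900; only deltas are used
    pm = PROG_RE.match(rest)
    if pm:
        prog, pid, msg = pm.group(1), pm.group(2), pm.group(3)
    else:
        prog, pid, msg = None, None, rest         # e.g. "-- MARK --" or "exiting on signal 15"
    return {"ts_str": ts_str, "ts": ts, "host": host, "prog": prog, "pid": pid, "msg": msg}


def triage(text, shutdown_window=60):
    """Summarise sshd authentication activity and shutdown-related events in syslog text.

    shutdown_window is an assumed heuristic: sshd stopping within this many seconds
    of a switch to runlevel 0/6 is treated as part of an orderly shutdown.
    """
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    report = {
        "failed_password": Counter(),        # source -> failed password attempts
        "disallowed_users": [],              # (user, source) rejected by AllowUsers
        "probes_without_banner": Counter(),  # sources that connected but sent no SSH banner
        "accepted_logins": [],               # (user, source) successful logins: the key question
        "runlevel_changes": [],              # (timestamp, new runlevel)
        "sshd_stopped_by_shutdown": False,
        "seconds_to_syslog_restart": None,   # downtime visible from the log, if any
    }
    halts, sshd_stops, syslog_restarts = [], [], []
    for e in events:
        msg, prog = e["msg"], e["prog"]
        if prog == "sshd":
            if m := FAILED_RE.search(msg):
                report["failed_password"][m.group(2)] += 1
            elif m := DISALLOWED_RE.search(msg):
                report["disallowed_users"].append((m.group(1), m.group(2)))
            elif m := ACCEPTED_RE.search(msg):
                report["accepted_logins"].append((m.group(1), m.group(2)))
            elif m := NOIDENT_RE.search(msg):
                report["probes_without_banner"][m.group(1)] += 1
            elif "terminating" in msg:
                sshd_stops.append(e["ts"])
        elif prog == "init" and (m := RUNLEVEL_RE.search(msg)):
            level = int(m.group(1))
            report["runlevel_changes"].append((e["ts_str"], level))
            if level in (0, 6):
                halts.append(e["ts"])
        elif prog and prog.startswith("syslogd") and "restart" in msg:
            syslog_restarts.append(e["ts"])

    # Correlate each halt/reboot with what followed it.
    for t in halts:
        if any(0 <= (s - t).total_seconds() <= shutdown_window for s in sshd_stops):
            report["sshd_stopped_by_shutdown"] = True
        later = [r for r in syslog_restarts if r >= t]
        if later and report["seconds_to_syslog_restart"] is None:
            report["seconds_to_syslog_restart"] = int((later[0] - t).total_seconds())
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

On the quoted lines the report shows one source that probed without a banner, then tried root and was rejected by AllowUsers, and no "Accepted" line at all; the runlevel 0 switch is followed 6 seconds later by sshd terminating on signal 15, which is the ordering of a normal shutdown, and syslogd does not write again for a little over three hours. Whether that shutdown was requested by someone at the console, by a cron job or by a power event is not something /var/log/messages alone can settle; on a Slackware box the next places to look are `last -x` (shutdown and runlevel records in wtmp), `/var/log/secure` and `/var/log/syslog`, and crontabs, while the script above gives a quick, repeatable first pass over any messages file.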