SOLVED netstat - ESTABLISHED = LOGIN?, and how we can get the USERNAME used for that connection?

000

Well-Known Member
hello,
we run
Bash:
[[email protected] ~]# netstat -tan | grep \:22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 pepsiserver:22        150.158.111.251:33848   ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
[[email protected] ~]#
then we look up 150.158.111.251 and these are CHINA hackers!

Then we check the LOGS:
Code:
[[email protected] ~]# egrep -Ri '150.158.111.251' /var/log/*
/var/log/messages-20200719:Jul 18 02:37:00 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp5s0 OUT= MAC=00:25:90:0e:9f:95:74:8e:f8:53:c6:80:08:00 SRC=150.158.111.251 DST=server.pepsi LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=54321 PROTO=TCP SPT=53906 DPT=7547 WINDOW=65535 RES=0x00 SYN URGP=0
/var/log/messages-20200719:Jul 18 03:14:10 pepsi pure-ftpd: ([email protected]) [INFO] New connection from 150.158.111.251
/var/log/messages-20200719:Jul 18 03:14:40 pepsi pure-ftpd: ([email protected]) [INFO] Logout.
/var/log/messages-20200719:Jul 18 04:54:42 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp5s0 OUT= MAC=00:25:90:0e:9f:95:74:8e:f8:53:c6:80:08:00 SRC=150.158.111.251 DST=server.pepsi LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=54321 PROTO=TCP SPT=45654 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
/var/log/messages-20200719:Jul 18 05:14:00 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp5s0 OUT= MAC=00:25:90:0e:9f:95:74:8e:f8:53:c6:80:08:00 SRC=150.158.111.251 DST=server.pepsi LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=54321 PROTO=TCP SPT=56306 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
/var/log/mysqld.log:2020-05-01T12:48:17.458739Z 619627 [Warning] IP address '150.158.111.251' has been resolved to the host name '31.20.97.83.ro.ovo.sc', which resembles IPv4-address itself.
/var/log/mysqld.log:2020-05-02T20:32:31.066314Z 4077 [Warning] IP address '150.158.111.251' has been resolved to the host name '31.20.97.83.ro.ovo.sc', which resembles IPv4-address itself.
/var/log/mysqld.log:2020-05-08T01:10:01.512974Z 57067 [Warning] IP address '150.158.111.251' has been resolved to the host name '31.20.97.83.ro.ovo.sc', which resembles IPv4-address itself.
/var/log/secure:Jul 19 05:27:45 pepsi sshd[24158]: Did not receive identification string from 150.158.111.251 port 24028
/var/log/secure:Jul 24 06:04:21 pepsi sshd[18562]: Did not receive identification string from 150.158.111.251 port 42209
/var/log/secure-20200628:Jun 21 16:58:20 pepsi sshd[11576]: Did not receive identification string from 150.158.111.251 port 43431
[[email protected] ~]#
so this shows that some user's password has been compromised, but how do we know which user??

How can we find out the username USED to log in to the server?

Thanks

cPanelLauren

Product Owner II
Staff member
What is output when you run the command as follows:

Code:
who
It should list active user sessions and the username they're logged in with.

All you get in messages for logins is something like the following:
Code:
Jul 24 14:05:20 server systemd-logind: New session 15601 of user root.
If the user isn't still logged in, you could search /var/log/secure for the IP, which would show the attempts and the username.

cPanelLauren

Product Owner II
Staff member
Well, if the user had logged in, you'd have output in the logs like the following from /var/log/messages:

Code:
Jul 24 14:37:54 server pure-ftpd: ([email protected]<myipaddress>) [INFO] New connection from <myipaddress>
Jul 24 14:37:59 server pure-ftpd: ([email protected]<myipaddress>) [INFO] lauren is now logged in
What that login looks like is a login attempt that failed.
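To make the "search the logs for the IP" advice above concrete, here is an added example (not code from the thread or from cPanel) that walks sshd, systemd-logind and pure-ftpd lines for one address and separates real logins from failed attempts and banner-only connections like the "Did not receive identification string" hits. The log lines are constructed; the sshd "Accepted/Failed ... for USER from IP" and pure-ftpd "(user@ip)" formats are assumed from those daemons' usual output.

```python
import re

# Constructed sample lines, not taken from the thread. The pure-ftpd
# "(user@ip)" prefix and "Authentication failed for user [x]" message
# are assumed from pure-ftpd's usual log format.
SAMPLE_LOG = """\
Jul 19 05:27:45 pepsi sshd[24158]: Did not receive identification string from 203.0.113.7 port 24028
Jul 19 05:28:01 pepsi sshd[24170]: Failed password for invalid user admin from 203.0.113.7 port 24100 ssh2
Jul 19 05:28:09 pepsi sshd[24170]: Failed password for root from 203.0.113.7 port 24100 ssh2
Jul 19 05:30:12 pepsi sshd[24201]: Accepted password for backup from 203.0.113.7 port 24310 ssh2
Jul 19 05:30:12 pepsi systemd-logind: New session 15601 of user backup.
Jul 18 03:14:10 pepsi pure-ftpd: (?@203.0.113.7) [INFO] New connection from 203.0.113.7
Jul 18 03:14:12 pepsi pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [shop]
Jul 18 03:14:40 pepsi pure-ftpd: (?@203.0.113.7) [INFO] Logout.
Jul 18 03:20:01 pepsi pure-ftpd: (?@198.51.100.9) [INFO] New connection from 198.51.100.9
Jul 18 03:20:05 pepsi pure-ftpd: (shop@198.51.100.9) [INFO] shop is now logged in
"""

SSH_AUTH = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port (\d+)")
SSH_NOID = re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)")
FTP_LINE = re.compile(r"pure-ftpd: \(([^@)]+)@([^)]+)\) \[(\w+)\] (.*)")


def login_events(log_text, ip):
    """Return (service, outcome, username) for each auth-relevant line
    involving `ip`; username is None where no name was ever offered."""
    events = []
    for line in log_text.splitlines():
        m = SSH_AUTH.search(line)
        if m and m.group(4) == ip:
            outcome = "success" if m.group(1) == "Accepted" else "failure"
            events.append(("sshd", outcome, m.group(3)))
            continue
        m = SSH_NOID.search(line)
        if m and m.group(1) == ip:
            # Client connected but never sent an SSH banner: a scan, not a login.
            events.append(("sshd", "no-auth-attempt", None))
            continue
        m = FTP_LINE.search(line)
        if m and m.group(2) == ip:
            user, msg = m.group(1), m.group(4)
            if msg.endswith("is now logged in"):
                events.append(("pure-ftpd", "success", user))
            elif "Authentication failed for user" in msg:
                events.append(("pure-ftpd", "failure", msg.split("[")[1].rstrip("]")))
    return events


def compromised_accounts(log_text, ip):
    """Usernames that actually authenticated from `ip`: reset these first."""
    return sorted({u for _, o, u in login_events(log_text, ip) if o == "success"})
```

Run it against the real files with `open("/var/log/secure").read()` (and the rotated `secure-*` copies) in place of `SAMPLE_LOG`; an empty result for an address means the connections seen in `netstat` never got past the banner or the password prompt.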