SOLVED netstat - ESTABLISHED = LOGIN?, and how we can get the USERNAME used for that connection?

000

Well-Known Member
Jun 3, 2008
242
8
68
hello,
we run
Bash:
[[email protected] ~]# netstat -tan | grep \:22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 pepsiserver:22        150.158.111.251:33848   ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
[[email protected] ~]#
then we seek 150.158.111.251 and this is CHINA hackers!

After we see LOGS:
Code:
[[email protected] ~]# egrep -Ri '150.158.111.251' /var/log/*
/var/log/messages-20200719:Jul 18 02:37:00 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp5s0 OUT= MAC=00:25:90:0e:9f:95:74:8e:f8:53:c6:80:08:00 SRC=150.158.111.251 DST=server.pepsi LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=54321 PROTO=TCP SPT=53906 DPT=7547 WINDOW=65535 RES=0x00 SYN URGP=0
/var/log/messages-20200719:Jul 18 03:14:10 pepsi pure-ftpd: ([email protected]) [INFO] New connection from 150.158.111.251
/var/log/messages-20200719:Jul 18 03:14:40 pepsi pure-ftpd: ([email protected]) [INFO] Logout.
/var/log/messages-20200719:Jul 18 04:54:42 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp5s0 OUT= MAC=00:25:90:0e:9f:95:74:8e:f8:53:c6:80:08:00 SRC=150.158.111.251 DST=server.pepsi LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=54321 PROTO=TCP SPT=45654 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
/var/log/messages-20200719:Jul 18 05:14:00 pepsi kernel: Firewall: *TCP_IN Blocked* IN=enp5s0 OUT= MAC=00:25:90:0e:9f:95:74:8e:f8:53:c6:80:08:00 SRC=150.158.111.251 DST=server.pepsi LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=54321 PROTO=TCP SPT=56306 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
/var/log/mysqld.log:2020-05-01T12:48:17.458739Z 619627 [Warning] IP address '150.158.111.251' has been resolved to the host name '31.20.97.83.ro.ovo.sc', which resembles IPv4-address itself.
/var/log/mysqld.log:2020-05-02T20:32:31.066314Z 4077 [Warning] IP address '150.158.111.251' has been resolved to the host name '31.20.97.83.ro.ovo.sc', which resembles IPv4-address itself.
/var/log/mysqld.log:2020-05-08T01:10:01.512974Z 57067 [Warning] IP address '150.158.111.251' has been resolved to the host name '31.20.97.83.ro.ovo.sc', which resembles IPv4-address itself.
/var/log/secure:Jul 19 05:27:45 pepsi sshd[24158]: Did not receive identification string from 150.158.111.251 port 24028
/var/log/secure:Jul 24 06:04:21 pepsi sshd[18562]: Did not receive identification string from 150.158.111.251 port 42209
/var/log/secure-20200628:Jun 21 16:58:20 pepsi sshd[11576]: Did not receive identification string from 150.158.111.251 port 43431
[[email protected] ~]#
then this show as X user have compromised the password, but how know what user??

How we can know username USED for login in server?

Thanks
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,251
313
Houston
What is output when you run the command as follows:

Code:
who
It should list active user sessions and the username they're logged in with.

All you get in messages for logins is something like the following:
Code:
Jul 24 14:05:20 server systemd-logind: New session 15601 of user root.
If the user isn't logged in still you could search /var/log/secure for the IP which would show the attempts and username
 
Last edited:

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,251
313
Houston
Well if the user logged in you'd have output in the logs like the following from /var/log/messages

Code:
Jul 24 14:37:54 server pure-ftpd: ([email protected]<myipaddress>) [INFO] New connection from <myipaddress>
Jul 24 14:37:59 server pure-ftpd: ([email protected]<myipaddress>) [INFO] lauren is now logged in
What that login looks like is a login attempt that failed.