Hi,
We have had root logins from an unknown IP a few times in the last few hours. Nothing seems to have been changed or damaged. This one was not a brute force attempt. So it could be someone in the organisation, legitimately logging in, but finding out who takes time in a company - and some damage can be done by then.
The damage could be insidious, hidden - installation of some rogue software / script / etc.
1. First thing I did was to change the root password.
2. Next, I plan to install and run rkhunter (which, yes, wasn't installed, so my bad). I have read that if root is compromised then a worst case scenario is that system binaries and even an installed rkhunter can be compromised/modified. So luckily in that sense, rkhunter is now reliable.
3. I have CSF+LFD running which is how I found out in the first place.
But the interesting thing is that in CSF, there is the option LF_INTEGRITY which I *definitely* had set to enabled, and it now shows the red "Warning" message.
I had to put CSF back into "Testing" mode for a while - does this disable LF_INTEGRITY checking automatically?
PT_SKIP_HTTP and PT_ALL_USERS are also not in force ("Warning").
Do these three have to be re-enabled every time when setting Testing to 0?
4. Brute force login attempts from rogue IP ranges are a very common daily occurrence with us now. cPHulk seems to discourage those fairly well (30 tries = banned for 15 days).
We have, of course, backed up everything offline.
Any other suggestions?
Thanks in advance,
Dave
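As an added example (not code from the post or from CSF itself), a small audit of the csf.conf settings named above. It assumes csf.conf's `KEY = "value"` line format, that lfd does not start while TESTING is set to 1 (so none of its checks are in force until TESTING is 0), and takes PT_SKIP_HTTP = 0 and PT_ALL_USERS = 1 as the expected hardened values; the sample config is constructed, not taken from any real server.

```python
import re
from typing import Dict, List

# Constructed csf.conf excerpt (not a dump from a real server): the box has
# been put back into Testing mode, the state described in the post.
SAMPLE_CSF_CONF = """\
# Testing flag - lfd will not start while this is enabled
TESTING = "1"
TESTING_INTERVAL = "5"
# Interval in seconds between system binary integrity checks (0 = disabled)
LF_INTEGRITY = "3600"
PT_SKIP_HTTP = "1"
PT_ALL_USERS = "0"
"""

KEY_VALUE = re.compile(r'^\s*([A-Z][A-Z0-9_]*)\s*=\s*"([^"]*)"\s*$')

def parse_csf_conf(text: str) -> Dict[str, str]:
    """Return the KEY = "value" pairs from csf.conf, ignoring comments and blank lines."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit_lfd_settings(settings: Dict[str, str]) -> List[str]:
    """List the lfd-related settings that are not in force for this config."""
    findings: List[str] = []
    testing = settings.get("TESTING", "0") != "0"
    if testing:
        findings.append("TESTING=1: lfd does not start, so no lfd check is in force until TESTING=0")
    if settings.get("LF_INTEGRITY", "0") == "0":
        findings.append("LF_INTEGRITY=0: system binary integrity checking is disabled")
    elif testing:
        findings.append("LF_INTEGRITY is set but inactive while TESTING=1")
    # Assumed hardened values (an assumption of this example, not from the post):
    # PT_SKIP_HTTP should be 0 (track http processes too), PT_ALL_USERS should be 1.
    if settings.get("PT_SKIP_HTTP", "0") != "0":
        findings.append("PT_SKIP_HTTP=1: http processes are excluded from process tracking")
    if settings.get("PT_ALL_USERS", "0") != "1":
        findings.append("PT_ALL_USERS=0: process tracking is not applied to all users")
    return findings

def audit_file(path: str = "/etc/csf/csf.conf") -> List[str]:
    """Audit a real csf.conf on disk (path is CSF's default location)."""
    with open(path, encoding="utf-8") as fh:
        return audit_lfd_settings(parse_csf_conf(fh.read()))

if __name__ == "__main__":
    for finding in audit_lfd_settings(parse_csf_conf(SAMPLE_CSF_CONF)):
        print("WARNING:", finding)
```

Run it against the live file with `audit_file()` after setting TESTING back to 0 to confirm the three warnings clear without re-editing the other keys.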