
Thursday, January 21, 2010

How to check if a hacker is trying to hack your site - Ubuntu

1, Check the auth log
sudo less /var/log/auth.log

On Ubuntu, sshd and PAM write every login attempt, successful or not, to /var/log/auth.log. The file is owned by root and readable only by the adm group, so you normally need sudo to open it.

Here is part of that file:

Jan 21 02:57:52 SS sshd[7749]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:57:54 SS sshd[7749]: Failed password for root from 222.73.68.164 port 47502 ssh2
Jan 21 02:57:57 SS sshd[7751]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:57:58 SS sshd[7751]: Failed password for root from 222.73.68.164 port 47809 ssh2
Jan 21 02:58:00 SS sshd[7753]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:02 SS sshd[7753]: Failed password for root from 222.73.68.164 port 48078 ssh2
Jan 21 02:58:05 SS sshd[7755]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:07 SS sshd[7755]: Failed password for root from 222.73.68.164 port 48385 ssh2
Jan 21 02:58:09 SS sshd[7757]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:11 SS sshd[7757]: Failed password for root from 222.73.68.164 port 48674 ssh2
Jan 21 02:58:13 SS sshd[7759]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:15 SS sshd[7759]: Failed password for root from 222.73.68.164 port 48969 ssh2
Jan 21 02:58:17 SS sshd[7761]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:19 SS sshd[7761]: Failed password for root from 222.73.68.164 port 49265 ssh2
Jan 21 02:58:21 SS sshd[7763]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:23 SS sshd[7763]: Failed password for root from 222.73.68.164 port 49572 ssh2
Jan 21 02:58:30 SS sshd[7765]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:32 SS sshd[7765]: Failed password for root from 222.73.68.164 port 49857 ssh2
Jan 21 02:58:34 SS sshd[7767]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:36 SS sshd[7767]: Failed password for root from 222.73.68.164 port 50415 ssh2

You can see that this host, 222.73.68.164, tried to log on to my server over SSH.
I am not going to blame this guy, because he is most likely a victim himself.
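Reading auth.log by hand works for one noisy address, but a script makes the check repeatable. The following is an added example, not code from the original post: it counts "Failed password" lines per source address and user name and prints the addresses that cross a threshold. The sample log it writes is constructed for the demonstration (the 222.73.68.164 lines mirror the excerpt above; the 10.0.0.5 and 192.0.2.10 lines are made up), and the function names and the default threshold of 5 are my choices.

```shell
#!/bin/sh
# Added example: summarise failed SSH logins in an Ubuntu auth.log.
# Relies on the sshd line format "Failed password for [invalid user] U from IP port N ssh2".

# write_sample_authlog FILE: write a constructed sample (not a real capture)
# modelled on the sshd/PAM lines shown in the post.
write_sample_authlog() {
    cat > "$1" <<'EOF'
Jan 21 02:57:52 SS sshd[7749]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:57:54 SS sshd[7749]: Failed password for root from 222.73.68.164 port 47502 ssh2
Jan 21 02:57:58 SS sshd[7751]: Failed password for root from 222.73.68.164 port 47809 ssh2
Jan 21 02:58:02 SS sshd[7753]: Failed password for root from 222.73.68.164 port 48078 ssh2
Jan 21 02:58:07 SS sshd[7755]: Failed password for root from 222.73.68.164 port 48385 ssh2
Jan 21 02:58:11 SS sshd[7757]: Failed password for root from 222.73.68.164 port 48674 ssh2
Jan 21 02:58:15 SS sshd[7759]: Failed password for root from 222.73.68.164 port 48969 ssh2
Jan 21 03:10:01 SS sshd[7801]: Failed password for invalid user admin from 10.0.0.5 port 51000 ssh2
Jan 21 03:10:04 SS sshd[7803]: Failed password for invalid user admin from 10.0.0.5 port 51002 ssh2
Jan 21 03:15:30 SS sshd[7820]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
EOF
}

# ssh_failures LOGFILE: print "count ip user" for every address/user pair
# with failed password attempts, most active first. The PAM
# "authentication failure" lines are skipped so each attempt counts once.
ssh_failures() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
    | awk '{
        # the address follows the word "from"; the user name precedes it
        for (i = 1; i <= NF; i++)
            if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
        count[ip " " user]++
      }
      END { for (k in count) print count[k], k }' \
    | sort -rn
}

# ssh_brute_force_sources LOGFILE [THRESHOLD]: print "count ip" for addresses
# whose failures across all user names reach THRESHOLD (default 5).
# Returns 1 when no address crosses it, so it can gate an alert.
ssh_brute_force_sources() {
    threshold="${2:-5}"
    ssh_failures "$1" \
    | awk -v t="$threshold" '
        { total[$2] += $1 }
        END { for (ip in total) if (total[ip] >= t) print total[ip], ip }' \
    | sort -rn | grep .
}

# Stand-alone run: build the sample and report on it.
sample=$(mktemp)
write_sample_authlog "$sample"
echo "failed logins per address and user:"
ssh_failures "$sample"
echo "addresses at or above the threshold:"
ssh_brute_force_sources "$sample" 5 || echo "(none)"
rm -f "$sample"
```

Run it against the real file with `sudo sh -c '. ./ssh_failures.sh; ssh_brute_force_sources /var/log/auth.log 20'` (assumed file name) from cron, and the non-zero return value tells you when there is nothing to report. On recent Ubuntu releases sshd also logs to the journal, so `journalctl -u ssh` can substitute for the file.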

2, File system integrity check
Use the find command to list the files under the web root that were modified in the past 24 hours (-mmin -1440 means "modified less than 1440 minutes ago"; -mtime -1 is equivalent):

find /var/www/ -mmin -1440 | more

Keep in mind that this is a quick check rather than a real integrity check: an attacker who can write to /var/www can also reset a file's modification time with touch, so a backdated web shell will not show up. The inode change time (-cmin) cannot be set that way and is worth checking too, and a hash baseline taken while the site was known to be good is the reliable way to find changed, added and removed files.

3, Send the report to yourself
You may want to receive this report by email, for example from a daily cron job.
First, save the find result to a file:
find /var/www/ -mmin -1440 > file_changed
Second, email the file to yourself:
/usr/sbin/sendmail -v 'xxxxxxxx@gmail.com' < file_changed
sendmail needs a local MTA (on Ubuntu, installing postfix provides /usr/sbin/sendmail). Note that sendmail reads the message headers from its input as well, so sent like this the mail arrives without a Subject line; put To: and Subject: headers in front of the file contents if you want something readable.
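Steps 2 and 3 together, as an added example that is not from the original post: instead of the 24-hour mtime scan it keeps a sha256 baseline of the web root, reports files that were changed, added or removed since the baseline, and mails the report with proper headers only when there is something to report. The web root /var/www, the baseline location and the function names are assumptions; the baseline should live outside the web root, owned by root, so that whoever can write the site cannot also rewrite the baseline.

```shell
#!/bin/sh
# Added example: hash baseline of the web root plus a mailed report.
# Assumes GNU coreutils (sha256sum) and a sendmail-compatible MTA at
# /usr/sbin/sendmail, as postfix provides on Ubuntu.

# make_baseline DIR FILE: record "sha256  ./path" for every regular file
# under DIR, sorted by path. Paths containing whitespace are not handled.
make_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} +) | sort -k 2 > "$2"
}

# integrity_report DIR BASELINE: print one line per difference between the
# current tree and the baseline: "added P", "changed P" or "removed P".
# Prints nothing when the tree still matches the baseline.
integrity_report() {
    dir="$1"; baseline="$2"
    current=$(mktemp)
    make_baseline "$dir" "$current"
    # FILENAME tells the two inputs apart even when the baseline is empty
    awk -v b="$baseline" '
        { if (FILENAME == b) base[$2] = $1; else cur[$2] = $1 }
        END {
            for (p in cur) {
                if (!(p in base)) print "added " p
                else if (cur[p] != base[p]) print "changed " p
            }
            for (p in base)
                if (!(p in cur)) print "removed " p
        }' "$baseline" "$current" | sort
    rm -f "$current"
}

# mail_report TO SUBJECT FILE: sendmail reads the headers from its input,
# so supply To: and Subject:; -t takes the recipient from the headers.
mail_report() {
    { printf 'To: %s\nSubject: %s\n\n' "$1" "$2"; cat "$3"; } | /usr/sbin/sendmail -t
}

# check_and_mail DIR BASELINE TO: mail the report only when it is non-empty.
check_and_mail() {
    report=$(mktemp)
    integrity_report "$1" "$2" > "$report"
    if [ -s "$report" ]; then
        mail_report "$3" "Integrity check: $1 differs from baseline" "$report"
    fi
    rm -f "$report"
}

# Stand-alone demonstration on a constructed directory (no mail is sent).
demo=$(mktemp -d); base=$(mktemp)
printf 'hello\n' > "$demo/index.html"
make_baseline "$demo" "$base"            # baseline of the known-good tree
printf 'evil\n' >> "$demo/index.html"    # simulate a defacement
printf 'x\n' > "$demo/shell.php"         # simulate a dropped web shell
echo "report:"; integrity_report "$demo" "$base"
rm -rf "$demo" "$base"
```

Usage on a real server (assumed paths): `make_baseline /var/www /var/lib/www-baseline.sha256` right after a deploy, then `check_and_mail /var/www /var/lib/www-baseline.sha256 you@example.com` from root's crontab. Re-run make_baseline after every legitimate change, otherwise every check will report it.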
