Discussion in 'Server Operation' started by QPRWinst, Nov 22, 2010.

  1. QPRWinst

    QPRWinst New Member

    Afternoon all

    After a week off work, came in this morning and discovered that the administrator password had been changed on my server.

    As I'm the only one with any Linux knowledge this is a bit worrying.

    What I would like to know is what logs should I examine and where are they found?

    My setup is based on the perfect ubuntu server 10.04.

  2. falko

    falko Super Moderator ISPConfig Developer

    Do you have fail2ban installed? If not, I strongly recommend installing it.

    Also, please run chkrootkit and/or rkhunter to find out if there's malware installed on your computer.
  3. QPRWinst

    QPRWinst New Member


    Yes, fail2ban is installed, and chkrootkit reported all good. rkhunter came back with warnings but they all look good.

    Where would I find an FTP or SSH log? If I was hacked, that would be the access point, I think. (Have disabled WAN access, allowing local access for now.)
  4. falko

    falko Super Moderator ISPConfig Developer

    The logs are in the /var/log/ directory.
  5. QPRWinst

    QPRWinst New Member

    Thanks for that.

    Have looked through a load of logs but I can't find anything. Can't even find my own SSH logins?

    Found a load of pureftpd log entries and all attempted connections were closed within the same second, but where do I find the SSH logins? If you could give me a file name to look for it would be appreciated.

  6. damir

    damir New Member

    SSH sometimes logs to /var/log/auth.log
  7. lqman

    lqman New Member

    I often check my "generic" log files
    and "service-based" log files,
    especially this one.
    Failed logins to your host:
    cat /var/log/auth.log | grep Failed
    Successful logins to your host:
    cat /var/log/auth.log | grep Accept
    You will be surprised by the brute-force attacks.
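
The two greps above, combined into one per-address summary. This is an added example and not part of the original post: it counts failed and accepted sshd logins per source IP and marks addresses that have both a run of failures and a success. The function names, the threshold of 3 and the sample lines are assumptions made for illustration; the line layout is the stock OpenSSH syslog format.

```shell
#!/bin/sh
# Added example (not from the thread): per-source-IP summary of sshd logins.
# Reads auth.log-format lines on stdin; $1 = failure threshold (default 3).
ssh_login_summary() {
    awk -v min="${1:-3}" '
    # Keep only sshd lines that record an authentication result, e.g.
    #   Nov 20 03:15:40 host sshd[2302]: Accepted password for root from IP port N ssh2
    $5 ~ /^sshd\[[0-9]+\]:$/ && ($6 == "Accepted" || $6 == "Failed") && $8 == "for" {
        # "for invalid user NAME" shifts the user name two fields right.
        user = ($9 == "invalid" && $10 == "user") ? $11 : $9
        # Take the LAST "from <ip> port" pair, so a logged user name
        # that itself contains "from ... port" cannot mask the real source.
        ip = ""
        for (i = 9; i + 2 <= NF; i++)
            if ($i == "from" && $(i + 2) == "port") ip = $(i + 1)
        if (ip == "") next
        seen[ip] = 1
        if ($6 == "Failed") failed[ip]++
        else {
            accepted[ip]++
            if (index(users[ip] ",", "," user ",") == 0) users[ip] = users[ip] "," user
        }
    }
    END {
        for (ip in seen) {
            # Many failures plus a success from one address deserves a closer look.
            flag = (accepted[ip] > 0 && failed[ip] >= min) ? "SUSPECT" : "ok"
            printf "%s failed=%d accepted=%d users=%s %s\n", ip, failed[ip], accepted[ip],
                   (users[ip] == "" ? "-" : substr(users[ip], 2)), flag
        }
    }' | sort
}

# Constructed sample lines (documentation addresses, not real log data).
sample_auth_log() {
    cat <<'EOF'
Nov 20 03:14:07 server1 sshd[2211]: Failed password for root from 203.0.113.45 port 40022 ssh2
Nov 20 03:14:09 server1 sshd[2212]: Failed password for invalid user admin from 203.0.113.45 port 40031 ssh2
Nov 20 03:14:12 server1 sshd[2213]: Failed password for root from 203.0.113.45 port 40040 ssh2
Nov 20 03:15:40 server1 sshd[2302]: Accepted password for root from 203.0.113.45 port 40110 ssh2
Nov 21 11:02:51 server1 sshd[2650]: Failed password for invalid user x from 10.0.0.1 port 1 from 198.51.100.7 port 5022 ssh2
Nov 22 09:01:12 server1 sshd[3011]: Accepted publickey for admin from 192.168.1.20 port 51514 ssh2
Nov 22 09:05:00 server1 CRON[3100]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

sample_auth_log | ssh_login_summary 3
```

On a real host, feed it the rotated logs as well (for example `zcat -f /var/log/auth.log* | ssh_login_summary`), since entries from a week ago may no longer be in the current file.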
  8. sjau

    sjau Local Meanie Moderator

    If you're unsure whether you got hacked, then you have to set up the machine again. You can't trust anything anymore on there.
