I'm wondering about this kind of entry found in /var/log/auth.log.
Is it an intrusion attempt, or is it an automatic cron action?
Is it similar on your systems?
In the code block below, I removed many identical lines so as not to clutter it too much.
Code:
Jun 4 13:47:39 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 13:47:41 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/http.error
Jun 4 13:47:41 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 13:47:41 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 13:47:43 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/http.error
Jun 4 13:47:43 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 13:47:43 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 13:47:43 debian sshd[16994]: Invalid user gitolite3 from 188.166.1.95 port 55235
Jun 4 13:47:43 debian sshd[16994]: input_userauth_request: invalid user gitolite3 [preauth]
Jun 4 13:47:43 debian sshd[16994]: pam_unix(sshd:auth): check pass; user unknown
Jun 4 13:47:43 debian sshd[16994]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=188.166.1.95
Jun 4 13:47:44 debian sshd[16994]: Failed password for invalid user gitolite3 from 188.166.1.95 port 55235 ssh2
Jun 4 13:47:44 debian sshd[16994]: Received disconnect from 188.166.1.95 port 55235:11: Bye Bye [preauth]
Jun 4 13:47:44 debian sshd[16994]: Disconnected from 188.166.1.95 port 55235 [preauth]
Jun 4 13:47:50 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/http.error
Jun 4 13:47:50 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 13:47:50 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 13:50:06 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 13:50:07 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/http.error
Jun 4 13:50:07 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 13:50:07 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 13:50:09 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/http.error
Jun 4 13:50:09 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 13:50:09 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 13:50:10 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/http.error
Jun 4 13:50:10 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 13:50:10 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 13:50:11 debian sshd[18661]: Invalid user master from 188.166.1.95 port 38419
Jun 4 13:50:11 debian sshd[18661]: input_userauth_request: invalid user master [preauth]
Jun 4 13:50:11 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/http.error
Jun 4 13:50:11 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 13:50:11 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 13:50:11 debian sshd[18661]: pam_unix(sshd:auth): check pass; user unknown
Jun 4 13:50:11 debian sshd[18661]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=188.166.1.95
Jun 4 13:50:12 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/http.error
Jun 4 13:51:02 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/http.error
Jun 4 13:51:02 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 13:51:02 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 13:51:05 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 13:51:05 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/http.error
Jun 4 13:51:05 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 13:51:05 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 13:51:06 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/http.error
Jun 4 13:51:06 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 13:51:06 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 13:51:06 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/http.error
Jun 4 13:51:06 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 13:51:06 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 13:51:07 debian sshd[19520]: Invalid user felix from 167.99.222.202 port 60824
Jun 4 13:51:07 debian sshd[19520]: input_userauth_request: invalid user felix [preauth]
Jun 4 13:51:07 debian sshd[19520]: pam_unix(sshd:auth): check pass; user unknown
Jun 4 13:51:07 debian sshd[19520]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=167.99.222.202
Jun 4 13:51:07 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/http.error
Jun 4 13:51:07 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 13:51:07 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 13:51:07 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/http.error
Jun 4 13:51:07 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 13:51:07 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 13:51:08 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/http.error
Jun 4 13:51:08 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 13:51:08 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 13:51:08 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/http.error
Jun 4 13:51:08 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 13:51:08 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 13:51:09 debian sshd[19520]: Failed password for invalid user felix from 167.99.222.202 port 60824 ssh2
Jun 4 13:51:09 debian sshd[19520]: Received disconnect from 167.99.222.202 port 60824:11: Bye Bye [preauth]
Jun 4 13:51:09 debian sshd[19520]: Disconnected from 167.99.222.202 port 60824 [preauth]
Jun 4 13:51:09 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/http.error
Jun 4 13:51:09 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 13:51:09 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 13:51:10 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/http.error
Jun 4 13:51:10 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Where do all these IPs come from? With the logins gitolite3, felix, rhost....
Jun 4 13:47:43 debian sshd[16994]: Invalid user gitolite3 from 188.166.1.95 port 55235
Jun 4 13:47:43 debian sshd[16994]: input_userauth_request: invalid user gitolite3 [preauth]
Jun 4 13:47:43 debian sshd[16994]: pam_unix(sshd:auth): check pass; user unknown
Jun 4 13:47:43 debian sshd[16994]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=188.166.1.95
Jun 4 13:47:44 debian sshd[16994]: Failed password for invalid user gitolite3 from 188.166.1.95 port 55235 ssh2
Jun 4 13:47:44 debian sshd[16994]: Received disconnect from 188.166.1.95 port 55235:11: Bye Bye [preauth]
Jun 4 13:47:44 debian sshd[16994]: Disconnected from 188.166.1.95 port 55235 [preauth]
Jun 4 13:51:07 debian sshd[19520]: Invalid user felix from 167.99.222.202 port 60824
Jun 4 13:51:07 debian sshd[19520]: input_userauth_request: invalid user felix [preauth]
Jun 4 13:50:11 debian sshd[18661]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=188.166.1.95
Jun 4 13:51:09 debian sshd[19520]: Failed password for invalid user felix from 167.99.222.202 port 60824 ssh2
Jun 4 13:51:09 debian sshd[19520]: Received disconnect from 167.99.222.202 port 60824:11: Bye Bye [preauth]
Jun 4 13:51:09 debian sshd[19520]: Disconnected from 167.99.222.202 port 60824 [preauth]
What is also curious, and what made me wonder, is that my http error log contained entries like
[Mon Jun 03 00:09:15.537822 2019] [mpm_prefork:notice] [pid 465] AH00171: Graceful restart requested, doing restart.
Without my doing anything, the log emptied itself!!! ????
This auth.log file is currently 10406 KB and keeps growing. The last lines:
Code:
Jun 4 16:05:09 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 16:05:11 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/cron_execution
Jun 4 16:05:11 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 16:05:11 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 16:05:12 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/cron_execution
Jun 4 16:05:12 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 16:05:12 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 16:05:13 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/cron_execution
Jun 4 16:05:13 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 16:05:13 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 16:05:14 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/cron_execution
Jun 4 16:05:14 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 16:05:14 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 16:05:15 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/cron_execution
Jun 4 16:05:15 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 16:05:15 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 16:05:16 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/cron_execution
Jun 4 16:05:16 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 16:05:16 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 16:05:17 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/cron_execution
Jun 4 16:05:17 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 16:05:17 debian sudo: pam_unix(sudo:session): session closed for user root
The last messages, 3 hours later:
Code:
Jun 4 19:00:50 debian sshd[28632]: Connection closed by 47.95.12.181 port 36960 [preauth]
Jun 4 19:00:57 debian sshd[28654]: Connection closed by 121.42.15.13 port 38486 [preauth]
Jun 4 19:01:01 debian CRON[28668]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Jun 4 19:01:03 debian CRON[28668]: pam_unix(cron:session): session closed for user www-data
Jun 4 19:02:01 debian CRON[28912]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Jun 4 19:02:03 debian CRON[28912]: pam_unix(cron:session): session closed for user www-data
Jun 4 19:03:01 debian CRON[29161]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Jun 4 19:03:03 debian CRON[29161]: pam_unix(cron:session): session closed for user www-data
Jun 4 19:04:01 debian CRON[29413]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Jun 4 19:04:03 debian CRON[29413]: pam_unix(cron:session): session closed for user www-data
Jun 4 19:04:42 debian sshd[29595]: Invalid user swearer from 43.241.234.126 port 60098
Jun 4 19:04:42 debian sshd[29595]: input_userauth_request: invalid user swearer [preauth]
Jun 4 19:04:42 debian sshd[29595]: pam_unix(sshd:auth): check pass; user unknown
Jun 4 19:04:42 debian sshd[29595]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.241.234.126
Jun 4 19:04:44 debian sshd[29595]: Failed password for invalid user swearer from 43.241.234.126 port 60098 ssh2
Jun 4 19:04:44 debian sshd[29595]: Received disconnect from 43.241.234.126 port 60098:11: Bye Bye [preauth]
Jun 4 19:04:44 debian sshd[29595]: Disconnected from 43.241.234.126 port 60098 [preauth]
Jun 4 19:05:01 debian CRON[29663]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Jun 4 19:05:01 debian CRON[29662]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 4 19:05:01 debian CRON[29662]: pam_unix(cron:session): session closed for user root
Jun 4 19:05:03 debian sudo: www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/chmod 777 /dev/ttyACM0
Jun 4 19:05:03 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 19:05:03 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 19:05:04 debian CRON[29663]: pam_unix(cron:session): session closed for user www-data
Jun 4 19:06:01 debian CRON[29990]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Jun 4 19:06:03 debian CRON[29990]: pam_unix(cron:session): session closed for user www-data
Jun 4 19:07:01 debian CRON[30232]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Jun 4 19:07:03 debian CRON[30232]: pam_unix(cron:session): session closed for user www-data
Jun 4 19:07:30 debian sshd[30371]: Invalid user ie from 43.241.234.126 port 52638
Jun 4 19:07:30 debian sshd[30371]: input_userauth_request: invalid user ie [preauth]
Jun 4 19:07:30 debian sshd[30371]: pam_unix(sshd:auth): check pass; user unknown
Jun 4 19:07:30 debian sshd[30371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.241.234.126
Jun 4 19:07:32 debian sshd[30371]: Failed password for invalid user ie from 43.241.234.126 port 52638 ssh2
Jun 4 19:08:01 debian CRON[30484]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Jun 4 19:08:03 debian CRON[30484]: pam_unix(cron:session): session closed for user www-data
Jun 4 19:09:01 debian CRON[30726]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Jun 4 19:09:01 debian CRON[30725]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 4 19:09:01 debian CRON[30725]: pam_unix(cron:session): session closed for user root
Jun 4 19:09:03 debian CRON[30726]: pam_unix(cron:session): session closed for user www-data
Jun 4 19:10:02 debian CRON[31025]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 4 19:10:02 debian CRON[31026]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Jun 4 19:10:02 debian CRON[31025]: pam_unix(cron:session): session closed for user root
Jun 4 19:10:04 debian sudo: www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/chmod 777 /dev/ttyACM0
Jun 4 19:10:04 debian sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 4 19:10:04 debian sudo: pam_unix(sudo:session): session closed for user root
Jun 4 19:10:05 debian CRON[31026]: pam_unix(cron:session): session closed for user www-data
Jun 4 19:11:00 debian sshd[31323]: Accepted password for root from 192.168.1.38 port 1461 ssh2
Jun 4 19:11:00 debian sshd[31323]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 4 19:11:00 debian systemd-logind[348]: New session 665 of user root.
Jun 4 19:11:00 debian systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jun 4 19:11:01 debian CRON[31357]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Jun 4 19:11:03 debian CRON[31357]: pam_unix(cron:session): session closed for user www-data
The others, I don't know.
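Added example, not part of the post above: a small Python triage script run over a constructed subset of the quoted auth.log lines. It separates the three things the log mixes together: non-interactive sudo-to-root by www-data (TTY=unknown, the mark of a script or web application rather than a person at a terminal), sshd invalid-user attempts counted per remote IP, and accepted logins, flagging any that did not come from the local network. The LAN prefixes are an assumption to adjust for the network in use.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the post's auth.log excerpts.
SAMPLE_LOG = """\
Jun 4 13:47:41 debian sudo: www-data : TTY=unknown ; PWD=/var/www/html/core/ajax ; USER=root ; COMMAND=/bin/chmod 664 /var/www/html/core/class/../../log/http.error
Jun 4 13:47:43 debian sshd[16994]: Invalid user gitolite3 from 188.166.1.95 port 55235
Jun 4 13:47:44 debian sshd[16994]: Failed password for invalid user gitolite3 from 188.166.1.95 port 55235 ssh2
Jun 4 13:50:11 debian sshd[18661]: Invalid user master from 188.166.1.95 port 38419
Jun 4 13:51:07 debian sshd[19520]: Invalid user felix from 167.99.222.202 port 60824
Jun 4 19:05:01 debian CRON[29663]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Jun 4 19:05:03 debian sudo: www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/chmod 777 /dev/ttyACM0
Jun 4 19:11:00 debian sshd[31323]: Accepted password for root from 192.168.1.38 port 1461 ssh2
"""

# sudo's own log line: "<caller> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<caller>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# sshd: one "Invalid user" line per attempt against an account that does not exist
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
# sshd: successful logins, the lines that matter most when reviewing auth.log
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+)")

def triage(text):
    """Return (sudo commands, invalid-user attempts per IP, accepted logins)."""
    sudo_cmds = Counter()      # (caller, tty, target, command) -> occurrences
    invalid_by_ip = Counter()  # remote IP -> invalid-user attempts
    accepted = []              # (user, ip, auth method)
    for line in text.splitlines():
        if m := SUDO_RE.search(line):
            sudo_cmds[(m["caller"], m["tty"], m["target"], m["cmd"])] += 1
        elif m := INVALID_RE.search(line):
            invalid_by_ip[m["ip"]] += 1
        elif m := ACCEPTED_RE.search(line):
            accepted.append((m["user"], m["ip"], m["method"]))
    return sudo_cmds, invalid_by_ip, accepted

def scripted_root_sudo(sudo_cmds):
    """sudo to root with no terminal (TTY=unknown) from a non-root account:
    the signature of a web app or cron job, not of a person typing commands."""
    return sorted({(c, cmd) for (c, tty, t, cmd) in sudo_cmds
                   if tty == "unknown" and t == "root" and c != "root"})

def remote_accepted_logins(accepted, local_prefixes=("192.168.", "10.")):
    """Accepted logins that did not come from the local network.
    The prefixes are an assumption: set them to the LAN ranges actually in use."""
    return [a for a in accepted if not a[1].startswith(local_prefixes)]

if __name__ == "__main__":
    cmds, by_ip, ok = triage(SAMPLE_LOG)
    print(scripted_root_sudo(cmds), by_ip.most_common(), remote_accepted_logins(ok))
```

In the post's log the sudo lines all carry TTY=unknown and the same chmod command from the web root, so they group into one or two entries; the sshd "Invalid user" lines group by source address, which is the quickest way to see how many distinct hosts are probing.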