I've since applied Leif's firewall rules from posts 22 and 21, but I need some advice on log activity entries related to a brute-force break-in.
Could someone explain this entry? It's obviously the hacker, as I don't think iptables will address it:
"Nov 6 06:32:31 a100 /usr/sbin/httpd: gethostby*.getanswer: asked for "gawain.soc.staffs.ac.uk IN A", got type "39" "
I saw a number of these sandwiched in the annoying:
"Nov 7 07:55:22 ns1 userhelper: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'
Nov 7 07:55:22 ns1 userhelper: running '/usr/sbin/up2date -l --showall' with root privileges on behalf of 'root'"
"Nov 7 08:30:04 a100 su(pam_unix): session opened for user postgres by (uid=0)
Nov 7 08:30:04 a100 su(pam_unix): session closed for user postgres"
every 5 minutes.
I've seen this stuff before, where the hackers came in and established httpd services off the server by way of an IRC connection. We don't have IRC services, and I think we're back to dealing with PHP scripting. They are particularly prone to this box.
Any security-savvy takers?
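As an added example (not from the poster or any product), a small Python triage script that parses the syslog lines quoted above: it recognises the glibc gethostby*.getanswer notice (type 39 is the DNAME record type, so the resolver got a DNAME where it asked for an A record), tags the su and userhelper entries, and measures the interval between repeated su sessions. The sample log below is constructed from the post's entries plus one later su line, and the year 2000 in the parser is a placeholder because BSD syslog carries no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the post's entries plus one su line five minutes later.
SAMPLE_LOG = """\
Nov 6 06:32:31 a100 /usr/sbin/httpd: gethostby*.getanswer: asked for "gawain.soc.staffs.ac.uk IN A", got type "39"
Nov 7 07:55:22 ns1 userhelper: running '/usr/sbin/up2date -l --showall' with root privileges on behalf of 'root'
Nov 7 08:30:04 a100 su(pam_unix): session opened for user postgres by (uid=0)
Nov 7 08:35:04 a100 su(pam_unix): session opened for user postgres by (uid=0)
"""

SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")
GETANSWER_RE = re.compile(r'asked for "(\S+) IN (\w+)", got type "(\d+)"')
SU_OPEN_RE = re.compile(r"session opened for user (\S+) by \(uid=(\d+)\)")
DNAME_TYPE = 39  # DNS RR type number of DNAME (RFC 6672)

def parse_line(line):
    """Split a BSD-syslog line into timestamp, host, program and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hms, host, prog, msg = m.groups()
    # BSD syslog has no year; 2000 is a placeholder so timestamps are comparable.
    ts = datetime.strptime(f"{mon} {day} {hms} 2000", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "host": host, "prog": prog, "msg": msg}

def classify(e):
    """Return (category, detail) for one parsed entry."""
    m = GETANSWER_RE.search(e["msg"])
    if m:  # glibc resolver received a different RR type than it queried for
        got = int(m.group(3))
        what = "DNAME" if got == DNAME_TYPE else f"type {got}"
        return "resolver-notice", f"{e['prog']} asked {m.group(1)} IN {m.group(2)}, got {what}"
    m = SU_OPEN_RE.search(e["msg"])
    if m:  # uid=0 means root (typically a cron job) started the su session
        who = "root" if m.group(2) == "0" else f"uid {m.group(2)}"
        return "su-session", f"{who} switched to {m.group(1)} on {e['host']}"
    if "with root privileges on behalf of" in e["msg"]:
        return "userhelper-root", e["msg"]
    return "other", e["msg"]

def triage(text):
    # Classify every line and measure gaps between repeated su sessions per host/user.
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    cats = [classify(e) for e in entries]
    su_times = defaultdict(list)
    for e, (cat, _) in zip(entries, cats):
        if cat == "su-session":
            su_times[(e["host"], SU_OPEN_RE.search(e["msg"]).group(1))].append(e["ts"])
    intervals = {k: [int((b - a).total_seconds()) for a, b in zip(v, v[1:])]
                 for k, v in su_times.items()}
    return cats, intervals
```

A steady 300-second interval from a uid=0 su into a service account points at a scheduled job rather than interactive activity, which is the first thing to confirm against the crontabs before treating the entries as an intrusion.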