Active Hack

Support for security such as Firewalls and securing linux
jpglaspie
Posts: 1
Joined: 2016/09/08 13:58:31

Active Hack

Post by jpglaspie » 2016/09/08 19:08:39

I have been watching the log files for about a week and below is what I keep getting. I have also gotten brute-force attempts in the logs and even had one IP address that tried to access using a correct username but the password failed. I have limited experience with CentOS. This is an unmanaged dedicated server that I have now acquired responsibility for. Any help would be appreciated.

Sep 8 13:35:06 server pam_pwdfile[31624]: couldn't open password file /etc/techproxy.shadow
Sep 8 13:35:08 server pam_pwdfile[31624]: couldn't open password file /etc/techproxy.shadow
Sep 8 13:35:10 server pam_pwdfile[31624]: couldn't open password file /etc/techproxy.shadow
Sep 8 13:39:49 server pam_pwdfile[32032]: couldn't open password file /etc/techproxy.shadow
Sep 8 13:39:52 server pam_pwdfile[32032]: couldn't open password file /etc/techproxy.shadow
Sep 8 13:39:54 server pam_pwdfile[32032]: couldn't open password file /etc/techproxy.shadow
Sep 8 13:49:22 server pam_pwdfile[32722]: couldn't open password file /etc/techproxy.shadow
Sep 8 13:49:24 server pam_pwdfile[32722]: couldn't open password file /etc/techproxy.shadow
Sep 8 13:49:26 server pam_pwdfile[32722]: couldn't open password file /etc/techproxy.shadow
Sep 8 13:57:12 server pam_pwdfile[838]: couldn't open password file /etc/techproxy.shadow

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Active Hack

Post by avij » 2016/09/08 19:38:08

Those log entries you quoted look more like a misconfiguration to me. Run grep -r proxy /etc/pam.d to see where that file is configured, and then examine that file to see if it matches what you would expect.

andygwood
Posts: 1
Joined: 2016/09/14 05:54:34
Location: Louisville, KY

Re: Active Hack

Post by andygwood » 2016/09/14 05:57:42

Having the exact same issue. The contents of that file read:

auth sufficient pam_pwdfile.so pwdfile /etc/techproxy.shadow
session optional pam_hooks.so /usr/sec/bin/remove_techproxy_login

Does that mean anything to you?

-Andrew

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Active Hack

Post by TrevorH » 2016/09/14 06:31:46

Those log messages and that pam entry look extremely suspicious to me. I see nothing that supplies either pam_hooks.so or any file with "techproxy" in its name. What is the output from file /usr/sec/bin/remove_techproxy_login?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
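The checks suggested in this thread (grep the PAM configuration, then ask what supplies the module and the file it points at) can be turned into a small audit that lists every PAM entry whose module is not present in the module directory, together with any absolute paths that entry is given. The script below is an added example and is not code from the thread or from CentOS; the sample pam.d tree and module directory it builds are constructed for illustration, with the two lines andygwood posted placed among ordinary entries.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists PAM entries whose module file
# is missing from the module directory, plus the absolute-path arguments each
# such entry carries, so an entry like the one quoted above stands out.
# Usage on a real host: pam_audit /etc/pam.d /lib64/security
# (the module directory differs between distributions; adjust as needed).

# Output format, one line per hit:
#   <config file>:<module>:<comma-separated absolute-path arguments, or ->
pam_audit() {
    cfg_dir="$1"; mod_dir="$2"
    for f in "$cfg_dir"/*; do
        [ -f "$f" ] || continue
        # drop comment lines, keep only lines that name a module
        grep -v '^[[:space:]]*#' "$f" | grep '\.so' | while read -r line; do
            module=""; paths=""
            for tok in $line; do
                case "$tok" in
                    *.so) module="$tok" ;;                 # module name
                    /*)   paths="${paths:+$paths,}$tok" ;; # path argument
                esac
            done
            [ -n "$module" ] || continue
            if [ ! -e "$mod_dir/$module" ]; then
                printf '%s:%s:%s\n' "$f" "$module" "${paths:--}"
            fi
        done
    done
}

# Build a constructed sample tree under $1: a pam.d/sshd with stock entries
# and the two lines from the thread, and a module dir holding only the stock
# modules (so pam_pwdfile.so and pam_hooks.so are "supplied by nothing").
make_sample() {
    root="$1"
    mkdir -p "$root/pam.d" "$root/security"
    for m in pam_env.so pam_unix.so pam_deny.so; do : > "$root/security/$m"; done
    cat > "$root/pam.d/sshd" <<'EOF'
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       sufficient   pam_pwdfile.so pwdfile /etc/techproxy.shadow
auth       required     pam_deny.so
session    optional     pam_hooks.so /usr/sec/bin/remove_techproxy_login
EOF
}

# Stand-alone run against the constructed sample.
sample=$(mktemp -d)
make_sample "$sample"
pam_audit "$sample/pam.d" "$sample/security"
rm -rf "$sample"
```

Against the sample this prints exactly the two thread entries (pam_pwdfile.so with /etc/techproxy.shadow and pam_hooks.so with /usr/sec/bin/remove_techproxy_login) and nothing for the stock modules. On a real host, each path the audit reports is a candidate for the file and rpm -qf checks TrevorH and avij ask for; a module or helper that no package owns is the signal this thread is about.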

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Active Hack

Post by avij » 2016/09/14 10:23:13

While you're at it, please run rpm -qf /usr/sec/bin/remove_techproxy_login as well. I believe it says "file ... is not owned by any package", but I'd like to make sure.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Active Hack

Post by avij » 2016/09/14 10:41:00

Are you guys perhaps hosted at the same company? If the initial installation of the operating system was done by some company and not by yourself, perhaps they left some sort of a backdoor which they can use to log in to your server if needed.
