
#1 2024-10-26 19:07:20

jojo06
Member
Registered: 2023-11-04
Posts: 253

[SOLVED] Search of ssh connections

root@roses:/home/guns# journalctl --since "Oct 26 21:15:00" --until now | grep "rdp"
Oct 26 21:17:23 roses xrdp[139746]: stopping xrdp
Oct 26 21:17:23 roses xrdp[139746]: stopping process id 892
Oct 26 21:17:22 roses xrdp[892]: [INFO ] Received termination signal, stopping the server accept new connections thread
Oct 26 21:17:23 roses xrdp-sesman[139864]: sesman is not running (pid file not found - /var/run/xrdp/xrdp-sesman.pid)
Oct 26 21:17:22 roses systemd[1]: Stopping xrdp.service - xrdp daemon...
Oct 26 21:17:22 roses xrdp-sesman[855]: [INFO ] sesman_main_loop: sesman asked to terminate
Oct 26 21:17:22 roses systemd[1]: xrdp.service: Deactivated successfully.
Oct 26 21:17:22 roses systemd[1]: Stopped xrdp.service - xrdp daemon.
Oct 26 21:17:22 roses systemd[1]: Stopping xrdp-sesman.service - xrdp session manager...
Oct 26 21:17:22 roses systemd[1]: xrdp-sesman.service: Control process exited, code=exited, status=1/FAILURE
Oct 26 21:17:22 roses systemd[1]: xrdp-sesman.service: Failed with result 'exit-code'.
Oct 26 21:17:22 roses systemd[1]: Stopped xrdp-sesman.service - xrdp session manager.
Oct 26 21:17:48 roses systemd[1]: Starting xrdp-sesman.service - xrdp session manager...
Oct 26 21:17:48 roses xrdp-sesman[870]: [INFO ] starting xrdp-sesman with pid 870
Oct 26 21:17:48 roses systemd[1]: Started xrdp-sesman.service - xrdp session manager.
Oct 26 21:17:48 roses systemd[1]: Starting xrdp.service - xrdp daemon...
Oct 26 21:17:48 roses xrdp[901]: [INFO ] address [0.0.0.0] port [3389] mode 1
Oct 26 21:17:48 roses xrdp[901]: [INFO ] listening to port 3389 on 0.0.0.0
Oct 26 21:17:48 roses xrdp[901]: [INFO ] xrdp_listen_pp done
Oct 26 21:17:48 roses systemd[1]: xrdp.service: Can't open PID file /run/xrdp/xrdp.pid (yet?) after start: No such file or directory
Oct 26 21:17:49 roses systemd[1]: Started xrdp.service - xrdp daemon.
Oct 26 21:17:50 roses xrdp[907]: [INFO ] starting xrdp with pid 907
Oct 26 21:17:50 roses xrdp[907]: [INFO ] address [0.0.0.0] port [3389] mode 1
Oct 26 21:17:50 roses xrdp[907]: [INFO ] listening to port 3389 on 0.0.0.0
Oct 26 21:17:50 roses xrdp[907]: [INFO ] xrdp_listen_pp done
Oct 26 21:23:37 roses sudo[4449]:     guns : TTY=pts/0 ; PWD=/home/guns ; USER=root ; COMMAND=/usr/bin/systemctl status xrdp
Oct 26 21:23:41 roses sudo[4456]:     guns : TTY=pts/0 ; PWD=/home/guns ; USER=root ; COMMAND=/usr/bin/systemctl stop xrdp
Oct 26 21:23:41 roses systemd[1]: Stopping xrdp.service - xrdp daemon...
Oct 26 21:23:41 roses xrdp[4460]: stopping xrdp
Oct 26 21:23:41 roses xrdp[4460]: stopping process id 907
Oct 26 21:23:41 roses xrdp[907]: [INFO ] Received termination signal, stopping the server accept new connections thread
Oct 26 21:23:41 roses systemd[1]: xrdp.service: Deactivated successfully.
Oct 26 21:23:41 roses systemd[1]: Stopped xrdp.service - xrdp daemon.
Oct 26 21:23:41 roses systemd[1]: Stopping xrdp-sesman.service - xrdp session manager...
Oct 26 21:23:41 roses xrdp-sesman[4461]: sesman is not running (pid file not found - /var/run/xrdp/xrdp-sesman.pid)
Oct 26 21:23:41 roses systemd[1]: xrdp-sesman.service: Control process exited, code=exited, status=1/FAILURE
Oct 26 21:23:41 roses xrdp-sesman[870]: [INFO ] sesman_main_loop: sesman asked to terminate
Oct 26 21:23:41 roses systemd[1]: xrdp-sesman.service: Failed with result 'exit-code'.
Oct 26 21:23:41 roses systemd[1]: Stopped xrdp-sesman.service - xrdp session manager.
Oct 26 21:23:44 roses sudo[4465]:     guns : TTY=pts/0 ; PWD=/home/guns ; USER=root ; COMMAND=/usr/bin/systemctl disable xrdp
Oct 26 21:27:11 roses systemd[1]: Starting xrdp-sesman.service - xrdp session manager...
Oct 26 21:27:11 roses xrdp-sesman[907]: [INFO ] starting xrdp-sesman with pid 907
Oct 26 21:27:11 roses systemd[1]: Started xrdp-sesman.service - xrdp session manager.
Oct 26 21:27:11 roses systemd[1]: Starting xrdp.service - xrdp daemon...
Oct 26 21:27:12 roses xrdp[928]: [INFO ] address [0.0.0.0] port [3389] mode 1
Oct 26 21:27:12 roses xrdp[928]: [INFO ] listening to port 3389 on 0.0.0.0
Oct 26 21:27:12 roses xrdp[928]: [INFO ] xrdp_listen_pp done
Oct 26 21:27:12 roses systemd[1]: xrdp.service: Can't open PID file /run/xrdp/xrdp.pid (yet?) after start: No such file or directory
Oct 26 21:27:13 roses systemd[1]: Started xrdp.service - xrdp daemon.
Oct 26 21:27:14 roses xrdp[933]: [INFO ] starting xrdp with pid 933
Oct 26 21:27:14 roses xrdp[933]: [INFO ] address [0.0.0.0] port [3389] mode 1
Oct 26 21:27:14 roses xrdp[933]: [INFO ] listening to port 3389 on 0.0.0.0
Oct 26 21:27:14 roses xrdp[933]: [INFO ] xrdp_listen_pp done
Oct 26 21:35:57 roses sudo[7692]:     guns : TTY=pts/1 ; PWD=/home/guns ; USER=root ; COMMAND=/usr/bin/systemctl status xrdp
Oct 26 21:36:00 roses sudo[7698]:     guns : TTY=pts/1 ; PWD=/home/guns ; USER=root ; COMMAND=/usr/bin/systemctl stop xrdp
Oct 26 21:36:00 roses systemd[1]: Stopping xrdp.service - xrdp daemon...
Oct 26 21:36:00 roses xrdp[7702]: stopping xrdp
Oct 26 21:36:00 roses xrdp[7702]: stopping process id 933
Oct 26 21:36:00 roses xrdp[933]: [INFO ] Received termination signal, stopping the server accept new connections thread
Oct 26 21:36:00 roses systemd[1]: xrdp.service: Deactivated successfully.
Oct 26 21:36:00 roses systemd[1]: Stopped xrdp.service - xrdp daemon.
Oct 26 21:36:00 roses systemd[1]: Stopping xrdp-sesman.service - xrdp session manager...
Oct 26 21:36:00 roses xrdp-sesman[7703]: sesman is not running (pid file not found - /var/run/xrdp/xrdp-sesman.pid)
Oct 26 21:36:00 roses systemd[1]: xrdp-sesman.service: Control process exited, code=exited, status=1/FAILURE
Oct 26 21:36:00 roses xrdp-sesman[907]: [INFO ] sesman_main_loop: sesman asked to terminate
Oct 26 21:36:00 roses systemd[1]: xrdp-sesman.service: Failed with result 'exit-code'.
Oct 26 21:36:00 roses systemd[1]: Stopped xrdp-sesman.service - xrdp session manager.
Oct 26 21:36:22 roses sudo[7824]:     guns : TTY=pts/1 ; PWD=/home/guns ; USER=root ; COMMAND=/usr/bin/systemctl disable xrdp
Oct 26 21:43:09 roses systemd[1]: Starting xrdp-sesman.service - xrdp session manager...
Oct 26 21:43:09 roses xrdp-sesman[905]: [INFO ] starting xrdp-sesman with pid 905
Oct 26 21:43:09 roses systemd[1]: Started xrdp-sesman.service - xrdp session manager.
Oct 26 21:43:09 roses systemd[1]: Starting xrdp.service - xrdp daemon...
Oct 26 21:43:09 roses xrdp[915]: [INFO ] address [0.0.0.0] port [3389] mode 1
Oct 26 21:43:09 roses xrdp[915]: [INFO ] listening to port 3389 on 0.0.0.0
Oct 26 21:43:09 roses xrdp[915]: [INFO ] xrdp_listen_pp done
Oct 26 21:43:09 roses systemd[1]: xrdp.service: Can't open PID file /run/xrdp/xrdp.pid (yet?) after start: No such file or directory
Oct 26 21:43:10 roses systemd[1]: Started xrdp.service - xrdp daemon.
Oct 26 21:43:11 roses xrdp[916]: [INFO ] starting xrdp with pid 916
Oct 26 21:43:11 roses xrdp[916]: [INFO ] address [0.0.0.0] port [3389] mode 1
Oct 26 21:43:11 roses xrdp[916]: [INFO ] listening to port 3389 on 0.0.0.0
Oct 26 21:43:11 roses xrdp[916]: [INFO ] xrdp_listen_pp done
root@roses:/home/guns# systemctl stop xrdp
root@roses:/home/guns# systemctl stop xrdp.service
root@roses:/home/guns# systemctl disable xrdp.service
Synchronizing state of xrdp.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable xrdp
root@roses:/home/guns# systemctl disable xrdp
Synchronizing state of xrdp.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable xrdp

Sorry for the lame topic but it's urgent. Somebody tried to access my server (VDS)/website :: domain/.env << and in that file I have the password for ssh. And so rdp, yeah.

I immediately pulled the ethernet cable, disabled services and rebooted.
After reboot, I installed ufw (made internet available for a while) and reset the rules:

Commands I executed:

sudo ufw default deny incoming
sudo ufw reload

sudo systemctl stop apache2
sudo systemctl stop nginx
sudo systemctl stop postgresql
(also disabled)

sudo ufw reset
sudo ufw enable

 1131  2024-10-26 21:39:52 sudo systemctl stop cups
 1132  2024-10-26 21:39:55 sudo systemctl disable cups
 1133  2024-10-26 21:40:03 sudo systemctl stop postfix
 1134  2024-10-26 21:40:06 sudo systemctl disable postfix
 1135  2024-10-26 21:40:11 sudo systemctl stop mariadb
 1136  2024-10-26 21:40:15 sudo systemctl disable mariadb
 1137  2024-10-26 21:40:19 sudo systemctl stop mongod
 1138  2024-10-26 21:40:23 sudo systemctl disable mongod
 1139  2024-10-26 21:40:27 sudo systemctl stop avahi-daemon
 1140  2024-10-26 21:40:33 sudo systemctl disable avahi-daemon
 1141  2024-10-26 21:42:38 sudo systemctl stop avahi-daemon.socket
 1142  2024-10-26 21:42:41 sudo systemctl disable avahi-daemon.socket
 1143  2024-10-26 21:42:44 sudo systemctl mask avahi-daemon
 1144  2024-10-26 21:42:49 sudo systemctl mask avahi-daemon.socket
 1145  2024-10-26 21:42:52 sudo systemctl stop postfix
 1146  2024-10-26 21:42:54 sudo systemctl disable postfix

 1127  2024-10-26 21:38:00 sudo systemctl stop vncserver@1.service
 1128  2024-10-26 21:38:04 sudo systemctl disable vncserver@1.service

 1117  2024-10-26 21:35:56 sudo systemctl status xrdp
 1118  2024-10-26 21:36:00 sudo systemctl stop xrdp
 1119  2024-10-26 21:36:08 sudo systemctl stop ssh
 1120  2024-10-26 21:36:11 sudo systemctl status ssh
 1121  2024-10-26 21:36:15 sudo systemctl disable ssh
 1122  2024-10-26 21:36:22 sudo systemctl disable xrdp
 1123  2024-10-26 21:36:35 sudo systemctl status postgresql

It was like this:

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 443                        ALLOW IN    Anywhere                  
[ 3] 80                         ALLOW IN    Anywhere                  
[ 4] 22                         ALLOW IN    Anywhere                  
[ 5] 80/tcp                     ALLOW IN    Anywhere                  
[ 6] 443/tcp                    ALLOW IN    Anywhere                  
[ 7] 8443/tcp                   ALLOW IN    Anywhere                  
[ 8] 5432                       ALLOW IN    185.153.220.28            
[ 9] 22/tcp (v6)                ALLOW IN    Anywhere (v6)             
[10] 443 (v6)                   ALLOW IN    Anywhere (v6)             
[11] 80 (v6)                    ALLOW IN    Anywhere (v6)             
[12] 22 (v6)                    ALLOW IN    Anywhere (v6)             
[13] 80/tcp (v6)                ALLOW IN    Anywhere (v6)             
[14] 443/tcp (v6)               ALLOW IN    Anywhere (v6)             
[15] 8443/tcp (v6)              ALLOW IN    Anywhere (v6)   

now:

it still says `ufw unknown`


Well: the first output from xrdp is coming from nowhere. I'm not using xrdp; I tried and configured it a few days ago. Suddenly my second monitor and my first monitor went BLACK! And when I reached a tty and came back to tty1, that's what I saw on the tty screen. Let's say it's an rdp misconfiguration, but it was a few days ago. I changed DE and such, but it's all made me paranoid.

Last edited by jojo06 (2024-10-26 21:13:46)


#2 2024-10-26 19:10:36

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,330

Re: [SOLVED] Search of ssh connections

I'm not sure what we're supposed to see in that excerpt of a journal, but are you really saying you posted your server's ssh credentials publicly? If that's the case, who cares what's in the journal, assume the entire system has been compromised and start from scratch ... and don't post your passwords to your server in public, let alone in the content it serves!

Last edited by Trilby (2024-10-26 19:11:04)


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman


#3 2024-10-26 19:21:20

jojo06
Member
Registered: 2023-11-04
Posts: 253

Re: [SOLVED] Search of ssh connections

Yeah it was a big mistake, I did not think of that. And hosting providers' default config settings shouldn't allow that by default. It's not a route or such; they add the rule though. Really strange. It's a dev project yet and it has been 1 week. Nobody knows though. It's the same folder for maintenance; it was synced with the git repo.

# Apache 2.2-style access control; on Apache 2.4 these directives need mod_access_compat
# (the 2.4-native form is "Require all denied"), and in a .htaccess they only take effect
# if AllowOverride permits it. The pattern matches ".env" but not ".env.local" or similar.
<FilesMatch "\.(env|htaccess)$">
  Order Allow,Deny
  Deny from all
</FilesMatch>

How come it's accessible though? Everybody uses .env for API; it's secure and professional, I have rules for it too.

All passwords changed, including PC and server. How can I look up where that RDP connection came from? And also who last connected to the server? It's Alma Linux.

Edit: After launching a lot of commands, nothing appears.

Last edited by jojo06 (2024-10-26 21:14:25)

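To answer the "where did the connection come from / who last connected" question from the defender's side, here is an added example (my code, not from the thread or from any of the posters) that parses journalctl short-format lines for sshd logins and sudo commands, then lists accepted logins after a cutoff that came from IPs you do not recognise. The sample lines are constructed; the `known_ips` set and the `since` cutoff are assumptions you supply.

```python
import re
from datetime import datetime

# Constructed sample journal lines (not from the thread). The sshd lines use the
# standard OpenSSH "Accepted"/"Failed" wording; the sudo lines mirror the thread's.
SAMPLE_JOURNAL = """\
Oct 26 20:58:01 roses sshd[3111]: Accepted password for guns from 198.51.100.7 port 51544 ssh2
Oct 26 20:58:09 roses sudo[3120]:     guns : TTY=pts/2 ; PWD=/home/guns ; USER=root ; COMMAND=/usr/sbin/useradd -m support
Oct 26 21:02:14 roses sshd[3140]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Oct 26 21:02:16 roses sshd[3140]: Failed password for root from 203.0.113.9 port 40022 ssh2
Oct 26 21:05:30 roses sshd[3152]: Accepted publickey for guns from 192.0.2.10 port 50001 ssh2: ED25519 SHA256:abc
Oct 26 21:36:00 roses sudo[7698]:     guns : TTY=pts/1 ; PWD=/home/guns ; USER=root ; COMMAND=/usr/bin/systemctl stop xrdp
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
SSH_RE = re.compile(TS + r" \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
                    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)")
SUDO_RE = re.compile(TS + r" \S+ sudo\[\d+\]:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")

def _when(ts, year):
    # journalctl's short format omits the year, so the caller supplies it
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def parse_journal(text, year=2024):
    """Return (logins, sudo_cmds): ssh login events and sudo commands, in log order."""
    logins, sudo_cmds = [], []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            logins.append({"time": _when(m["ts"], year), "result": m["result"],
                           "method": m["method"], "user": m["user"], "ip": m["ip"]})
            continue
        m = SUDO_RE.match(line)
        if m:
            sudo_cmds.append({"time": _when(m["ts"], year), "user": m["user"], "cmd": m["cmd"]})
    return logins, sudo_cmds

def report(text, known_ips, since, year=2024):
    """Accepted logins at/after `since` ("Oct 26 20:00:00") from unknown IPs, failed count, sudo cmds."""
    cutoff = _when(since, year)
    logins, sudo_cmds = parse_journal(text, year)
    unknown = {}
    for ev in logins:
        if ev["result"] == "Accepted" and ev["time"] >= cutoff and ev["ip"] not in known_ips:
            unknown.setdefault(ev["ip"], []).append((ev["time"].isoformat(), ev["user"], ev["method"]))
    return {"unknown_sources": unknown,
            "failed_attempts": sum(e["result"] == "Failed" for e in logins),
            "sudo_after": [c["cmd"] for c in sudo_cmds if c["time"] >= cutoff]}
```

On the real host, feed it the output of `journalctl -u sshd --since "Oct 26 21:15:00"` (the unit is `sshd` on AlmaLinux, `ssh` on Debian/Ubuntu). `last -F` and `lastb` cover the wtmp/btmp side, which this parser does not read.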
