My Logfiles have inconsistent times and dates!

ille.pugil42 · 03-14-2007, 11:54 AM

So, at first I thought the box was comprimised, but nothing has been changed. Looking at the logs I found the following:

Code:

Mar 13 19:02:46 mail2 sshd[1942]: Accepted publickey for root from XXX.XXX.XXX.XXX port 48404 ssh2
Mar 13 17:09:36 mail2 sshd[3519]: Accepted password for root from XXX.XXX.XXX.XXX port 61894 ssh2
Mar 14 00:09:36 mail2 sshd[3520]: Accepted password for root from XXX.XXX.XXX.XXX port 61894 ssh2
Mar 14 00:10:45 mail2 sshd[3554]: Accepted password for root from XXX.XXX.XXX.XXX port 54004 ssh2
Mar 13 17:10:45 mail2 sshd[3553]: Accepted password for root from XXX.XXX.XXX.XXX port 54004 ssh2

Having that many SSH's isn't abnormal, and the IP's are all internal and completely valid, but why does it go back and forth from Mar 13 to 14 and back? Its only on this system. I checked the time, date and DST settings, they're all nominal. The systems that we're logging in from remotely are also ok.

As I said prior, this caused me to think we'd been compromised, but I can't find any changes, rootkits, extra users, etc. Any ideas?

b0uncer · 03-14-2007, 12:00 PM

For a start I would make the wise thing: configure the ssh to prevent any root login attempts. There simply is no use or sane reason to accept root login trough SSH; one can use a regular account to log in and then use su or sudo to do the needed tasks, but it's definitely not wise to let root log in directly.

Can you repeat the date inconsistensy, or has it happened before, or is it just this one time?

ille.pugil42 · 03-14-2007, 12:10 PM

Only since yesterday, so I'm thinking at this point its some sort of anomoly.