[Solved] [Possible] Security breach due to my idiocy

Status
Not open for further replies.

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I was going to mention this also. What do you mean all your logs are empty? Are you on an older version of freenas? Correct version save the logs to the pool.
I didn't know where FreeNAS logged to, and when I went to /var there were no logs residing in the root of /var. The only two things I saw under /var that had "log" in them were log@ and log.xxxxx (date). I shut down the server last night and will be able to try what @Robert Trevellyan said in about 10 minutes when it finishes booting.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Does changing the password via passwd actually work? Now that you have things sorted a little bit you should ssh in and change password via passwd then try using that to login to the GUI.
That's a good question lol I didn't even think about that and just naturally assumed it would. If it isn't able to be changed via passwd then that eliminates that problem =]

EDIT
  • Just verified, the passwd command in SSH does not change the password. Thanks for catching that, as I would never have even thought to look at that :)
 
Last edited:

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Looks like you're in good hands here, but for future reference ...

No, but I sent you to the wrong place. Take a look at the contents of /var/log. Mine looks like this:
Code:
[root@poweredge] ~# cd /var/log
[root@poweredge] /var/log# ls
./                           dmesg.today                  nginx-access.log
../                          dmesg.yesterday              nginx-access.log.0.bz2
3ware_raid_alarms.today      lpd-errs                     nginx-error.log
3ware_raid_alarms.yesterday  maillog                      pbid.log
auth.log                     maillog.0.bz2                pf.today
auth.log.0.bz2               maillog.1.bz2                ppp.log
auth.log.1.bz2               maillog.2.bz2                proftpd/
auth.log.2.bz2               maillog.3.bz2                samba4/
auth.log.3.bz2               maillog.4.bz2                security
auth.log.4.bz2               maillog.5.bz2                sssd/
auth.log.5.bz2               maillog.6.bz2                telemetry.json.bz2
auth.log.6.bz2               messages                     ups.log
cron                         messages.0.bz2               userlog
cron.0.bz2                   messages.1.bz2               utx.lastlogin
cron.1.bz2                   messages.2.bz2               utx.log
cron.2.bz2                   messages.3.bz2               wtmp
debug.log                    messages.4.bz2               xferlog
debug.log.0.bz2              mount.today
debug.log.1.bz2              mount.yesterday

You can see the current auth.log and 7 previous versions.
Thanks! =] After checking the auth.log, no logins have occurred from anywhere other than the four IPs I allow to SSH in, so that rules out an intruder.

Do you by chance have any recommendations on how I can go about troubleshooting and tracking down how/when the root password was changed?
 
Last edited:

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I agree.

Just think about this for a minute. If you managed to hack into a box wouldn't you want to keep the password so you could access it later without being detected? Changing the password would immediately alert a user that something was wrong causing them to panic and do something like start a thread on a forum saying their box has been hacked.
I agree; do you by chance have any recommendations on where to start looking to track down how/when the root password was changed?
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Nope
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677

solarisguy

Guru
Joined
Apr 4, 2014
Messages
1,125
log@ in /var/ means that log is a link.

If you do cd /var followed by ls -l you will see where the link goes to.

If you did cd /var/log, then you would not even notice that /var/log resides somewhere else...
 
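One way to carry out both of the checks discussed in this thread from a shell: first find where a symlinked /var/log really lives (what `ls -l /var` reveals), then scan auth.log for sshd "Accepted" logins whose client address is outside the set of addresses allowed to SSH in. This is an added example, not code from the thread or from FreeNAS; the directory layout, addresses, log lines and the allowlist file name are constructed sample data and assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Two helpers:
#  1. resolve_log_dir: print the real directory behind a symlink such as /var/log,
#     so the review happens on the directory that actually holds the logs.
#  2. unexpected_logins: print sshd "Accepted ..." lines from an auth.log whose
#     client address is not in an allowlist (one address per line).
# Everything below (paths, addresses, log lines) is constructed sample data.

# Print the canonical target of $1 if it is a symlink, otherwise $1 itself.
resolve_log_dir() {
    if [ -L "$1" ]; then
        readlink -f "$1"
    else
        printf '%s\n' "$1"
    fi
}

# $1 = auth.log path, $2 = allowlist file. FreeBSD sshd lines look like:
#   ... sshd[1234]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2: ...
# Only successful ("Accepted") logins are considered; failed attempts are ignored.
unexpected_logins() {
    log="$1"
    allow="$2"
    grep 'sshd\[[0-9][0-9]*\]: Accepted ' "$log" | while IFS= read -r line; do
        ip=${line##* from }    # drop everything up to and including " from "
        ip=${ip%% port *}      # drop " port ..." and everything after it
        # -x: whole-line match, -F: literal, so 192.0.2.1 does not match 192.0.2.10
        grep -qxF -- "$ip" "$allow" || printf '%s\n' "$line"
    done
}

# Build a constructed sample tree: var/log is a symlink to a directory on a
# (pretend) dataset, with a small auth.log and a four-address allowlist.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/mnt/syslog/log" "$dir/var"
    ln -s "$dir/mnt/syslog/log" "$dir/var/log"
    cat > "$dir/var/log/auth.log" <<'EOF'
Jan  7 09:12:01 poweredge sshd[1234]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2: RSA SHA256:constructed
Jan  7 09:40:17 poweredge sshd[1301]: Failed password for root from 198.51.100.77 port 40022 ssh2
Jan  7 11:05:44 poweredge sshd[1402]: Accepted password for root from 198.51.100.77 port 40040 ssh2
Jan  7 12:00:00 poweredge sshd[1500]: Accepted publickey for admin from 192.0.2.11 port 51300 ssh2: ED25519 SHA256:constructed
EOF
    printf '%s\n' 192.0.2.10 192.0.2.11 192.0.2.12 192.0.2.13 > "$dir/allowed_ssh_ips.txt"
    printf '%s\n' "$dir"
}

# Stand-alone run: on a real system the arguments would be /var/log and
# /var/log/auth.log plus your own allowlist file.
SAMPLE=$(make_sample)
echo "Real log directory: $(resolve_log_dir "$SAMPLE/var/log")"
echo "Accepted SSH logins from addresses outside the allowlist:"
unexpected_logins "$SAMPLE/var/log/auth.log" "$SAMPLE/allowed_ssh_ips.txt"
```

With the sample data, only the 11:05:44 password login from 198.51.100.77 is reported; the failed attempt from the same address is deliberately not, since the question in the thread is whether anyone actually got in.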

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
log@ in /var/ means that log is a link.

If you do cd /var followed by ls -l you will see where the link goes to.

If you did cd /var/log, then you would not even notice that /var/log resides somewhere else...
I wasn't aware of that, thanks :smile: I'm fairly new to *nix based OSes, so that's extremely helpful to know =]
 