Is it possible to run partedUtil, fdisk or dd commands via the RabbitMQ API?
I am looking into a case of suspected sabotage and need to know whether this API
https://www.rabbitmq.com/management.html
allows the use of commands like partedUtil, fdisk or dd
Thanks
Can't answer whether it's possible or not.. I'd assume you can make it log in via root or another user and issue those commands..
Is the host still operational that we can check the auth log to see if it logged in at a certain time?
SSH in -> cat /var/log/auth.log
I am checking that right now.
The damage was done in about 5 seconds so I expect that only commands like partedUtil or dd can do such a damage.
See anything in the auth logs?
I do not understand this:
2014-11-27T20:14:30Z sshd[11179896]: Received disconnect from w.x.y.z: 11:
2014-11-27T20:14:30Z sshd[11179896]: pam_unix(system-auth-generic:session): session closed for user root
2014-11-27T20:14:40Z sshd[11179951]: Connection from w.x.y.z port 43291
2014-11-27T20:14:41Z sshd[11179951]: Address w.x.y.z maps to knownhost.somewhere.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
2014-11-27T20:14:41Z sshd[11179951]: Failed password for root from w.x.y.z port 43291 ssh2
2014-11-27T20:14:41Z sshd[11179954]: pam_per_user: create_subrequest_handle(): doing map lookup for user "root"
2014-11-27T20:14:41Z sshd[11179954]: pam_per_user: create_subrequest_handle(): creating new subrequest (user="root", service="system-auth-generic")
2014-11-27T20:14:41Z sshd[11179951]: Accepted keyboard-interactive/pam for root from w.x.y.z port 43291 ssh2
2014-11-27T20:14:41Z sshd[11179951]: pam_per_user: create_subrequest_handle(): doing map lookup for user "root"
2014-11-27T20:14:41Z sshd[11179951]: pam_per_user: create_subrequest_handle(): creating new subrequest (user="root", service="system-auth-generic")
2014-11-27T20:14:41Z sshd[11179951]: pam_unix(system-auth-generic:session): session opened for user root by (uid=0)
2014-11-27T20:14:41Z sshd[11179951]: User 'root' running command 'vim-cmd vmsvc/get.summary 58'
2014-11-27T20:14:43Z sshd[11179951]: User 'root' running command 'vim-cmd vmsvc/get.guest 58'
2014-11-27T20:14:44Z sshd[11179951]: Received disconnect from w.x.y.z: 11:
2014-11-27T20:14:44Z sshd[11179951]: pam_unix(system-auth-generic:session): session closed for user root
2014-11-27T20:15:26Z sshd[11180127]: Connection from w.x.y.z port 43787
2014-11-27T20:15:27Z sshd[11180127]: Address w.x.y.z maps to knownhost.somewhere.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
2014-11-27T20:15:27Z sshd[11180127]: Failed password for root from w.x.y.z port 43787 ssh2
2014-11-27T20:15:27Z sshd[11180130]: pam_per_user: create_subrequest_handle(): doing map lookup for user "root"
2014-11-27T20:15:27Z sshd[11180130]: pam_per_user: create_subrequest_handle(): creating new subrequest (user="root", service="system-auth-generic")
2014-11-27T20:15:27Z sshd[11180127]: Accepted keyboard-interactive/pam for root from w.x.y.z port 43787 ssh2
2014-11-27T20:15:27Z sshd[11180127]: pam_per_user: create_subrequest_handle(): doing map lookup for user "root"
2014-11-27T20:15:27Z sshd[11180127]: pam_per_user: create_subrequest_handle(): creating new subrequest (user="root", service="system-auth-generic")
2014-11-27T20:15:27Z sshd[11180127]: pam_unix(system-auth-generic:session): session opened for user root by (uid=0)
2014-11-27T20:15:28Z sshd[11180127]: User 'root' running command 'vim-cmd vmsvc/get.summary 58'
2014-11-27T20:15:29Z sshd[11180127]: User 'root' running command 'vim-cmd vmsvc/get.guest 58'
2014-11-27T20:15:31Z sshd[11180127]: Received disconnect from w.x.y.z: 11:
2014-11-27T20:15:31Z sshd[11180127]: pam_unix(system-auth-generic:session): session closed for user root
2014-11-27T20:20:20Z sshd[5512189]: Connection from otherhost port 47075
2014-11-27T20:20:21Z sshd[5512189]: Received disconnect from otherhost: 11: Bye Bye
2014-11-27T20:30:29Z sshd[11182883]: Connection from w.x.y.z port 54650
2014-11-27T20:30:30Z sshd[11182883]: Address w.x.y.z maps to knownhost.somewhere.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
2014-11-27T20:30:30Z sshd[11182883]: Failed password for root from w.x.y.z port 54650 ssh2
2014-11-27T20:30:30Z sshd[11182886]: pam_per_user: create_subrequest_handle(): doing map lookup for user "root"
2014-11-27T20:30:30Z sshd[11182886]: pam_per_user: create_subrequest_handle(): creating new subrequest (user="root", service="system-auth-generic")
2014-11-27T20:30:30Z sshd[11182883]: Accepted keyboard-interactive/pam for root from w.x.y.z port 54650 ssh2
2014-11-27T20:30:30Z sshd[11182883]: pam_per_user: create_subrequest_handle(): doing map lookup for user "root"
2014-11-27T20:30:30Z sshd[11182883]: pam_per_user: create_subrequest_handle(): creating new subrequest (user="root", service="system-auth-generic")
2014-11-27T20:30:30Z sshd[11182883]: pam_unix(system-auth-generic:session): session opened for user root by (uid=0)
2014-11-27T20:30:30Z sshd[11182883]: User 'root' running command 'vim-cmd vmsvc/power.suspend 252'
2014-11-27T20:33:56Z sshd[11182883]: Received disconnect from w.x.y.z: 11:
Failed logins follow successful logins in such a fast sequence that I cannot make head or tail of it.
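One way to make a log like this readable, as an added example that is not from anyone in the thread: group the lines by the sshd PID in brackets, because one PID is one client connection. The sample lines are copied from the log quoted above (w.x.y.z is the thread's redacted address); the function names and the session record layout are my own.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the sshd log quoted in the thread.
SAMPLE_LOG = """\
2014-11-27T20:14:41Z sshd[11179951]: Failed password for root from w.x.y.z port 43291 ssh2
2014-11-27T20:14:41Z sshd[11179954]: pam_per_user: create_subrequest_handle(): doing map lookup for user "root"
2014-11-27T20:14:41Z sshd[11179951]: Accepted keyboard-interactive/pam for root from w.x.y.z port 43291 ssh2
2014-11-27T20:14:41Z sshd[11179951]: User 'root' running command 'vim-cmd vmsvc/get.summary 58'
2014-11-27T20:14:44Z sshd[11179951]: Received disconnect from w.x.y.z: 11:
2014-11-27T20:30:30Z sshd[11182883]: Failed password for root from w.x.y.z port 54650 ssh2
2014-11-27T20:30:30Z sshd[11182883]: Accepted keyboard-interactive/pam for root from w.x.y.z port 54650 ssh2
2014-11-27T20:30:30Z sshd[11182883]: User 'root' running command 'vim-cmd vmsvc/power.suspend 252'
2014-11-27T20:33:56Z sshd[11182883]: Received disconnect from w.x.y.z: 11:
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CMD_RE = re.compile(r"User '[^']+' running command '([^']*)'")

def parse_sessions(log_text):
    """Group events by sshd PID: one PID is one connection, so its Failed and Accepted lines belong to one login."""
    sessions = defaultdict(lambda: {"failed": [], "accepted": None, "commands": [], "end": None})
    for line in log_text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        ts, pid, msg = m.group("ts"), m.group("pid"), m.group("msg")
        if msg.startswith("Failed "):            # e.g. "Failed password for root ..."
            sessions[pid]["failed"].append(msg.split()[1])
        elif msg.startswith("Accepted "):        # e.g. "Accepted keyboard-interactive/pam for root ..."
            sessions[pid]["accepted"] = (ts, msg.split()[1])
        elif c := CMD_RE.search(msg):
            sessions[pid]["commands"].append((ts, c.group(1)))
        elif msg.startswith("Received disconnect"):   # code 11 = client closed the connection itself
            sessions[pid]["end"] = ts
    return dict(sessions)  # PIDs that only emitted pam_per_user noise never get an entry

def explain(session):
    """Read one connection the way an analyst would."""
    if session["accepted"] is None:
        return "no login on this connection"
    ts, method = session["accepted"]
    note = "login at %s via %s" % (ts, method)
    if session["failed"] and method.startswith("keyboard-interactive"):
        note += " after the %s method was rejected on the same connection" % session["failed"][0]
    return note + "; ran %d command(s)" % len(session["commands"])

def commands_run(sessions):
    """Every command sshd recorded, in time order, with the PID that ran it."""
    return sorted((ts, pid, cmd) for pid, s in sessions.items() for ts, cmd in s["commands"])
```

Run over the quoted log, the output shows that each "Failed password" shares its PID with the "Accepted keyboard-interactive/pam" line a second later, so each pair is a single connection that authenticated on its second method, and the command timeline puts the power.suspend at 20:30:30Z.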
That looks strange to me as well.. What does the shell log say? cat /var/log/shell.log
It should list the last commands that were issued.
I looked for the shell.log first of all - I even looked for deleted shell.logs, but nothing that would help could be found.
I'm assuming no hostd / vpxa logs as well?