VMware Cloud Community
chianta
Contributor
Contributor
Jump to solution

Strange access on ESXi

Hello guys,

Last friday night I have seen strange access on my ESXi server. On events I have found that someone logged on it with user DCUI and change a lot of rules on firewall. In attachment there is a file with log of that night. Could you help me?

Thanks

Reply
0 Kudos
1 Solution

Accepted Solutions
Jitu211003
Hot Shot
Hot Shot
Jump to solution

Hi,

As per logs, it shows that someone logged in ESXi host via putty with root user then hit the command dcui.

Then he or she restarted the host refer the below two line.

User dcui@127.0.0.1 logged in as VMware-client/5.1.0info13/05/2017 05:15:02dcui
User root@127.0.0.1 logged in asinfo13/05/2017 05:13:11

root

Adding/enabling firewall rules logs are generated with user name when any specific user make any changes or without user name when esxi host reboots and come up online.

It refresh the firewall rules itself during the boot. So no worry about the logs. Just find out who rebooted and what was the reason.

Thanks,

Hope, it sorted out your query. Do not forget to mark it.

View solution in original post

Reply
0 Kudos
4 Replies
Sreejesh_D
Virtuoso
Virtuoso
Jump to solution

hi,

the best place to look at for authentication events are in auth.log.

/var/log/auth.log

Reply
0 Kudos
Jitu211003
Hot Shot
Hot Shot
Jump to solution

Hi,

As per logs, it shows that someone logged in ESXi host via putty with root user then hit the command dcui.

Then he or she restarted the host refer the below two line.

User dcui@127.0.0.1 logged in as VMware-client/5.1.0info13/05/2017 05:15:02dcui
User root@127.0.0.1 logged in asinfo13/05/2017 05:13:11

root

Adding/enabling firewall rules logs are generated with user name when any specific user make any changes or without user name when esxi host reboots and come up online.

It refresh the firewall rules itself during the boot. So no worry about the logs. Just find out who rebooted and what was the reason.

Thanks,

Hope, it sorted out your query. Do not forget to mark it.

Reply
0 Kudos
chianta
Contributor
Contributor
Jump to solution

Thank you so much!

I have tried to find old logs but they have been deleted! Nobody have access on server, what do you think I have to do?

Thanks

Reply
0 Kudos
Jitu211003
Hot Shot
Hot Shot
Jump to solution

From the date and time stamp, you can find out who would be there to login. It is sure, someone logged in using root and taken dcui and rebooted the host.

Reply
0 Kudos