System Log Analysis and Events Summary

The log files show repeated failed login attempts to the system from the same IP address over a period of several hours, indicating potential unauthorized access attempts. Numerous connection closed messages are logged by SSH from the same remote address during the preauthentication phase, before valid credentials were supplied. The logs also contain information about system services starting and stopping during this period.

Uploaded by

Evil Hunter

SystemLog

09/20/22 [Link] PM bppa xrdp[31988] [INFO ] VNC: Clipboard (if available) is provided by
chansrv facility

09/20/22 [Link] PM bppa xrdp[31988] [INFO ] connected ok

09/20/22 [Link] PM bppa xrdp-chansrv[118917] [INFO ] Socket 12: AF_UNIX connection received

09/20/22 [Link] PM bppa xrdp[31988] [INFO ] Layout from OldLayout (geom=1364x768 #screens=1) : 1804289383:(1364x768+0+0)

09/20/22 [Link] PM bppa xrdp-sesman ComparingUpdateTracker: 0 pixels in / 0 pixels out

09/20/22 [Link] PM bppa xrdp-sesman ComparingUpdateTracker: (1:-nan ratio)

09/20/22 [Link] PM bppa xrdp[31988] [INFO ] Layout from NewLayout (geom=1360x768 #screens=1) : 1804289383:(1360x768+0+0)

09/20/22 [Link] PM bppa xrdp-sesman VNCSConnST: FramebufferUpdateRequest 1364x768 at 0,0 exceeds framebuffer

09/20/22 [Link] PM bppa xrdp-sesman 1360x768

09/20/22 [Link] PM bppa xrdp-chansrv[118917] [INFO ] sound_process_training: round trip time 100

09/20/22 [Link] PM bppa xrdp-chansrv[118917] [INFO ] Detected remote printer 'PRN4' (not supported)

09/20/22 [Link] PM bppa xrdp-chansrv[118917] [INFO ] Detected remote printer 'PRN8' (not supported)

09/20/22 [Link] PM bppa xrdp-chansrv[118917] [INFO ] Detected remote printer 'PRN7' (not supported)

09/20/22 [Link] PM bppa xrdp-chansrv[118917] [INFO ] Detected remote printer 'PRN6' (not supported)

09/20/22 [Link] PM bppa xrdp-chansrv[118917] [INFO ] Detected remote printer 'PRN5' (not supported)

09/20/22 [Link] PM bppa xrdp-chansrv[118917] [INFO ] Detected remote printer 'PRN3' (not supported)

09/20/22 [Link] PM bppa xrdp-chansrv[118917] [INFO ] Detected remote drive 'D:'

09/20/22 [Link] PM bppa xrdp-chansrv[118917] [INFO ] Detected remote drive 'C:'

09/20/22 [Link] PM bppa xrdp-chansrv[118917] [INFO ] Detected remote smartcard 'SCARD'

09/20/22 [Link] PM bppa dbus[1040] [system] Activating service name='[Link]' (using servicehelper)

09/20/22 [Link] PM bppa dbus[1040] [system] Successfully activated service '[Link]'

09/20/22 [Link] PM bppa setroubleshoot SELinux is preventing /usr/sbin/smbd from read access on the sock_file [Link]. For complete SELinux messages run: sealert -l 88ca1f9f-47fd-4e33-aa3d-7013797c6342

09/20/22 [Link] PM bppa python SELinux is preventing /usr/sbin/smbd from read access on the sock_file [Link].#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that smbd should be allowed read access on the [Link] sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'lpqd' --raw | audit2allow -M my-lpqd#012# semodule -i [Link]#012

09/20/22 [Link] PM bppa journal clutter_actor_iter_next: assertion 'ri->age == ri->root->priv->age' failed

09/20/22 [Link] PM bppa journal Calling [Link] failed: [Link]:[Link]: Method "Inhibit" with signature "susu" on interface "[Link]" doesn't exist

09/20/22 [Link] PM bppa dbus[1040] [system] Activating via systemd: service name='[Link]' unit='[Link]'

09/20/22 [Link] PM bppa systemd Starting Fingerprint Authentication Daemon...

09/20/22 [Link] PM bppa dbus[1040] [system] Successfully activated service '[Link]'

09/20/22 [Link] PM bppa systemd Started Fingerprint Authentication Daemon.

09/20/22 [Link] PM bppa dbus[1040] [system] Activating via systemd: service name='[Link].hostname1' unit='[Link]'

09/20/22 [Link] PM bppa NetworkManager[1189] <info> [1663663623.3850] agent-manager: req[0x55cb9dc3ed50, :1.50/[Link]/1000]: agent registered

09/20/22 [Link] PM bppa systemd Starting Hostname Service...

09/20/22 [Link] PM bppa dbus[1040] [system] Successfully activated service '[Link].hostname1'

09/20/22 [Link] PM bppa systemd Started Hostname Service.

09/20/22 [Link] PM bppa systemd Started Session 2131 of user root.

09/20/22 [Link] PM bppa systemd-logind Removed session 2129.

09/20/22 [Link] PM bppa journal clutter_actor_set_size: assertion 'CLUTTER_IS_ACTOR (self)' failed

09/20/22 [Link] PM bppa journal clutter_actor_show: assertion 'CLUTTER_IS_ACTOR (self)' failed

KernelLog

09/13/22 [Link] AM tg3 0000 8:00.0: irq 74 for MSI/MSI-X

09/13/22 [Link] AM tg3 0000 8:00.0: irq 75 for MSI/MSI-X

09/13/22 [Link] AM IPv6 ADDRCONF(NETDEV_UP): em3: link is not ready

09/13/22 [Link] AM IPv6 ADDRCONF(NETDEV_UP): em4: link is not ready

09/13/22 [Link] AM tg3 0000 8:00.1: irq 76 for MSI/MSI-X

09/13/22 [Link] AM tg3 0000 8:00.1: irq 77 for MSI/MSI-X

09/13/22 [Link] AM tg3 0000 8:00.1: irq 78 for MSI/MSI-X

09/13/22 [Link] AM tg3 0000 8:00.1: irq 79 for MSI/MSI-X

09/13/22 [Link] AM tg3 0000 8:00.1: irq 80 for MSI/MSI-X

09/13/22 [Link] AM IPv6 ADDRCONF(NETDEV_UP): em4: link is not ready

09/13/22 [Link] AM tg3 0000 7:00.0 em1: Link is up at 100 Mbps, full duplex

09/13/22 [Link] AM tg3 0000 7:00.0 em1: Flow control is off for TX and off for RX

09/13/22 [Link] AM tg3 0000 7:00.0 em1: EEE is disabled

09/13/22 [Link] AM IPv6 ADDRCONF(NETDEV_CHANGE): em1: link becomes ready

09/13/22 [Link] AM IPv6 ADDRCONF(NETDEV_UP): em2: link is not ready

09/13/22 [Link] AM IPv6 ADDRCONF(NETDEV_UP): em2: link is not ready

09/13/22 [Link] AM L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and [Link] for details.

09/13/22 [Link] AM tun Universal TUN/TAP device driver, 1.6

09/13/22 [Link] AM tun (C) 1999-2004 Max Krasnyansky <maxk@[Link]>

09/13/22 [Link] AM virbr0 port 1(virbr0-nic) entered blocking state

09/13/22 [Link] AM virbr0 port 1(virbr0-nic) entered disabled state

09/13/22 [Link] AM device virbr0-nic entered promiscuous mode

09/13/22 [Link] AM virbr0 port 1(virbr0-nic) entered blocking state

09/13/22 [Link] AM virbr0 port 1(virbr0-nic) entered listening state

09/13/22 [Link] AM IPv6 ADDRCONF(NETDEV_UP): virbr0: link is not ready

09/13/22 [Link] AM virbr0 port 1(virbr0-nic) entered disabled state

09/13/22 [Link] AM megaraid_sas 0000 5:00.0: invalid short VPD tag 00 at offset 1

09/14/22 [Link] AM TCP lp registered

09/15/22 [Link] PM usb 1-10 new low-speed USB device number 5 using xhci_hcd

09/15/22 [Link] PM usb 1-10 New USB device found, idVendor=17ef, idProduct=602d, bcdDevice= 1.30

09/15/22 [Link] PM usb 1-10 New USB device strings: Mfr=1, Product=2, SerialNumber=0

09/15/22 [Link] PM usb 1-10 Product: Lenovo Black Silk USB Keyboard

09/15/22 [Link] PM usb 1-10 Manufacturer: Lenovo

09/15/22 [Link] PM input Lenovo Lenovo Black Silk USB Keyboard as /devices/pci0000:00/[Link].0/usb1/1-10/1-10:1.0/input/input2

09/15/22 [Link] PM hid-generic 0003 7EF:602D.0001: input,hidraw0: USB HID v1.11 Keyboard [Lenovo Lenovo Black Silk USB Keyboard] on usb-[Link].0-10/input0

09/15/22 [Link] PM input Lenovo Lenovo Black Silk USB Keyboard as /devices/pci0000:00/[Link].0/usb1/1-10/1-10:1.1/input/input3

09/15/22 [Link] PM hid-generic 0003 7EF:602D.0002: input,hidraw1: USB HID v1.11 Device [Lenovo Lenovo Black Silk USB Keyboard] on usb-[Link].0-10/input1

09/17/22 [Link] AM perf interrupt took too long (2521 > 2500), lowering kernel.perf_event_max_sample_rate to 79000

AuthenticationLog

09/20/22 [Link] PM bppa sshd[29233] Connection closed by [Link] port 50140 [preauth]
09/20/22 [Link] PM bppa sshd[29297] Connection closed by [Link] port 50150 [preauth]
09/20/22 [Link] PM bppa sshd[29432] Connection closed by [Link] port 50158 [preauth]
09/20/22 [Link] PM bppa sshd[29492] Connection closed by [Link] port 50162 [preauth]
09/20/22 [Link] PM bppa sshd[29656] Connection closed by [Link] port 50168 [preauth]
09/20/22 [Link] PM bppa sshd[29725] Connection closed by [Link] port 50198 [preauth]
09/20/22 [Link] PM bppa sshd[29834] Connection closed by [Link] port 50210 [preauth]
09/20/22 [Link] PM bppa sshd[29912] Connection closed by [Link] port 50222 [preauth]
09/20/22 [Link] PM bppa sshd[30038] Connection closed by [Link] port 50236 [preauth]
09/20/22 [Link] PM bppa sshd[30112] Connection closed by [Link] port 50246 [preauth]
09/20/22 [Link] PM bppa sshd[30232] Connection closed by [Link] port 50258 [preauth]
09/20/22 [Link] PM bppa sshd[30296] Connection closed by [Link] port 50264 [preauth]
09/20/22 [Link] PM bppa sshd[30447] Connection closed by [Link] port 50302 [preauth]
09/20/22 [Link] PM bppa sshd[30510] Connection closed by [Link] port 50314 [preauth]
09/20/22 [Link] PM bppa sshd[30640] Connection closed by [Link] port 50332 [preauth]
09/20/22 [Link] PM bppa sshd[30744] Connection closed by [Link] port 50374 [preauth]
09/20/22 [Link] PM bppa sshd[30917] Connection closed by [Link] port 50380 [preauth]
09/20/22 [Link] PM bppa sshd[31000] Connection closed by [Link] port 50386 [preauth]
09/20/22 [Link] PM bppa sshd[31100] Connection closed by [Link] port 50394 [preauth]
09/20/22 [Link] PM bppa sshd[31181] Connection closed by [Link] port 50426 [preauth]
09/20/22 [Link] PM bppa sshd[31296] Connection closed by [Link] port 50454 [preauth]
09/20/22 [Link] PM bppa sshd[31357] Connection closed by [Link] port 50462 [preauth]
09/20/22 [Link] PM bppa sshd[31487] Connection closed by [Link] port 50470 [preauth]
09/20/22 [Link] PM bppa sshd[31513] reverse mapping checking getaddrinfo for [Link].[Link] [[Link]] failed - POSSIBLE BREAK-IN ATTEMPT!
09/20/22 [Link] PM bppa sshd[31513] Accepted password for root from [Link] port 1037 ssh2
09/20/22 [Link] PM bppa sshd[31513] pam_unix(sshd:session): session opened for user root by (uid=0)
09/20/22 [Link] PM bppa sshd[31665] Connection closed by [Link] port 50476 [preauth]
09/20/22 [Link] PM bppa gdm-password] gkr-pam: unlocked login keyring
09/20/22 [Link] PM bppa polkitd[1010] Operator of unix-session:1 successfully authenticated as unix-user:bppa_user to gain TEMPORARY authorization for action [Link] for unix-process:3730:5107 [/usr/bin/gnome-shell] (owned by unix-user:bppa_user)
09/20/22 [Link] PM bppa pkexec pam_unix(polkit-1:session): session opened for user root by (uid=1000)
09/20/22 [Link] PM bppa pkexec[31786]bppa_user: Executing command [USER=root] [TTY=unknown] [CWD=/home/bppa_user] [COMMAND=/usr/bin/logview]
09/20/22 [Link] PM bppa sshd[32072] Connection closed by [Link] port 50492 [preauth]
09/20/22 [Link] PM bppa gdm-password] gkr-pam: unlocked login keyring
09/20/22 [Link] PM bppa sshd[32250] Connection closed by [Link] port 50502 [preauth]
09/20/22 [Link] PM bppa sshd[31513] pam_systemd(sshd:session): Failed to release session: Interrupted system call
09/20/22 [Link] PM bppa sshd[31513] pam_unix(sshd:session): session closed for user root
09/20/22 [Link] PM bppa sshd[32384] Connection closed by [Link] port 50514 [preauth]
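An added example, not part of the uploaded document: a Python triage pass over lines in the same shape as the AuthenticationLog above. It counts [preauth] connection closes per source address and escalates an accepted root password login that follows a burst from the same source or that failed the reverse-mapping check. The sample lines, addresses, times and host name are constructed placeholders, since the page masks those fields as [Link].

```python
import re
from collections import Counter

# Constructed sample in the shape of this page's AuthenticationLog entries; the page
# masks addresses and times as [Link], so these use RFC 5737 placeholder addresses,
# made-up times and an invented host name.
SAMPLE_AUTH_LOG = """\
09/20/22 03:10:01 PM bppa sshd[29233] Connection closed by 192.0.2.10 port 50140 [preauth]
09/20/22 03:10:09 PM bppa sshd[29297] Connection closed by 192.0.2.10 port 50150 [preauth]
09/20/22 03:10:17 PM bppa sshd[29432] Connection closed by 192.0.2.10 port 50158 [preauth]
09/20/22 03:10:25 PM bppa sshd[29492] Connection closed by 192.0.2.10 port 50162 [preauth]
09/20/22 03:11:02 PM bppa sshd[29700] Connection closed by 198.51.100.7 port 41000 [preauth]
09/20/22 03:12:40 PM bppa sshd[31513] reverse mapping checking getaddrinfo for probe.example [192.0.2.10] failed - POSSIBLE BREAK-IN ATTEMPT!
09/20/22 03:12:41 PM bppa sshd[31513] Accepted password for root from 192.0.2.10 port 1037 ssh2
09/20/22 03:12:41 PM bppa sshd[31513] pam_unix(sshd:session): session opened for user root by (uid=0)
"""

PREAUTH_CLOSE = re.compile(r"sshd\[\d+\] Connection closed by (\S+) port \d+ \[preauth\]")
REVERSE_DNS = re.compile(r"reverse mapping checking getaddrinfo for \S+ \[(\S+)\] failed")
ACCEPTED = re.compile(r"sshd\[\d+\] Accepted (\w+) for (\S+) from (\S+) port \d+")

def triage_auth_log(text, threshold=3):
    """Return (preauth closes per source, findings as (severity, source, detail)).
    A burst of preauth closes marks a probing host; an accepted password login for
    root from such a host, or from one that failed the reverse-DNS check, is the
    sequence this page's log records and is scored highest."""
    preauth, rdns_failed, findings = Counter(), set(), []
    for line in text.splitlines():
        if m := PREAUTH_CLOSE.search(line):
            preauth[m.group(1)] += 1
        elif m := REVERSE_DNS.search(line):
            rdns_failed.add(m.group(1))
        elif m := ACCEPTED.search(line):
            method, user, src = m.groups()
            flags = []
            if user == "root":
                flags.append("root login")
            if method == "password":
                flags.append("password auth")
            if preauth[src] >= threshold:
                flags.append(f"{preauth[src]} preauth closes before login")
            if src in rdns_failed:
                flags.append("reverse DNS mismatch")
            sev = "high" if len(flags) >= 2 else "medium" if flags else "low"
            findings.append((sev, src, "; ".join(flags) or f"{method} login for {user}"))
    for src, n in preauth.items():  # probing sources are reported even without a login
        if n >= threshold:
            findings.append(("medium", src, f"{n} preauth connection closes"))
    return preauth, findings
```

The threshold is deliberately low for the short sample; on a real host tune it to the normal rate of scanner noise and key it on the source address rather than the sshd PID, which changes for every connection.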