Tripwire detects modification of /root/.google_authenticator

bartkob

Hello :)

I have two servers with CentOS 7, DirectAdmin and Tripwire installed on them. Recently I got emails from Tripwire saying that /root/.google_authenticator was modified. Before that I had updated the software with "yum update" and with "./build update_versions" in DA custombuild. I have SSHd with Google Authenticator enabled, but I log in to SSH using private/public keys. Login by password + Google Authenticator is for logging in from outside my office, but I haven't used it recently.

Does anyone have any clue why /root/.google_authenticator was modified? I don't have previous versions of those files to compare them. Should I worry about hackers reaching my servers? What should I check? I've looked into /var/log/secure and there were logs like these:

Apr 29 14:28:28 ns3115177 sshd[26207]: Received disconnect from 72.143.15.82 port 50997:11: Bye Bye [preauth]
Apr 29 14:28:28 ns3115177 sshd[26207]: Disconnected from 72.143.15.82 port 50997 [preauth]

I didn't find any accepted logins other than mine and those between my servers.
 
Hmm, did you solve your issue? Tripwire will detect any file that is changed, no need to worry about it. The IP you posted looks like one of the bot IPs that were trying to brute force using SSH.
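The check described in the question (going through /var/log/secure for accepted logins that are not your own) can be scripted. The following is an added example, not part of the original thread; the function name, the trusted address and every log line after the first two are constructed for illustration.

```python
import re
from collections import Counter

# Sample in /var/log/secure format. The first two lines are from the post;
# the other three are constructed and use documentation IP ranges.
SAMPLE = """\
Apr 29 14:28:28 ns3115177 sshd[26207]: Received disconnect from 72.143.15.82 port 50997:11: Bye Bye [preauth]
Apr 29 14:28:28 ns3115177 sshd[26207]: Disconnected from 72.143.15.82 port 50997 [preauth]
Apr 29 14:30:02 ns3115177 sshd[26311]: Accepted publickey for root from 192.0.2.10 port 40112 ssh2: RSA SHA256:CONSTRUCTED
Apr 29 15:02:41 ns3115177 sshd[27002]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr 29 15:10:09 ns3115177 sshd[27150]: Accepted keyboard-interactive/pam for root from 198.51.100.23 port 60022 ssh2
"""

# "Accepted <method> for <user> from <ip> port <n>" is sshd's success line.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# Connections dropped before authentication finished end in "[preauth]".
PREAUTH = re.compile(
    r"sshd\[\d+\]: .* from (?P<ip>\S+) port \d+.*\[preauth\]$"
)


def review_secure_log(text, trusted_ips):
    """Return (unexpected logins, expected logins, pre-auth noise per IP)."""
    unexpected, expected, noise = [], [], Counter()
    for line in text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            # A successful login: the only kind of line that matters here.
            bucket = expected if m["ip"] in trusted_ips else unexpected
            bucket.append((m["ts"], m["user"], m["method"], m["ip"]))
            continue
        m = PREAUTH.search(line)
        if m:
            noise[m["ip"]] += 1  # scanner / bot traffic, never authenticated
    return unexpected, expected, noise


if __name__ == "__main__":
    # Assumption: 192.0.2.10 stands in for the office / sibling-server address.
    unexpected, expected, noise = review_secure_log(SAMPLE, {"192.0.2.10"})
    for ts, user, method, ip in unexpected:
        print(f"REVIEW: {ts} {user} via {method} from {ip}")
    print("pre-auth disconnects per IP:", dict(noise))
```

On a real host, pass the contents of /var/log/secure (and its rotated copies) together with your own list of trusted addresses; an accepted login by a method other than publickey is worth comparing against the time in the Tripwire report.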
 