Disconnect it from the internet, but don't wipe it until you are sure what happened. I wouldn't even power it down until you have checked it for running daemons etc. Check http://www.cert.org/tech_tips/root_compromise.html for steps to take to find out if you were indeed hacked.

Those wtmp entries are indeed strange. Are you logging failed attempts as well (lastb)? If so, do you see strangeness there as well?

As for the "connect from root@" etc.: those are not local users, those are the remote users connecting to your system.

Oct 8 10:56:13 main in.ftpd[17131]: connect from root@203.90.83.203 (203.90.83.203)

means the root user of 203.90.83.203 connected to your ftp port. As you obviously don't know this machine, this may have been an attempt to gain illegal access, but from the log entries you provide we can't see if it was successful.

Once you've found out exactly what happened, THEN wipe the machine. If you re-install without knowing how (and if) they got in, chances are you will leave the same hole open again and they will just get back on after you've reinstalled.

HTH
Stefan
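The point Stefan makes about "connect from root@..." is easy to get wrong when reading a log in a hurry, so here is an added example (not code from the thread or from SuSE) that parses such lines and summarises them per remote address. It assumes the usual tcp_wrappers log shape "connect from [identuser@]host[ (addr)]", where the name before "@" is whatever the remote host's ident (RFC 1413) service claimed about *its* user; the two in.ftpd lines quoted in the thread are reused as-is, the other sample lines, the trusted prefix "62.98." and all names are constructed for illustration.

```python
"""Summarise tcp_wrappers-style "connect from" lines in /var/log/messages.

Added example, not from the original thread.  Assumes the tcpd log shape
"connect from [identuser@]host[ (addr)]": the name before '@' is what the
remote host's ident (RFC 1413) service claimed about *its* user, so it never
refers to an account on the logging box.  Lines 1-2 of the sample are the two
quoted in the thread; the remaining lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

CONNECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<service>[\w.-]+)\[\d+\]: connect from "
    r"(?:(?P<ident>[^@\s]+)@)?(?P<host>\S+?)(?: \((?P<addr>[\d.]+)\))?$"
)

SAMPLE_MESSAGES = """\
Oct 8 05:10:03 main in.ftpd[16381]: connect from rg@217.128.174.129 (217.128.174.129)
Oct 8 10:56:13 main in.ftpd[17131]: connect from root@203.90.83.203 (203.90.83.203)
Oct 8 11:02:44 main in.ftpd[17140]: connect from 62.98.76.173
Oct 8 11:03:10 main sshd[17160]: connect from praise@62.98.133.24 (62.98.133.24)
Oct 8 11:40:09 main in.ftpd[17181]: connect from root@203.90.83.203 (203.90.83.203)
"""


class Connect(NamedTuple):
    ts: str
    service: str
    ident: Optional[str]   # remote ident claim; None when the remote ran no identd
    addr: str


def parse_connects(text: str) -> List[Connect]:
    """Extract every 'connect from' line; unrelated syslog lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            conns.append(Connect(m["ts"], m["service"], m["ident"],
                                 m["addr"] or m["host"]))
    return conns


def report(conns: List[Connect],
           trusted_prefixes: Tuple[str, ...] = ()) -> Dict[str, dict]:
    """Group connects by remote address and attach flags worth a second look."""
    out: Dict[str, dict] = defaultdict(
        lambda: {"count": 0, "services": set(), "idents": set(), "flags": set()})
    for c in conns:
        e = out[c.addr]
        e["count"] += 1
        e["services"].add(c.service)
        if c.ident:
            e["idents"].add(c.ident)
        if c.ident == "root":
            # unusual for a legitimate client; still only a claim by the remote side
            e["flags"].add("remote claims ident 'root' (a claim, not a login here)")
        if trusted_prefixes and not c.addr.startswith(trusted_prefixes):
            e["flags"].add("address outside trusted networks")
        if e["count"] > 1:
            e["flags"].add("repeated connects")
    return dict(out)


if __name__ == "__main__":
    for addr, e in report(parse_connects(SAMPLE_MESSAGES), ("62.98.",)).items():
        print(addr, e["count"], sorted(e["services"]),
              sorted(e["idents"]), sorted(e["flags"]))
```

A "connect from" line only records that the TCP connection was accepted by the wrapper; whether a login followed has to be checked against the ftp daemon's own log, `last` and `lastb` for the same minute, which is exactly the gap Stefan points out.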
Yup...
On 11-Oct-01 Praise wrote:
When I run the "last" command I find out this output:
dbuffoni pts/0        62.98.75.83      Sun Sep 23 19:03 - 19:08  (00:05)
leofire  ftp          ppp-4-10.27-151. Sun Sep 23 15:45 - 19:45  (04:00)
leofire  ftp          ppp-4-10.27-151. Sun Sep 23 15:44 - 15:44  (00:00)
fraghi   pts/0        151.17.72.243    Sun Sep 23 15:43 - 15:50  (00:06)
pB       ************                  Thu Jan  1 01:00 - 01:00  (00:00)
leofire  pts/0        ppp-4-10.27-151. Sun Sep 23 04:49 - 04:54  (00:04)
fraghi   pts/0        151.17.128.9     Sat Sep 22 15:37 - 15:50  (00:13)
guybrush ftp          flat-p01-m224.ar Sat Sep 22 14:53   still logged in
fraghi   pts/0        151.17.128.9     Sat Sep 22 14:51 - 15:37  (00:45)
dbuffoni ftp          62.98.76.173     Sat Sep 22 12:43 - 12:57  (00:13)
dbuffoni pts/0        62.98.76.173     Sat Sep 22 12:31 - 12:57  (00:25)
5        ************                  Thu Jan  1 01:00 - 01:00  (00:00)
praise   pts/0        62.98.133.24     Sat Sep 22 01:53 - 03:12  (01:19)
leofire  ftp          ppp-227-6.27-151 Sat Sep 22 00:30   still logged in
leofire  ftp          ppp-227-6.27-151 Sat Sep 22 00:30   still logged in
guybrush ftp          flat-p07-m022.ar Sat Sep 22 00:17 - 00:27  (00:10)
Everything is working fine on my system. At least it looks like that. But what do the strange users "pB" and "5" mean? And the dates are not so true.
Hmm... Doesn't look too good. First of all, is this a home system or some kind of production host? Does it reside in a LAN, and if so, how is the LAN connected to the internet? What types of OSs do you run on your boxes (Win, Linux...)?
The "pB" and "5" lastlog entries may point to a partly unsuccessful attempt to fog (hide) the (would-be-)intruder's traces.
The /var/log/messages is regular, except for:
Oct 8 05:10:03 main in.ftpd[16381]: connect from rg@217.128.174.129 (217.128.174.129)
rg is not a user on my system! Just checked.
Oct 8 10:56:13 main in.ftpd[17131]: connect from root@203.90.83.203 (203.90.83.203)
and root can't connect to ftp when I try it. What could these entries mean?
Uhm... "rg" breaks the weak security of your box... rg uploads root kits and logs in... rg (locally) overflows some vulnerable daemons, or setuid apps, or rg installed a sniffer... rg got the root pass... rg installs a root kit... rg installs bots... etc.
That's *not* an analysis of your log entries above, it's just the way it goes quite often. It may be different in your case.
I have brought down my pc and I have checked passwd and log files with the suse rescue system. Everything looks as regular as when I did that with the compromised (?) system.
How did you check it?
My system is a Suse 7.1, the only open ports are the 22 (ssh) and the one with ftp (21). I use in.ftpd (the standard type in inetd.conf). last gives me the same problem with a laptop pc, which is not directly connected to the internet, but it is often in the same network as the other compromised system.
Can anybody tell me that I am not hacked and these are only common bugs???
From the sparse data you provided, it's not easy to tell whether you've been visited by system crackers.
If this is not a production box, take it offline (you did that already - good), save some files you'll need later and *wipe* the box. Install a fresh new Linux and step forth by securing your system. Start from the SuSE Security FAQ ( http://www.susesecurity.com/faq ).
The same goes for other boxes in your net. Probably one of your boxes (Win?!) is inherently insecure and gave way after being hit by CodeRed(II) and relatives.
However, all that are just guesses. It's hard to tell without the proper data.
Praise
Boris Lorenz
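Boris's reading of the "pB" and "5" lines (a partly failed attempt to hide traces) can be checked directly rather than guessed at from `last` output, because `last` only renders the binary wtmp records. The following is an added example, not code from the thread or from SuSE: it parses wtmp with the glibc struct utmp layout (384-byte records, little-endian x86 as on SuSE 7.1, an assumption stated in the code) and flags records a log wiper or editor tends to leave behind. Zeroed timestamps render in `last` as 1 Jan 1970 (01:00 in a UTC+1 zone), which matches the poster's output. The sample records, the account list and all names are constructed for illustration.

```python
"""Scan a Linux wtmp file for records that look wiped or hand-edited.

Added example, not code from the original thread.  Assumes the glibc
struct utmp layout (384-byte little-endian records on x86, as on SuSE 7.1).
The sample records below are constructed, not taken from the poster's box.
"""
import struct
import time
from typing import List, NamedTuple

# struct utmp: type, pad, pid, line[32], id[4], user[32], host[256],
# exit (2 shorts), session, tv_sec, tv_usec, addr_v6[4], 20 unused bytes
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384
EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


class Rec(NamedTuple):
    ut_type: int
    pid: int
    line: str
    user: str
    host: str
    tv_sec: int


def _cstr(b: bytes) -> str:
    """NUL-terminated field to str; non-ASCII bytes stay visible as \\xNN."""
    return b.split(b"\0", 1)[0].decode("ascii", "backslashreplace")


def parse_wtmp(data: bytes) -> List[Rec]:
    """Unpack whole records in file order; a trailing partial record is ignored."""
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append(Rec(f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]))
    return recs


def audit(recs: List[Rec], local_users: set) -> List[str]:
    """Heuristics: wtmp is append-only, so timestamps should neither be zero
    nor go backwards, login never writes all-zero records, and a login record
    should name an account that exists in passwd."""
    findings = []
    last_ts = 0
    for i, r in enumerate(recs):
        where = f"record {i} ({r.user or '-'}/{r.line or '-'})"
        if r.ut_type == EMPTY:
            findings.append(f"{where}: all-zero record (login never writes these, wipers do)")
            continue
        if r.tv_sec == 0:
            findings.append(f"{where}: zero timestamp (last shows it as 1 Jan 1970)")
        elif r.tv_sec < last_ts:
            findings.append(f"{where}: timestamp earlier than the previous record")
        else:
            last_ts = r.tv_sec
        if r.ut_type == USER_PROCESS:
            if not r.user or not r.user.isprintable() or "\\" in r.user:
                findings.append(f"{where}: garbage user name {r.user!r}")
            elif r.user not in local_users:
                findings.append(f"{where}: login for account {r.user!r} not in passwd")
    return findings


def make_record(ut_type, pid, line, user, host, tv_sec) -> bytes:
    """Pack one constructed record (sample data only)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


T0 = 1001116800  # 2001-09-22 00:00 UTC, around the dates in the poster's output
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "", T0),
    make_record(USER_PROCESS, 1201, "pts/0", "praise", "62.98.133.24", T0 + 100),
    make_record(DEAD_PROCESS, 1201, "pts/0", "", "", T0 + 200),
    make_record(USER_PROCESS, 1300, "pts/1", "pB", "", 0),        # zeroed time, odd name
    bytes(UTMP_SIZE),                                             # fully zeroed record
    make_record(USER_PROCESS, 1350, "ftp", "leofire", "ppp-4-10", T0 + 50),  # out of order
    make_record(USER_PROCESS, 1400, "pts/0", "5", "", 0),
])
LOCAL_USERS = {"root", "praise", "leofire", "fraghi", "dbuffoni", "guybrush"}  # constructed


def main(path: str = None) -> None:
    data = open(path, "rb").read() if path else SAMPLE_WTMP
    recs = parse_wtmp(data)
    for r in recs:
        ts = time.strftime("%a %b %d %H:%M", time.localtime(r.tv_sec))
        print(f"{r.ut_type:2d} {r.user:<10} {r.line:<8} {r.host:<16} {ts}")
    for finding in audit(recs, LOCAL_USERS):
        print("SUSPECT", finding)


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it against a copy of /var/log/wtmp taken from the rescue system (`python3 wtmpaudit.py /mnt/var/log/wtmp`), and do the same with btmp if failed logins are recorded. A clean wtmp produces no findings at all; zeroed timestamps, backwards timestamps or all-zero records in the middle of the file are not something login or init produce, so each one deserves an explanation before the box is trusted again.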
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com