Yup,

On 11-Oct-01 Stefan Suurmeijer wrote:
> Disconnect it from the internet, but don't wipe it until you are sure what happened. I wouldn't even power it down until you have checked it for running daemons etc. Check http://www.cert.org/tech_tips/root_compromise.html for steps to take to find out if you were indeed hacked.
Yeah, I agree with you: first the analysis, then the scratching. But think of this: would this post "Am I hacked???" appear in this list if the sender had skills in forensic/post-mortem system analysis? I guess not.
> Those wtmp entries are indeed strange. Are you logging failed attempts as well (lastb)? If so, do you see strangeness there as well? As for the "connect from root@" etc.: those are not local users, those are the remote users connecting to your system.
>
> Oct 8 10:56:13 main in.ftpd[17131]: connect from root@203.90.83.203 (203.90.83.203)
>
> means the root user of 203.90.83.203 connected to your ftp port. As you obviously don't know this machine, this may have been an attempt to gain illegal access, but from the log entries you provide we can't see if it was successful. Once you've found out exactly what happened, THEN wipe the machine. If you re-install without knowing how (and if) they got in, chances are you will leave the same hole open again and they will just get back on after you've reinstalled.
A post-mortem analysis of a host believed to be cracked is a MUCH, MUCH more complicated process than ANY secure installation of a Linux system could ever be. It takes YEARS for professional analysts before they're able to do their work properly, so personally I would not recommend that to a newbieish-to-security lifeform ;) (NO puns intended!)...

On the other hand, securely installing a Linux box is no trivial task, but a manageable one: install, switch off any unwanted services, install all relevant security patches, firewall it, go online, and keep up to date with the latest vulnerabilities. One finds a helluva lot more info about that than about system analysis, for obvious reasons.

However, the link you provided to CERT's got-root'ed tips really is a good place to start; I have put a more compact version of this topic into the SuSE FAQ at http://www.susesecurity.com/faq ("One of my servers has been cracked open and overtaken by intruders. What now?") as well. Sorry for my rant ;) Happy hunting!
> HTH
> Stefan
Boris Lorenz
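The thread turns on reading tcp_wrappers-style "connect from user@host (ip)" lines such as the in.ftpd entry quoted above, tallying which remote addresses touched which services, and remembering that such a line only proves a TCP connection, not a successful login. The following is an added example, not code from either poster: it parses constructed syslog lines (the quoted in.ftpd line plus a few made-up ones), groups connections per remote address, and flags addresses that hit several services or hammered one. The "user@" part comes from an ident lookup answered by the remote host itself, so the code keeps it but does not trust it. Thresholds (`min_services`, `min_connects`) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# A tcp_wrappers "connect from" line, as logged by in.ftpd, in.telnetd, ...:
#   Oct  8 10:56:13 main in.ftpd[17131]: connect from root@203.90.83.203 (203.90.83.203)
# The optional "user@" prefix is the remote side's ident (RFC 1413) answer and is
# attacker-controlled; the parenthesised address is what the wrapper resolved.
CONNECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<service>[\w.\-]+)\[(?P<pid>\d+)\]: "
    r"(?P<refused>refused )?connect from "
    r"(?:(?P<user>[^@\s]+)@)?(?P<remote>\S+?)"
    r"(?: \((?P<addr>[^)]+)\))?$"
)


@dataclass
class ConnectEvent:
    timestamp: str
    service: str
    remote_user: Optional[str]  # ident-supplied by the remote host: untrusted
    remote_host: str
    remote_addr: str
    refused: bool               # "refused connect from" = blocked by hosts.deny


def parse_connect_lines(lines: Iterable[str]) -> List[ConnectEvent]:
    """Keep only tcp_wrappers connect/refuse lines; ignore everything else."""
    events = []
    for line in lines:
        m = CONNECT_RE.match(line.strip())
        if not m:
            continue
        events.append(ConnectEvent(
            timestamp=m.group("ts"),
            service=m.group("service"),
            remote_user=m.group("user"),
            remote_host=m.group("remote"),
            # fall back to the unresolved name if no "(addr)" was logged
            remote_addr=m.group("addr") or m.group("remote"),
            refused=m.group("refused") is not None,
        ))
    return events


def services_by_remote(events: Iterable[ConnectEvent]) -> Dict[str, Dict[str, int]]:
    """remote address -> {service name -> number of connections}."""
    table: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ev in events:
        table[ev.remote_addr][ev.service] += 1
    return {addr: dict(svcs) for addr, svcs in table.items()}


def suspicious_remotes(events: Iterable[ConnectEvent],
                       min_services: int = 2, min_connects: int = 3) -> List[str]:
    """Addresses that touched several services, or one service repeatedly.

    Either pattern is a scan / brute-force indicator, not proof of compromise:
    whether a login succeeded has to be confirmed in wtmp/lastb and the
    daemon's own logs, as the thread says.
    """
    flagged = []
    for addr, svcs in services_by_remote(events).items():
        if len(svcs) >= min_services or max(svcs.values()) >= min_connects:
            flagged.append(addr)
    return sorted(flagged)


# Constructed sample: line 1 is the entry quoted in the thread, the rest are
# invented to show a multi-service touch, a benign LAN client, a non-wrapper
# line that must be skipped, and a connection refused by hosts.deny.
SAMPLE_LOG = """\
Oct  8 10:56:13 main in.ftpd[17131]: connect from root@203.90.83.203 (203.90.83.203)
Oct  8 10:56:40 main in.ftpd[17140]: connect from root@203.90.83.203 (203.90.83.203)
Oct  8 10:57:02 main in.telnetd[17152]: connect from 203.90.83.203 (203.90.83.203)
Oct  8 11:10:55 main in.ftpd[17201]: connect from alice@192.168.1.20 (192.168.1.20)
Oct  8 11:12:03 main syslogd 1.3-3: restart.
Oct  8 11:30:17 main in.telnetd[17244]: refused connect from 10.9.8.7 (10.9.8.7)
"""


if __name__ == "__main__":
    evs = parse_connect_lines(SAMPLE_LOG.splitlines())
    for addr, svcs in services_by_remote(evs).items():
        print(addr, svcs)
    print("suspicious:", suspicious_remotes(evs))
```

Run against a real /var/log/messages the same way (`parse_connect_lines(open("/var/log/messages"))`); on a SuSE box of that era the wrapper lines land there when in.ftpd/in.telnetd are started from inetd. A flagged address is a lead to chase in `last`/`lastb` and the ftp transfer log, not a verdict.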