Hi, today in the early morning I had something like an attack on my Linux system here. After the attack, I couldn't log in as root any more. I found out that it was not possible to set a password in the "shadow password system" any more. I can use only the "normal" password mechanism. My log files showed me some hints about the attacker (if there is one):
Sep 15 00:13:29 d64s_pattr imapd[16408]: connect from 134.102.152.136
Sep 15 00:13:29 d64s_pattr imapd[16409]: connect from 134.102.152.136
Sep 15 00:13:34 d64s_pattr imapd[16410]: connect from 134.102.152.136
Sep 15 00:13:38 d64s_pattr imapd[16411]: connect from 134.102.152.136
Sep 15 00:13:39 d64s_pattr imapd[16412]: connect from 134.102.152.136
Sep 15 00:14:59 d64s_pattr imapd[16413]: connect from root@155.207.113.137
Sep 15 00:17:12 d64s_pattr in.telnetd[16417]: connect from 24.95.241.60
Sep 15 00:17:20 d64s_pattr login[16418]: no shadow password for `shizat' on `ttyp1' from `wintersprings-ubr-c4-60.cfl.rr.com'
Sep 15 00:17:23 d64s_pattr su: (to www) shizat on /dev/ttyp1
. . .
Sep 15 06:53:14 d64s_pattr su: (to nobody) root on none
In my warn-file I found the following entry:
Sep 15 00:17:20 d64s_pattr login[16418]: no shadow password for `shizat' on `ttyp1' from `wintersprings-ubr-c4-60.cfl.rr.com'
How is such an attack possible and, more importantly, how can I prevent such an intrusion? I am using SuSE Linux 5.2 with a 2.0.33 kernel.

Thanks for your help in advance,
Gerd
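The log excerpt above contains three signals a defender would want flagged automatically: a burst of imapd connections from one source, a login that succeeded for an account with no shadow entry, and an `su` to a service account seconds after that login. The following script is an added example (not part of Gerd's post or of SuSE's tooling) that parses syslog lines in the format shown and reports those three patterns. The log lines embedded in it are copied from the post; the burst and time-window thresholds (5 connections in 60 s, `su` within 300 s of the login) and the assumption that all lines fall on the same day (syslog records no year) are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog lines quoted from the post above. Syslog stores no year, so we
# assume (for this example) that all lines fall on the same day.
LOG_LINES = """\
Sep 15 00:13:29 d64s_pattr imapd[16408]: connect from 134.102.152.136
Sep 15 00:13:29 d64s_pattr imapd[16409]: connect from 134.102.152.136
Sep 15 00:13:34 d64s_pattr imapd[16410]: connect from 134.102.152.136
Sep 15 00:13:38 d64s_pattr imapd[16411]: connect from 134.102.152.136
Sep 15 00:13:39 d64s_pattr imapd[16412]: connect from 134.102.152.136
Sep 15 00:14:59 d64s_pattr imapd[16413]: connect from root@155.207.113.137
Sep 15 00:17:12 d64s_pattr in.telnetd[16417]: connect from 24.95.241.60
Sep 15 00:17:20 d64s_pattr login[16418]: no shadow password for `shizat' on `ttyp1' from `wintersprings-ubr-c4-60.cfl.rr.com'
Sep 15 00:17:23 d64s_pattr su: (to www) shizat on /dev/ttyp1
Sep 15 06:53:14 d64s_pattr su: (to nobody) root on none
""".splitlines()

# "Mon DD HH:MM:SS host prog[pid]: message" (pid is optional, e.g. for su)
HEADER = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w.]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
CONNECT = re.compile(r"^connect from (?:(?P<ident>\w+)@)?(?P<src>\S+)$")
NOSHADOW = re.compile(
    r"^no shadow password for `(?P<user>[^']+)' on `(?P<tty>[^']+)' from `(?P<src>[^']+)'$"
)
SU = re.compile(r"^\(to (?P<target>\w+)\) (?P<user>\w+) on (?P<tty>\S+)$")


def parse(line):
    """Split one syslog line into its fields; return None if it does not match."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Year-less timestamp; fine for same-day ordering and differences.
    rec["ts"] = datetime.strptime(f"{rec['mon']} {rec['day']} {rec['time']}", "%b %d %H:%M:%S")
    return rec


def analyse(lines, burst_count=5, burst_window=60, su_window=300):
    """Return a list of human-readable findings for the three suspicious patterns."""
    findings = []
    connects = defaultdict(list)   # source address -> [(timestamp, daemon), ...]
    bad_logins = []                # (timestamp, user, tty, source) for shadow-less logins

    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        msg = rec["msg"]

        m = CONNECT.match(msg)
        if m:
            connects[m["src"]].append((rec["ts"], rec["prog"]))
            continue

        m = NOSHADOW.match(msg)
        if m:
            # An account that can authenticate without a shadow entry is a
            # misconfigured or planted account and always deserves a look.
            bad_logins.append((rec["ts"], m["user"], m["tty"], m["src"]))
            findings.append(
                f"login without shadow entry: user '{m['user']}' on {m['tty']} "
                f"from {m['src']} at {rec['time']}"
            )
            continue

        m = SU.match(msg)
        if m:
            # Correlate: the same user switching identity shortly after a shadow-less login.
            for ts, user, tty, src in bad_logins:
                delta = (rec["ts"] - ts).total_seconds()
                if m["user"] == user and 0 <= delta <= su_window:
                    findings.append(
                        f"su to '{m['target']}' by '{user}' {int(delta)}s after "
                        f"shadow-less login from {src}"
                    )

    # Sliding window over each source's connections to spot bursts.
    for src, hits in connects.items():
        hits.sort()
        for i in range(len(hits)):
            j = i
            while j < len(hits) and (hits[j][0] - hits[i][0]).total_seconds() <= burst_window:
                j += 1
            if j - i >= burst_count:
                findings.append(
                    f"connection burst: {j - i} {hits[i][1]} connections from {src} "
                    f"within {burst_window}s"
                )
                break
    return findings


if __name__ == "__main__":
    for finding in analyse(LOG_LINES):
        print(finding)
```

Run against the quoted lines, the script reports the shadow-less `shizat` login, the `su` to `www` three seconds later, and the five imapd connections from 134.102.152.136 within ten seconds; the later `su` from root to `nobody` is not flagged because it is not tied to a suspicious login. The same parser can be pointed at `/var/log/messages` by replacing `LOG_LINES` with the file's lines.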