On 3/2/21 1:21 PM, James Knott wrote:
On 2021-03-02 1:55 p.m., Per Jessen wrote:
James Knott wrote:
>>>> James: have you tried running rkhunter on the infected host? It can be loaded via YaST if necessary.
>>> Done that.
>> and it found nothing?
> I found several warnings. I'm checking them now.
>> Hopefully you have off-line backups. If I were you, after trying to determine how this happened, I'd slick the disk and reinstall everything from scratch.
> I was already thinking about that. Any chance 15.3 will be available soon?
>>> btw, the shadow password file was changed at the same time as that .dhcpd file was created. Since there were only 3 login passwords in it and I know 2 of them still work, I assume the test account password was changed. I changed the password and set the account to not allow login. My next step is to remove the test user entirely.
>> sometimes just grepping for 'ssh' in /var/log/messages will show you a login from an unknown IP address.
> That appears to be the way they got in. I just realized I had ssh opened in my firewall for testing recently and forgot to close it. I have changed the password and disabled login for that account. I will be removing the account entirely.
> It came from 61.177.173.3, which is in China.
Would have never gotten it... iptables is your friend:

-A INPUT -s 61.0.0.0/8 -j DROP

-- 
David C. Rankin, J.D., P.E.
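The "grep for ssh in /var/log/messages" step from the thread, written out as a small script. This is an added example and not something anyone in the thread posted: the log lines are constructed to look like rsyslog-format sshd entries (the only address taken from the thread is 61.177.173.3; the rest are documentation/private ranges), and the ALLOWED list of hosts you expect logins from is an assumption. It pulls out every successful login whose source is not on that list, and counts failed password attempts per source IP, which is usually where the brute-forcing shows up before the one "Accepted" line.

```shell
#!/bin/sh
# Constructed sample of sshd lines as rsyslog writes them to /var/log/messages.
# Made up for this example; only 61.177.173.3 comes from the thread.
SAMPLE_LOG='Mar  1 02:11:07 host sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar  1 02:11:09 host sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar  1 02:14:33 host sshd[4130]: Accepted password for test from 61.177.173.3 port 40022 ssh2
Mar  1 07:02:41 host sshd[4188]: Accepted publickey for james from 192.168.1.20 port 55012 ssh2
Mar  1 07:30:02 host cron[4200]: (root) CMD (run-parts /etc/cron.hourly)
Mar  1 09:15:55 host sshd[4301]: Failed password for root from 203.0.113.9 port 33010 ssh2'

# Addresses you expect to log in from (assumed for the example; edit for your LAN).
ALLOWED='192.168.1.20 192.168.1.21'

# Return 0 if $1 is in ALLOWED, 1 otherwise.
is_allowed() {
    for a in $ALLOWED; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# Print "user ip" for every successful login whose source is not allowlisted.
unexpected_logins() {
    printf '%s\n' "$SAMPLE_LOG" |
    sed -n 's/.*sshd\[[0-9]*\]: Accepted [a-z]* for \([^ ]*\) from \([0-9.]*\) port.*/\1 \2/p' |
    while read -r user ip; do
        is_allowed "$ip" || printf '%s %s\n' "$user" "$ip"
    done
}

# Print "ip count" for failed password attempts, most frequent source first.
failed_by_ip() {
    printf '%s\n' "$SAMPLE_LOG" |
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port.*/\1/p' |
    sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

echo "Successful logins from unexpected addresses:"
unexpected_logins
echo "Failed password attempts by source:"
failed_by_ip
```

On a real host replace the SAMPLE_LOG heredoc with `grep sshd /var/log/messages` (or `journalctl -u sshd` where the journal is the primary log), and keep in mind that an attacker who already has root can edit /var/log/messages, so check the log on your off-line backups or a remote syslog target too if you have one.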