On Wednesday 14 May 2003 22:35, Wolfgang Eul wrote:
Hi there!
I have a little problem with our Linux server and I don't know if it's perhaps a security problem.
We run a Samba server with SuSE 7.3.
For the last few days, it has been behaving a little bit strangely:
At first, I wasn't able to log in at the console with the root account. After entering the username root, nothing happens. From remote with ssh, I could log in.
Now, after some days, no root login is possible - even ssh says "access denied".
When I log in as a normal user, I see two files in the root directory of the volume named "devory" and "slamet". I didn't create the files. They have the same date attribute and nearly the same time attribute.
The server itself seems to work without problems.
Is this a security problem, a hard disk problem or what else?

You've been hacked!! Take the machine off the net immediately because someone else owns it, and god only knows what they are doing with it. Similar thing happened to my SuSE 7.3 box last week, and it's now running 8.2. I still don't know how they got in, but I suspect it was via ssh-1 protocol, which for some reason I had not disabled.

--
_____________________________________
John Andersen