help analyzing an attack
Dave Cramer
davec-zxk95TxsVYDyHADnj0MGvQC/G2K4zDHf at public.gmane.org
Wed Apr 18 03:34:06 UTC 2007
Someone managed to get into one of my machines. I caught it fairly
early. However, I still don't know how he got root.
Here's how he hid his files:
cd /dev/shm
mkdir " "
cd " "
Here are the logs from secure:
Apr 17 17:34:58 fileserver sshd[15258]: Accepted password for alex
from ::ffff:86.126.15.187 port 1088 ssh2
Apr 17 17:35:18 fileserver userhelper[15290]: pam_timestamp: updated
timestamp file `/var/run/sudo/root/unknown'
Apr 17 17:35:18 fileserver userhelper[15291]: running '/usr/share/
system-config-samba/system-config-samba.py' with root privileges on
behalf of 'root'
Apr 17 17:36:42 fileserver userhelper[15301]: pam_timestamp: updated
timestamp file `/var/run/sudo/root/unknown'
Apr 17 17:36:42 fileserver userhelper[15302]: running '/usr/share/
system-config-users/system-config-users' with root privileges on
behalf of 'root'
Apr 17 17:37:15 fileserver userhelper[15307]: pam_timestamp: updated
timestamp file `/var/run/sudo/root/unknown'
Apr 17 17:37:15 fileserver userhelper[15308]: running '/usr/share/
system-config-samba/system-config-samba.py' with root privileges on
behalf of 'root'
Apr 17 17:37:30 fileserver userhelper[15311]: pam_timestamp: updated
timestamp file `/var/run/sudo/root/unknown'
Apr 17 17:37:30 fileserver userhelper[15312]: running '/usr/share/
system-config-users/system-config-users' with root privileges on
behalf of 'root'
Apr 17 17:43:30 fileserver sshd[15336]: pam_succeed_if: requirement
"uid < 100" not met by user "alex"
Apr 17 17:43:30 fileserver sshd[15336]: Accepted password for alex
from ::ffff:86.126.15.187 port 1169 ssh2
Any suggestions?
I'm checking for rootkits now.
Dave
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
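The sequence in the quoted secure log (a password login from an outside address, followed within minutes by userhelper launching system-config tools "with root privileges") is the kind of pattern a log monitor can flag. The script below is an added example, not part of the original post or any TLUG code: it parses lines in that RHEL-era /var/log/secure format, unwraps the IPv4-mapped IPv6 address form (::ffff:a.b.c.d) that sshd logged, and correlates each accepted login with root-privileged userhelper runs in a following time window. The sample input is the post's own log lines rejoined onto single lines (the list wrapped them at 80 columns); the year 2007 and the 15-minute window are assumptions.

```python
"""Correlate /var/log/secure entries: an interactive login from an outside
address followed shortly by userhelper running tools with root privileges.
Added example; regexes target the syslog/sshd/userhelper format quoted in the post.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Sample input: the post's own lines, rejoined (the mailing list wrapped them).
SAMPLE_SECURE_LOG = """\
Apr 17 17:34:58 fileserver sshd[15258]: Accepted password for alex from ::ffff:86.126.15.187 port 1088 ssh2
Apr 17 17:35:18 fileserver userhelper[15290]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'
Apr 17 17:35:18 fileserver userhelper[15291]: running '/usr/share/system-config-samba/system-config-samba.py' with root privileges on behalf of 'root'
Apr 17 17:36:42 fileserver userhelper[15302]: running '/usr/share/system-config-users/system-config-users' with root privileges on behalf of 'root'
Apr 17 17:37:15 fileserver userhelper[15308]: running '/usr/share/system-config-samba/system-config-samba.py' with root privileges on behalf of 'root'
Apr 17 17:37:30 fileserver userhelper[15311]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'
Apr 17 17:37:30 fileserver userhelper[15312]: running '/usr/share/system-config-users/system-config-users' with root privileges on behalf of 'root'
Apr 17 17:43:30 fileserver sshd[15336]: pam_succeed_if: requirement "uid < 100" not met by user "alex"
Apr 17 17:43:30 fileserver sshd[15336]: Accepted password for alex from ::ffff:86.126.15.187 port 1169 ssh2
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
LOGIN_RE = re.compile(
    TS + r" (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+)"
         r" from (?P<addr>\S+) port \d+")
ROOT_RUN_RE = re.compile(
    TS + r" (?P<host>\S+) userhelper\[\d+\]: running '(?P<cmd>[^']+)'"
         r" with root privileges on behalf of '(?P<on_behalf>[^']+)'")


def parse_ts(text, year=2007):
    """Syslog stamps carry no year; 2007 is assumed from the post's date."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def normalize_addr(addr_text):
    """Return an address object, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(addr_text)
    mapped = getattr(addr, "ipv4_mapped", None)  # None for plain IPv4 / native IPv6
    return mapped if mapped is not None else addr


def is_external(addr_text):
    """True when the login source is not a private, loopback or link-local address."""
    addr = normalize_addr(addr_text)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def correlate(log_text, window=timedelta(minutes=15)):
    """Return one finding per accepted login, listing the root-privileged
    userhelper runs that occurred within `window` after it (assumed window)."""
    logins, root_runs = [], []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins.append({"ts": parse_ts(m["ts"]), "user": m["user"],
                           "method": m["method"],
                           "addr": str(normalize_addr(m["addr"])),
                           "external": is_external(m["addr"])})
            continue
        m = ROOT_RUN_RE.match(line)
        if m:
            root_runs.append({"ts": parse_ts(m["ts"]), "cmd": m["cmd"],
                              "on_behalf": m["on_behalf"]})
        # pam_timestamp / pam_succeed_if lines are context only and fall through

    findings = []
    for login in logins:
        runs = [r for r in root_runs if login["ts"] <= r["ts"] <= login["ts"] + window]
        reasons = []
        if login["external"]:
            reasons.append("login from non-private address")
        if login["method"] == "password":
            reasons.append("password (not key) authentication")
        if runs:
            reasons.append(f"{len(runs)} root-privileged userhelper run(s) within {window}")
        if reasons:
            findings.append({**login, "root_runs": runs, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_SECURE_LOG):
        print(f"{f['ts']} {f['user']}@{f['addr']}: {'; '.join(f['reasons'])}")
        for r in f["root_runs"]:
            print(f"    {r['ts'].time()} {r['cmd']} (on behalf of {r['on_behalf']})")
```

On the post's lines this reports the 17:34:58 login for alex from 86.126.15.187 with four root-privileged userhelper runs in the following window, and the 17:43:30 login with none. The attribution of userhelper events to a session is time-based only: these log lines carry no tty or session id, so a run shortly after a login is correlated, not proven to belong to it. The pam_timestamp lines are worth reading alongside: they show the root timestamp file being refreshed each time, which is what let the GUI tools run without re-prompting.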