help analyzing an attack

Jamon Camisso jamon.camisso-H217xnMUJC0sA/PxXw9srA at public.gmane.org
Wed Apr 18 04:24:04 UTC 2007


Dave Cramer wrote:
> Someone managed to get into one of my machines. I caught it fairly 
> early. However I still don't know how he got root
> 
> Here's how he hid his files
> 
> cd /dev/shm
> mkdir " "
> cd " "
> 
> 
> Here's the logs from secure
> 
> Apr 17 17:34:58 fileserver sshd[15258]: Accepted password for alex from ::ffff:86.126.15.187 port 1088 ssh2
> Apr 17 17:35:18 fileserver userhelper[15290]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'
> Apr 17 17:35:18 fileserver userhelper[15291]: running '/usr/share/system-config-samba/system-config-samba.py' with root privileges on behalf of 'root'
> Apr 17 17:36:42 fileserver userhelper[15301]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'
> Apr 17 17:36:42 fileserver userhelper[15302]: running '/usr/share/system-config-users/system-config-users' with root privileges on behalf of 'root'
> Apr 17 17:37:15 fileserver userhelper[15307]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'
> Apr 17 17:37:15 fileserver userhelper[15308]: running '/usr/share/system-config-samba/system-config-samba.py' with root privileges on behalf of 'root'
> Apr 17 17:37:30 fileserver userhelper[15311]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'
> Apr 17 17:37:30 fileserver userhelper[15312]: running '/usr/share/system-config-users/system-config-users' with root privileges on behalf of 'root'
> Apr 17 17:43:30 fileserver sshd[15336]: pam_succeed_if: requirement "uid < 100" not met by user "alex"
> Apr 17 17:43:30 fileserver sshd[15336]: Accepted password for alex from ::ffff:86.126.15.187 port 1169 ssh2
> 
> Any suggestions?
> 
> I'm checking for rootkits now.

If it's a compromised root account, you're best off backing up your data 
and reinstalling.

Jamon
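A small triage script for the two artifacts the thread turns on: the secure-log lines (an SSH password login for "alex", followed by userhelper launching system-config tools with root privileges) and the whitespace-named hiding directory under /dev/shm. This is an added example written for this page, not code from either poster; the log text is the quoted excerpt re-joined onto single lines, and the directory layout the demo builds is constructed in a temporary directory rather than read from a real /dev/shm.

```python
"""Triage helpers for the compromise discussed in the thread (added example)."""
import os
import re
import shutil
import tempfile
from collections import defaultdict

# Constructed sample: the /var/log/secure lines quoted in the thread,
# re-joined onto single lines (the mail client had wrapped them).
SAMPLE_SECURE_LOG = """\
Apr 17 17:34:58 fileserver sshd[15258]: Accepted password for alex from ::ffff:86.126.15.187 port 1088 ssh2
Apr 17 17:35:18 fileserver userhelper[15290]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'
Apr 17 17:35:18 fileserver userhelper[15291]: running '/usr/share/system-config-samba/system-config-samba.py' with root privileges on behalf of 'root'
Apr 17 17:36:42 fileserver userhelper[15301]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'
Apr 17 17:36:42 fileserver userhelper[15302]: running '/usr/share/system-config-users/system-config-users' with root privileges on behalf of 'root'
Apr 17 17:43:30 fileserver sshd[15336]: pam_succeed_if: requirement "uid < 100" not met by user "alex"
Apr 17 17:43:30 fileserver sshd[15336]: Accepted password for alex from ::ffff:86.126.15.187 port 1169 ssh2
"""

# Syslog-style timestamp, host, then the two message shapes we care about.
SSH_ACCEPT = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Accepted (?P<method>\S+) for "
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
USERHELPER_ROOT = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ userhelper\[\d+\]: running '(?P<prog>[^']+)' "
    r"with root privileges on behalf of '(?P<as>[^']+)'"
)


def summarize_secure_log(text):
    """Return (logins, root_runs).

    logins: {user: [(timestamp, source_ip, auth_method), ...]} for every
            accepted sshd authentication.
    root_runs: [(timestamp, program, on_behalf_of), ...] for every program
            userhelper started with root privileges.
    """
    logins = defaultdict(list)
    root_runs = []
    for line in text.splitlines():
        m = SSH_ACCEPT.match(line)
        if m:
            ip = m.group("ip")
            if ip.startswith("::ffff:"):      # IPv4-mapped IPv6 form in the log
                ip = ip[len("::ffff:"):]
            logins[m.group("user")].append((m.group("ts"), ip, m.group("method")))
            continue
        m = USERHELPER_ROOT.match(line)
        if m:
            root_runs.append((m.group("ts"), m.group("prog"), m.group("as")))
    return dict(logins), root_runs


def find_blank_names(root):
    """Walk `root` and return paths whose last component is made only of
    spaces, tabs and dots (" ", "...", ". ", etc.), the trick used in the
    thread to hide a directory under /dev/shm. ("." and ".." themselves are
    never yielded by os.walk, so they do not show up here.)"""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name.strip(" .\t") == "":
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo_blank_names():
    """Constructed demo: rebuild the hiding layout from the thread in a
    temporary directory and return the suspicious names relative to it."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, " ", "x"))       # mkdir " " from the post
        os.makedirs(os.path.join(root, "normal"))
        open(os.path.join(root, " ", "x", "..."), "w").close()
        return [os.path.relpath(p, root) for p in find_blank_names(root)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    logins, root_runs = summarize_secure_log(SAMPLE_SECURE_LOG)
    for user, events in logins.items():
        print("ssh logins for %s: %s" % (user, events))
    for ts, prog, who in root_runs:
        print("%s userhelper ran %s as root on behalf of %r" % (ts, prog, who))
    print("blank-named entries in demo tree:", demo_blank_names())
    # on a live box you would run find_blank_names("/dev/shm") and similar
```

On a real system you would feed the whole of /var/log/secure to summarize_secure_log and run find_blank_names over /dev/shm, /tmp and /var/tmp; note that, as Jamon says, none of this substitutes for reinstalling once root is known to be compromised, since an intruder with root can also edit the log the script reads.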

--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists