help analyzing an attack
Jamon Camisso
jamon.camisso-H217xnMUJC0sA/PxXw9srA at public.gmane.org
Wed Apr 18 04:24:04 UTC 2007
Dave Cramer wrote:
> Someone managed to get into one of my machines. I caught it fairly
> early. However I still don't know how he got root
>
> Here's how he hid his files
>
> cd /dev/shm
> mkdir " "
> cd " "
>
>
> Here's the logs from secure
>
> Apr 17 17:34:58 fileserver sshd[15258]: Accepted password for alex from
> ::ffff:86.126.15.187 port 1088 ssh2
> Apr 17 17:35:18 fileserver userhelper[15290]: pam_timestamp: updated
> timestamp file `/var/run/sudo/root/unknown'
> Apr 17 17:35:18 fileserver userhelper[15291]: running
> '/usr/share/system-config-samba/system-config-samba.py' with root
> privileges on behalf of 'root'
> Apr 17 17:36:42 fileserver userhelper[15301]: pam_timestamp: updated
> timestamp file `/var/run/sudo/root/unknown'
> Apr 17 17:36:42 fileserver userhelper[15302]: running
> '/usr/share/system-config-users/system-config-users' with root
> privileges on behalf of 'root'
> Apr 17 17:37:15 fileserver userhelper[15307]: pam_timestamp: updated
> timestamp file `/var/run/sudo/root/unknown'
> Apr 17 17:37:15 fileserver userhelper[15308]: running
> '/usr/share/system-config-samba/system-config-samba.py' with root
> privileges on behalf of 'root'
> Apr 17 17:37:30 fileserver userhelper[15311]: pam_timestamp: updated
> timestamp file `/var/run/sudo/root/unknown'
> Apr 17 17:37:30 fileserver userhelper[15312]: running
> '/usr/share/system-config-users/system-config-users' with root
> privileges on behalf of 'root'
> Apr 17 17:43:30 fileserver sshd[15336]: pam_succeed_if: requirement "uid
> < 100" not met by user "alex"
> Apr 17 17:43:30 fileserver sshd[15336]: Accepted password for alex from
> ::ffff:86.126.15.187 port 1169 ssh2
>
> Any suggestions?
>
> I'm checking for root kits now
If it's a compromised root account, you're best off backing up your data
and reinstalling.
Jamon
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
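As an added example, not part of the thread above: a small defender-side script that takes the `/var/log/secure` excerpt Dave quoted and pairs each `userhelper` root escalation with the password login that preceded it, plus a check for the kind of whitespace-named directory used to hide files under `/dev/shm`. The sample log is constructed from the quoted lines (re-joined after the 80-column wrapping); the 2007 year and the 15-minute correlation window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the /var/log/secure excerpt quoted in the thread,
# re-joined onto single lines (the archive wrapped them at 80 columns).
SAMPLE_LOG = """\
Apr 17 17:34:58 fileserver sshd[15258]: Accepted password for alex from ::ffff:86.126.15.187 port 1088 ssh2
Apr 17 17:35:18 fileserver userhelper[15290]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'
Apr 17 17:35:18 fileserver userhelper[15291]: running '/usr/share/system-config-samba/system-config-samba.py' with root privileges on behalf of 'root'
Apr 17 17:36:42 fileserver userhelper[15302]: running '/usr/share/system-config-users/system-config-users' with root privileges on behalf of 'root'
Apr 17 17:43:30 fileserver sshd[15336]: pam_succeed_if: requirement "uid < 100" not met by user "alex"
Apr 17 17:43:30 fileserver sshd[15336]: Accepted password for alex from ::ffff:86.126.15.187 port 1169 ssh2
"""

TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
SSH_RE = re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port (\d+)")
ROOT_RE = re.compile(TS + r"userhelper\[\d+\]: running '([^']+)' with root privileges on behalf of '([^']+)'")

def parse_ts(stamp, year=2007):
    # syslog stamps carry no year; 2007 is assumed from the thread's date
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def correlate(log_text, window_s=900):
    """Pair every userhelper root escalation with the most recent password
    login that preceded it within window_s seconds (assumed: 15 minutes).
    Returns a list of (escalated_path, login_user, login_ip, seconds_after_login)."""
    last_login = None
    findings = []
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            last_login = (parse_ts(m.group(1)), m.group(2), m.group(3))
            continue
        m = ROOT_RE.match(line)
        if m and last_login:
            delay = (parse_ts(m.group(1)) - last_login[0]).total_seconds()
            if 0 <= delay <= window_s:
                findings.append((m.group(2), last_login[1], last_login[2], int(delay)))
    return findings

def odd_dir_names(names):
    """Flag directory names made only of whitespace (like the ' ' directory
    created under /dev/shm) or containing control characters.  Feed it
    os.listdir('/dev/shm') on a live host; here a constructed list is used."""
    return [n for n in names if n.strip() == "" or any(ord(c) < 32 for c in n)]

if __name__ == "__main__":
    for path, user, ip, delay in correlate(SAMPLE_LOG):
        print(f"{path} ran as root {delay}s after '{user}' logged in from {ip}")
    print(odd_dir_names([" ", "pulse-foo", "\x01x"]))
```

On the quoted log, both `system-config-*` runs are attributed to the `alex` login from 86.126.15.187, 20 and 104 seconds after it; the `pam_succeed_if` line is left as-is, since it only records that `alex` is not a system account.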