
Re: My machine was hacked - possibly via sshd?



Mark Foster wrote:

Malcolm Ferguson wrote:

My machine was cracked on Thursday evening. I'm trying to understand how it happened so that it doesn't go down again.


Sounds to me like you know exactly how it happened - ssh user enumeration won the jackpot.


Thanks: you got me thinking. I see exactly what happened now. A dictionary attack via ssh found user 'steve' with a weak password. The auth.log shows this user login and su to root. Perhaps a local exploit?

Summary:
Mar 25 02:42:48 erin-and-malc sshd[26185]: Accepted password for steve from 193.170.65.146 port 27310 ssh2
Mar 25 02:42:48 erin-and-malc PAM_unix[26197]: (ssh) session opened for user steve by (uid=1008)
Mar 25 02:44:03 erin-and-malc newgrp[26309]: user `steve' switched to group `steve'
Mar 25 02:44:52 erin-and-malc PAM_unix[25314]: (ssh) session closed for user steve
Mar 25 02:44:52 erin-and-malc sshd[25314]: PAM pam_putenv: delete non-existent entry; MAIL
Mar 25 02:46:52 erin-and-malc su[26394]: + pts/1 root-root
Mar 25 02:46:52 erin-and-malc PAM_unix[26394]: (su) session opened for user root by steve(uid=0)
Mar 25 02:47:42 erin-and-malc PAM_unix[26416]: Password for steve was changed
Mar 25 02:52:31 erin-and-malc su[26534]: + ttyp0 root-steve
Mar 25 02:52:31 erin-and-malc PAM_unix[26534]: (su) session opened for user steve by (uid=0)
Mar 25 02:52:43 erin-and-malc PAM_unix[26197]: (ssh) session closed for user steve
Mar 25 02:52:43 erin-and-malc sshd[26197]: PAM pam_putenv: delete non-existent entry; MAIL
etc..
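A small detector for the sequence described in the message above, added here as an example and not part of the thread: it reads auth.log records, correlates an sshd "Accepted password" for an account with a later "(su) session opened for user root" by that same account inside a short window, and notes whether the account's password was changed afterwards. The sample records are the ones quoted in the post; the regexes, the 10-minute window and the function names are my assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the auth.log excerpt quoted in the thread, one record per line.
AUTH_LOG = """\
Mar 25 02:42:48 erin-and-malc sshd[26185]: Accepted password for steve from 193.170.65.146 port 27310 ssh2
Mar 25 02:42:48 erin-and-malc PAM_unix[26197]: (ssh) session opened for user steve by (uid=1008)
Mar 25 02:44:03 erin-and-malc newgrp[26309]: user `steve' switched to group `steve'
Mar 25 02:46:52 erin-and-malc su[26394]: + pts/1 root-root
Mar 25 02:46:52 erin-and-malc PAM_unix[26394]: (su) session opened for user root by steve(uid=0)
Mar 25 02:47:42 erin-and-malc PAM_unix[26416]: Password for steve was changed
"""

TS = r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "   # syslog timestamp + hostname
ACCEPTED = re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")
SU_ROOT = re.compile(TS + r"PAM_unix\[\d+\]: \(su\) session opened for user root by (\S+)\(uid=\d+\)")
PASSWD_CHANGED = re.compile(TS + r"PAM_unix\[\d+\]: Password for (\S+) was changed")


def parse_ts(ts):
    # Year-less syslog stamp; collapse the padded day ("Mar  5") before parsing.
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def find_login_to_root(log_text, window_minutes=10):
    """Return one alert per remote ssh login that is followed by su to root
    by the same account within window_minutes."""
    logins, alerts = {}, []
    for line in log_text.splitlines():
        if m := ACCEPTED.match(line):
            ts, user, src = m.groups()
            logins[user] = (parse_ts(ts), src)
        elif m := SU_ROOT.match(line):
            ts, user = m.groups()
            if user in logins:
                login_ts, src = logins[user]
                delta = (parse_ts(ts) - login_ts).total_seconds()
                if 0 <= delta <= window_minutes * 60:
                    alerts.append({"user": user, "src": src, "seconds_to_root": int(delta),
                                   "password_changed": False})
        elif m := PASSWD_CHANGED.match(line):
            _, user = m.groups()
            for a in alerts:            # a post-escalation password change on the same account
                if a["user"] == user:
                    a["password_changed"] = True
    return alerts


if __name__ == "__main__":
    for a in find_login_to_root(AUTH_LOG):
        print(f"ALERT: {a['user']} from {a['src']} reached root after {a['seconds_to_root']}s;"
              f" password changed={a['password_changed']}")
```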




