Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)


On Thursday 21 July 2005 22:52, Goswin von Brederlow wrote:
> > I don't know which user account got hacked, if this was what has
> > happened.
> Did you check the last log? Maybe the attacker didn't remove the
> traces there.

He ran the mentioned logclean binary; the content of wtmp is not to be 
trusted, I'd say. There's nothing in it for the second break-in, except my 
logins after he had been there already. For the first break-in, this is what 
last tells me:
 karsten  pts/3        pd95b7e26.dip0.t Tue Jul 19 10:44 - 11:05  (00:21)
 morris   pts/2                         Tue Jul 19 04:17    gone - no logout
 morris   pts/1                         Tue Jul 19 04:09 - 11:53  (07:44)
 karsten  pts/0        pd95b7e26.dip0.t Mon Jul 18 17:04 - 17:08  (00:04)

So that's nothing on the day of the attack, and after those two morris logins, 
nothing but myself. And no login on record from which he gained root access 
and created the morris user.

> Did you check if any users have their secret ssh key on your system

They didn't.


PS: If it wasn't as bad as it is, this would be really interesting. I like 
investigating things... :/
This email is ROT26 encrypted, by reading it you are in violation of the
DMCA, and should turn yourself in to the authorities immediately.
                                                           (Chris Berry)
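Since the thread above concludes that wtmp cannot be trusted after a log cleaner has been run, here is an added example (not part of the original mail or thread) of what to look for in the raw file instead of relying on the output of last. It parses wtmp record by record and flags three general signs of tampering: zeroed slots in the middle of an append-only log, timestamps that run backwards, and a logout on a pts/ line whose login record is gone. It assumes the 384-byte glibc struct utmp layout of 32-bit x86 Linux (check sizeof(struct utmp) on the target before trusting it), and the sample wtmp bytes are constructed inline; nothing here claims to know what the particular logclean binary on the list member's box actually did.

```python
"""Check a Linux wtmp file for signs of in-place log cleaning.

Assumed layout: glibc struct utmp on x86 Linux, 384 bytes, 32-bit fields.
Other platforms and libcs differ; verify sizeof(struct utmp) first.
"""
import struct
import sys
from collections import namedtuple

# h ut_type, pad, i ut_pid, 32s ut_line, 4s ut_id, 32s ut_user, 256s ut_host,
# h h ut_exit, i ut_session, i tv_sec, i tv_usec, 4i ut_addr_v6, 20x unused
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 on the assumed layout

EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8

Record = namedtuple("Record", "index type pid line user host sec")


def _cstr(raw):
    """Decode a NUL-padded C string field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_wtmp(data):
    """Return a list of Record, one per 384-byte slot.

    A length that is not a whole number of records means the file was
    truncated or hand-edited, which is itself worth noting.
    """
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length %d is not a multiple of %d"
                         % (len(data), UTMP_SIZE))
    records = []
    for i in range(len(data) // UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE])
        records.append(Record(i, f[0], f[1], _cstr(f[2]), _cstr(f[4]),
                              _cstr(f[5]), f[9]))
    return records


def audit_wtmp(data):
    """Return a list of (record_index, reason) for suspicious records."""
    findings = []
    prev_sec = None
    open_lines = set()  # ttys with a USER_PROCESS login not yet closed
    for r in parse_wtmp(data):
        if r.type == EMPTY and r.sec == 0:
            # wtmp is append-only (unlike /var/run/utmp, where empty slots
            # are normal), so an all-zero record means something overwrote
            # a login entry in place instead of deleting it.
            findings.append((r.index, "zeroed record (in-place wipe?)"))
            continue
        if prev_sec is not None and r.sec < prev_sec:
            # Records are appended in time order; a step backwards means
            # the file was rewritten or stitched together.
            findings.append((r.index, "timestamp goes backwards"))
        prev_sec = r.sec
        if r.type == USER_PROCESS:
            open_lines.add(r.line)
        elif r.type == DEAD_PROCESS:
            # Only pseudo-terminals: getty on tty* lines writes DEAD_PROCESS
            # entries without a matching USER_PROCESS, so they are excluded
            # to avoid false positives.
            if r.line.startswith("pts/") and r.line not in open_lines:
                findings.append((r.index,
                                 "logout on %s with no matching login" % r.line))
            open_lines.discard(r.line)
    return findings


def _rec(utype, line, user, host, sec, pid):
    """Build one constructed wtmp record for the sample below."""
    return struct.pack(UTMP_FMT, utype, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, sec, 0,
                       0, 0, 0, 0)


# Constructed sample wtmp (hypothetical data, not the list member's file).
T = 1121746140
SAMPLE_WTMP = b"".join([
    _rec(USER_PROCESS, "pts/0", "karsten", "host.example", T - 40000, 2001),
    _rec(DEAD_PROCESS, "pts/0", "", "", T - 39760, 2001),
    _rec(USER_PROCESS, "pts/1", "morris", "", T, 3001),
    b"\0" * UTMP_SIZE,                                   # slot wiped in place
    _rec(DEAD_PROCESS, "pts/2", "", "", T + 600, 3002),  # login record gone
    _rec(USER_PROCESS, "pts/3", "karsten", "host.example", T + 23700, 4001),
    _rec(DEAD_PROCESS, "pts/3", "", "", T + 23000, 4001),  # earlier than prev
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    for index, reason in audit_wtmp(data):
        print("record %d: %s" % (index, reason))
```

Run it against a copy of /var/log/wtmp taken from the compromised disk (never from the live system, whose tools may already be trojaned). A clean file yields no findings; with the constructed sample it reports the zeroed slot, the orphaned pts/2 logout and the backwards timestamp. Treat hits as leads, not proof, and cross-check them against sources a cleaner is less likely to have touched consistently: lastlog, the sshd lines in auth.log, and remote syslog if there is one.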

