Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)
Hi.
On Thursday 21 July 2005 22:52, Goswin von Brederlow wrote:
> > I don't know which user account got hacked, if this was what has
> > happened.
>
> Did you check the last log? Maybe the attacker didn't remove the
> traces there.
He ran the logclean binary I mentioned, so the content of wtmp is not to be
trusted, I'd say. There's nothing in it for the second break-in, except my
logins after he had been there already. For the first break-in, this is what
last tells me:
karsten pts/3 pd95b7e26.dip0.t Tue Jul 19 10:44 - 11:05 (00:21)
morris pts/2 201.10.20.103 Tue Jul 19 04:17 gone - no logout
morris pts/1 201.10.20.103 Tue Jul 19 04:09 - 11:53 (07:44)
karsten pts/0 pd95b7e26.dip0.t Mon Jul 18 17:04 - 17:08 (00:04)
So that's nothing on the day of the attack, and after those two morris logins,
nothing but myself. And no login on record from which he gained root access
and created the morris user.
> Did you check if any users have their secret ssh key on your system?
They didn't.
Karsten
PS: If it wasn't as bad as it is, this would be really interesting. I like
investigating things... :/
--
This email is ROT26 encrypted, by reading it you are in violation of the
DMCA, and should turn yourself in to the authorities immediately.
(Chris Berry)
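As an added illustration (not part of Karsten's or Goswin's mails, and not a tool either of them used): once wtmp is suspected of having been cleaned, the useful check is to cross-reference the `last` output against another login record that may have survived, such as sshd's "Accepted" lines. The wtmp lines below are the ones quoted above; the sshd log lines, the hostname "box" and the 192.0.2.10 address are constructed samples, and the year is assumed to be 2005 since neither `last` nor syslog prints it.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: the `last` (wtmp) lines quoted in the mail above.
LAST_OUTPUT = """\
karsten pts/3 pd95b7e26.dip0.t Tue Jul 19 10:44 - 11:05 (00:21)
morris pts/2 201.10.20.103 Tue Jul 19 04:17 gone - no logout
morris pts/1 201.10.20.103 Tue Jul 19 04:09 - 11:53 (07:44)
karsten pts/0 pd95b7e26.dip0.t Mon Jul 18 17:04 - 17:08 (00:04)
"""
# Constructed sample sshd log (hypothetical, not from the mail): one accepted
# login that wtmp no longer shows.
AUTH_LOG = """\
Jul 18 17:04:01 box sshd[1201]: Accepted password for karsten from 192.0.2.10 port 4010 ssh2
Jul 19 02:31:44 box sshd[1377]: Accepted password for www-data from 201.10.20.103 port 3300 ssh2
Jul 19 04:09:12 box sshd[1402]: Accepted password for morris from 201.10.20.103 port 3311 ssh2
Jul 19 10:44:05 box sshd[1550]: Accepted password for karsten from 192.0.2.10 port 4100 ssh2
"""
LAST_RE = re.compile(r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+\w{3}\s+"
                     r"(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d)\s+(?P<rest>.*)$")
AUTH_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
                     r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<host>\S+)")

def _stamp(year, mon, day, hms):
    """Build a datetime; `last` and syslog omit the year, so the caller supplies it (assumed 2005)."""
    fmt = "%Y %b %d %H:%M:%S" if hms.count(":") == 2 else "%Y %b %d %H:%M"
    return datetime.strptime(f"{year} {mon} {day} {hms}", fmt)

def parse_last(text, year=2005):
    """Turn `last` output into session dicts; 'closed' is False for 'gone - no logout'."""
    out = []
    for m in filter(None, map(LAST_RE.match, text.splitlines())):
        out.append({"user": m["user"], "tty": m["tty"], "host": m["host"],
                    "login": _stamp(year, m["mon"], m["day"], m["time"]),
                    "closed": m["rest"].startswith("- ")})
    return out

def parse_auth(text, year=2005):
    """Accepted sshd logins as (user, host, datetime)."""
    return [(m["user"], m["host"], _stamp(year, m["mon"], m["day"], m["time"]))
            for m in filter(None, map(AUTH_RE.match, text.splitlines()))]

def unrecorded_logins(last_text, auth_text, slack=timedelta(minutes=2)):
    """sshd-accepted logins with no wtmp session for that user within `slack`:
    the gaps a wtmp cleaner leaves behind when the sshd log survived."""
    sessions = parse_last(last_text)
    return [(u, h, t.strftime("%b %d %H:%M")) for u, h, t in parse_auth(auth_text)
            if not any(s["user"] == u and abs(s["login"] - t) <= slack for s in sessions)]

if __name__ == "__main__":
    for gap in unrecorded_logins(LAST_OUTPUT, AUTH_LOG):
        print("in sshd log but not in wtmp:", gap)
```

The same comparison works against any second record of logins (process accounting, a remote syslog host), and the remote copy is the one worth having, since a local cleaner can touch auth.log as easily as wtmp.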