[PLUG] Got hacked last night - HELP!
Bill Thoen
bthoen at gisnet.com
Mon Oct 4 15:19:02 UTC 2004
Well, lucky me. My RH 8 box got hacked again. That makes Linux just as
insecure as Windows. The only visible damage (so far) was that my home web
page got changed to "un-root crew ownz you."
But what happened? There is nobody who should be creating users named
'luis' or 'dudu', but here's what I have in /var/log/secure.1:
Oct 2 09:37:06 gisnet sshd[467]: Bad protocol version identification
'NICK idz' from 200.146.22.105
Oct 2 09:37:58 gisnet useradd[484]: new user: name=dudu, uid=0, gid=0,
home=/home/dudu, shell=/bin/bash
Oct 2 09:38:41 gisnet sshd[487]: ROOT LOGIN REFUSED FROM 63.164.60.12
Oct 2 09:38:41 gisnet sshd[487]: Failed password for dudu from
63.164.60.12 port 43195
Oct 2 09:38:41 gisnet sshd[487]: fatal: monitor_read: unsupported
request: 24
Oct 2 09:38:49 gisnet useradd[492]: new group: name=luis, gid=504
Oct 2 09:38:49 gisnet useradd[492]: new user: name=luis, uid=504,
gid=504, home=/home/luis, shell=/bin/bash
Oct 2 09:38:56 gisnet sshd[494]: Accepted password for luis from
63.164.60.12 port 43518
Oct 2 09:41:08 gisnet sshd[496]: Disconnecting: Command terminated on
signal 9.
Oct 2 09:41:31 gisnet userdel[1180]: delete user `luis'
Oct 2 09:41:31 gisnet userdel[1180]: remove group `luis'
Oct 2 09:41:33 gisnet userdel[1181]: delete user `dudu'
Oct 2 09:47:00 gisnet useradd[1204]: new group: name=dudu, gid=504
Oct 2 09:47:00 gisnet useradd[1204]: new user: name=dudu, uid=504,
gid=504, home=/home/dudu, shell=/bin/bash
Oct 2 09:47:40 gisnet sshd[1221]: Accepted password for dudu from
63.164.60.12 port 52405
What else should I check? At the very least how do I keep 63.164.60.12 out
of my SSH system?
- Bill Thoen
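The log excerpt in the post already answers the "what happened" part: `useradd` only runs as root, so whoever created `dudu` with `uid=0` at 09:37:58 had root on the box before any of the SSH logins from 63.164.60.12. The script below is an added example, not something from the original post or from the PLUG list; it pulls the indicators a responder would look for out of a `/var/log/secure` excerpt (accounts created with uid 0, accounts the admin does not recognise, accepted SSH logins and every source address that touched sshd) and emits the `hosts.deny` lines that would keep those addresses out if sshd was built with tcp_wrappers (libwrap) support. The sample log is the excerpt quoted above, embedded inline with the run-together line split back into two entries; `KNOWN_USERS`, the function names and the regular expressions are this example's own assumptions.

```python
import re

# Constructed sample: the /var/log/secure.1 excerpt quoted in the post,
# with the line that was run together ("signal 9.Oct 2 ...") split in two.
SAMPLE_LOG = """\
Oct 2 09:37:06 gisnet sshd[467]: Bad protocol version identification 'NICK idz' from 200.146.22.105
Oct 2 09:37:58 gisnet useradd[484]: new user: name=dudu, uid=0, gid=0, home=/home/dudu, shell=/bin/bash
Oct 2 09:38:41 gisnet sshd[487]: ROOT LOGIN REFUSED FROM 63.164.60.12
Oct 2 09:38:41 gisnet sshd[487]: Failed password for dudu from 63.164.60.12 port 43195
Oct 2 09:38:41 gisnet sshd[487]: fatal: monitor_read: unsupported request: 24
Oct 2 09:38:49 gisnet useradd[492]: new group: name=luis, gid=504
Oct 2 09:38:49 gisnet useradd[492]: new user: name=luis, uid=504, gid=504, home=/home/luis, shell=/bin/bash
Oct 2 09:38:56 gisnet sshd[494]: Accepted password for luis from 63.164.60.12 port 43518
Oct 2 09:41:08 gisnet sshd[496]: Disconnecting: Command terminated on signal 9.
Oct 2 09:41:31 gisnet userdel[1180]: delete user `luis'
Oct 2 09:41:31 gisnet userdel[1180]: remove group `luis'
Oct 2 09:41:33 gisnet userdel[1181]: delete user `dudu'
Oct 2 09:47:00 gisnet useradd[1204]: new group: name=dudu, gid=504
Oct 2 09:47:00 gisnet useradd[1204]: new user: name=dudu, uid=504, gid=504, home=/home/dudu, shell=/bin/bash
Oct 2 09:47:40 gisnet sshd[1221]: Accepted password for dudu from 63.164.60.12 port 52405
"""

# Assumed: the accounts the admin expects to exist on this host.
KNOWN_USERS = {"root", "bthoen"}

# Patterns for the useradd and sshd message formats seen in the excerpt.
NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+), gid=(?P<gid>\d+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
FAILED = re.compile(r"sshd\[\d+\]: Failed \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
ROOT_REFUSED = re.compile(r"ROOT LOGIN REFUSED FROM (?P<ip>[\d.]+)")
BAD_PROTO = re.compile(r"Bad protocol version identification .* from (?P<ip>[\d.]+)")


def analyze(log_text, known_users=KNOWN_USERS):
    """Return the compromise indicators found in a /var/log/secure excerpt."""
    findings = {
        "uid0_accounts": [],        # accounts created with uid 0: a second root
        "unexpected_accounts": [],  # accounts the admin did not create
        "logins": [],               # (user, ip) for each 'Accepted ...' line
        "ssh_source_ips": set(),    # every remote address that talked to sshd
    }
    for line in log_text.splitlines():
        m = NEW_USER.search(line)
        if m:
            name, uid = m.group("name"), int(m.group("uid"))
            if uid == 0 and name != "root":
                findings["uid0_accounts"].append(name)
            if name not in known_users:
                findings["unexpected_accounts"].append(name)
            continue
        m = ACCEPTED.search(line)
        if m:
            findings["logins"].append((m.group("user"), m.group("ip")))
            findings["ssh_source_ips"].add(m.group("ip"))
            continue
        # Refused, failed and non-SSH ("Bad protocol") connections still
        # identify the address that was probing the service.
        for pattern in (FAILED, ROOT_REFUSED, BAD_PROTO):
            m = pattern.search(line)
            if m:
                findings["ssh_source_ips"].add(m.group("ip"))
                break
    return findings


def hosts_deny_lines(ips):
    """tcp_wrappers rules (daemon: client) that refuse sshd to each address."""
    return ["sshd: %s" % ip for ip in sorted(ips)]


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("uid 0 accounts created: ", result["uid0_accounts"])
    print("unexpected accounts:    ", result["unexpected_accounts"])
    print("accepted SSH logins:    ", result["logins"])
    print("addresses for hosts.deny:")
    for rule in hosts_deny_lines(result["ssh_source_ips"]):
        print("  " + rule)
```

Run against the excerpt it reports `dudu` created with uid 0, three account creations that nobody on the host should have made, and password logins as `luis` and `dudu` from 63.164.60.12 within seconds of each account appearing. The `hosts.deny` rules answer the literal question about keeping that address off sshd, but because the uid 0 account was created from a root shell that was already on the box, a rule or firewall entry only shuts one door; the binaries, cron entries and startup scripts cannot be trusted until the system is reinstalled from known-good media and the SSH keys and passwords are replaced.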