i notice that somebody was on my server, logged with username: bin


in file /etc/passwd, for user bin i have

/etc/shadow:



please advice me what to do!

this is not urgent for the voluntary community here, please do not demand priority attention.

but as for what to do, reinstall your system. only way to ever have full confidence that there is nothing else to worry about. You can use things like rkhunter to check over your files, but in general it's not water tight.

In addition to re-installing, try to learn from this and take steps so that it never happens again. For example, did you have passwords enabled on SSH? If so, turn it off and use keys. Do you have an application like fail2ban installed which will make it exponentially harder for someone to try to gain access? Is the system physically secure? Are you using VNC in an unsecured means, such as without an SSH tunnel?

Aside from what's been said already...did you actually look at the offending address? Is it internal to your company, or external? Is the Linux system behind firewalls, etc., and did you check with your other users to see if anyone had logged in on purpose??

Since it's **URGENT**, try supplying some decent information...things like version/distro of Linux, the environment the box is in, etc. Saying "someone logged in, help!!" doesn't give us much to go on.

Without investigating the (perceived) breach re-installation could expose the same infection vector (if any). So please don't give that advice but point them to the CERT link, isolate the machine if necessary and ask them to wait for more knowledgeable people or our LQ Security incident handlers (Unixfool, Hangdog42, win32sux, me) to take over, TIA.

booyeeka, you've got several LQ members here willing to help you out, but your cooperation is necessary in order for that to happen. What is your current status? We haven't heard from you in days! Ideally, this machine should have been isolated the moment a breach was suspected/detected, with a dedicated firewall configured to allow access only from your administrative IP(s). At that point, going through the CERT/CC Intruder Detection Checklist is usually a good idea. Did you take any such action? What other anomalies have you spotted on this server? Running your log files through something like Logwatch can prove quite useful in these cases. BTW, please obtain a snapshot of the general system state, which can be done by running these commands as root (thanks unSpawn):I recommend sending the output of the commands via SSH to a secure location. FWIW, I agree that re-installation might be inevitable (especially given that you don't seem to have HIDS data to work with), but without doing at least basic investigation to find out what happened you risk re-creating the same vulnerability which was exploited. All that said, it's been quite a while since your last post so the suggestions here may not be applicable any more. Please let us know where you stand.