LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-31-2010, 04:04 PM   #1
booyeeka
LQ Newbie
 
Registered: Apr 2010
Posts: 12

[urgent] strange login, please help!!!


I noticed that somebody was on my server, logged in with username: bin

Code:
cat /var/log/secure* |grep ssh |grep Accept
Code:
Jul 25 01:22:30 myserver sshd[12247]: Accepted password for bin from 79.114.xxx.yyy port 35360 ssh2

In /etc/passwd, for user bin I have:

Code:
bin:x:1:1:bin:/bin:/bin/bash
/etc/shadow:

Code:
bin:$1$C1ghUq8B$Pidnj3BWDYRhNW96LHmTG/:14721:0:99999:7:::


Please advise me what to do!

Last edited by booyeeka; 07-31-2010 at 04:08 PM.
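The check below is an added example written for this thread; it is not code posted by booyeeka or anyone else here. It reproduces the thread's evidence as constructed sample data (the log line and the passwd and shadow entries, with the source IP masked as in the post) and flags what makes the login suspicious: bin is a system account (UID 1) that normally carries a locked password field (`*` or `!!`) and a non-login shell, yet here it has both a usable hash and /bin/bash, and sshd accepted a password for it. The UID boundary of 999, the nologin shell list and the extra alice/daemon/root records are assumptions added for contrast.

```python
"""Added example (not from the LQ thread): flag logins to system accounts.

Cross-references sshd "Accepted ..." lines with /etc/passwd- and /etc/shadow-
style records to spot accounts that should never authenticate interactively
(low UID, e.g. bin) but have both a login shell and a usable password hash.
"""
import re

# Constructed sample data modelled on the thread (IP masked as in the post).
SECURE_LOG = """\
Jul 25 01:22:30 myserver sshd[12247]: Accepted password for bin from 79.114.xxx.yyy port 35360 ssh2
Jul 25 09:10:01 myserver sshd[12301]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Jul 25 09:11:45 myserver sshd[12310]: Failed password for root from 79.114.xxx.yyy port 35399 ssh2
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# The bin line is the one from the post ($1$ marks an MD5-crypt hash, a weak
# format); the other hashes are constructed placeholders, not real digests.
SHADOW = """\
root:$6$constructedsalt$notarealhashxxxxxxxxxxxx:14721:0:99999:7:::
bin:$1$C1ghUq8B$Pidnj3BWDYRhNW96LHmTG/:14721:0:99999:7:::
daemon:*:14721:0:99999:7:::
alice:$6$constructedsalt$notarealhashxxxxxxxxxxxx:14721:0:99999:7:::
"""

SYSTEM_UID_MAX = 999  # assumption: UIDs 1..999 are system accounts (root handled separately)
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}  # assumption
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_passwd(text):
    """Map user name -> (uid, shell) from /etc/passwd-style lines."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        accounts[name] = (int(uid), shell)
    return accounts


def parse_shadow(text):
    """Map user name -> password field from /etc/shadow-style lines."""
    hashes = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw = line.split(":", 2)[:2]
        hashes[name] = pw
    return hashes


def has_usable_password(field):
    """True if the shadow field holds a real hash (not empty, locked '!' or disabled '*')."""
    return bool(field) and field[0] not in "*!"


def audit_accounts(passwd_text, shadow_text):
    """System accounts (0 < UID <= SYSTEM_UID_MAX) that could log in interactively.
    root is excluded: its interactive role is legitimate and is governed by
    PermitRootLogin rather than by this check."""
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, (uid, shell) in parse_passwd(passwd_text).items():
        if (0 < uid <= SYSTEM_UID_MAX
                and shell not in NOLOGIN_SHELLS
                and has_usable_password(hashes.get(name, ""))):
            findings.append(name)
    return findings


def parse_accepted(log_text):
    """Extract successful sshd authentications as dicts (method, user, src, port)."""
    return [m.groupdict() for m in map(ACCEPTED_RE.search, log_text.splitlines()) if m]


def suspicious_logins(log_text, passwd_text, shadow_text):
    """Successful logins to accounts that should never authenticate at all."""
    flagged = set(audit_accounts(passwd_text, shadow_text))
    return [(e["user"], e["src"], e["method"])
            for e in parse_accepted(log_text) if e["user"] in flagged]


if __name__ == "__main__":
    for user, src, method in suspicious_logins(SECURE_LOG, PASSWD, SHADOW):
        print(f"ALERT: system account {user} authenticated via {method} from {src}")
```

On a real host the same functions take the contents of /var/log/secure*, /etc/passwd and /etc/shadow (the last readable only as root); any name that audit_accounts returns is worth explaining even before a login for it shows up, because a system account with a usable hash and a shell was put there deliberately by someone.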
 
Old 07-31-2010, 04:25 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

This is not urgent for the voluntary community here; please do not demand priority attention.
 
Old 07-31-2010, 04:26 PM   #3
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

But as for what to do, reinstall your system. It's the only way to ever have full confidence that there is nothing else to worry about. You can use things like rkhunter to check over your files, but in general it's not watertight.
 
Old 08-02-2010, 03:01 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

In addition to re-installing, try to learn from this and take steps so that it never happens again. For example, did you have passwords enabled on SSH? If so, turn it off and use keys. Do you have an application like fail2ban installed, which will make it exponentially harder for someone to try to gain access? Is the system physically secure? Are you using VNC in an unsecured manner, such as without an SSH tunnel?
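As an added illustration of the first two suggestions above (keys instead of passwords), and not code from this thread, here is a small auditor for sshd_config that compares a constructed permissive configuration with a hardened counterpart. The table of expected values is an assumption based on common hardening practice; the parser honours sshd's rule that the first value seen for a keyword wins, and stops at the first Match block because conditional settings there need separate review.

```python
"""Added example (not from the thread): audit sshd_config for password logins.

Assumptions: the EXPECTED table below reflects usual hardening advice; both
config texts are constructed for the demo.
"""

WEAK_CONFIG = """\
# constructed example of a permissive sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed hardened counterpart: keys only, no root logins
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
AllowUsers alice
"""

# keyword (lower-cased) -> value we expect to find explicitly set
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "no",
    "permitemptypasswords": "no",
}


def parse_sshd_config(text):
    """Return {keyword_lower: value_lower} for the global section of sshd_config.

    sshd uses the FIRST value it reads for a keyword, so duplicates are
    ignored via setdefault. Parsing stops at the first Match block: settings
    in there apply conditionally and must be reviewed by hand.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """List (keyword, found_value_or_None, expected) for each deviating setting.

    A keyword that is absent is reported with None: the effective default then
    depends on the OpenSSH version, which is exactly the kind of ambiguity an
    audit should not tolerate, so set it explicitly.
    """
    settings = parse_sshd_config(text)
    return [(key, settings.get(key), want)
            for key, want in EXPECTED.items() if settings.get(key) != want]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for key, got, want in findings:
            print(f"  {key}: found {got!r}, expected {want!r}")
```

Before applying a rewritten sshd_config, validate it with `sshd -t` and keep an existing session open while you restart the daemon, so a typo cannot lock you out of the box you are trying to protect.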
 
Old 08-02-2010, 11:08 AM   #5
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 21,954

Quote:
Originally Posted by booyeeka
I noticed that somebody was on my server, logged in with username: bin

Code:
cat /var/log/secure* |grep ssh |grep Accept
Code:
Jul 25 01:22:30 myserver sshd[12247]: Accepted password for bin from 79.114.xxx.yyy port 35360 ssh2
In /etc/passwd, for user bin I have:
Code:
bin:x:1:1:bin:/bin:/bin/bash
/etc/shadow:
Code:
bin:$1$C1ghUq8B$Pidnj3BWDYRhNW96LHmTG/:14721:0:99999:7:::
Please advise me what to do!
Aside from what's been said already...did you actually look at the offending address? Is it internal to your company, or external? Is the Linux system behind firewalls, etc., and did you check with your other users to see if anyone had logged in on purpose?

Since it's **URGENT**, try supplying some decent information...things like version/distro of Linux, the environment the box is in, etc. Saying "someone logged in, help!!" doesn't give us much to go on.
 
Old 08-02-2010, 02:04 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Quote:
Originally Posted by acid_kewpie View Post
but as for what to do, reinstall your system.
Without investigating the (perceived) breach re-installation could expose the same infection vector (if any). So please don't give that advice but point them to the CERT link, isolate the machine if necessary and ask them to wait for more knowledgeable people or our LQ Security incident handlers (Unixfool, Hangdog42, win32sux, me) to take over, TIA.
 
Old 08-04-2010, 03:58 AM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

booyeeka, you've got several LQ members here willing to help you out, but your cooperation is necessary in order for that to happen. What is your current status? We haven't heard from you in days! Ideally, this machine should have been isolated the moment a breach was suspected/detected, with a dedicated firewall configured to allow access only from your administrative IP(s). At that point, going through the CERT/CC Intruder Detection Checklist is usually a good idea. Did you take any such action? What other anomalies have you spotted on this server? Running your log files through something like Logwatch can prove quite useful in these cases. BTW, please obtain a snapshot of the general system state, which can be done by running these commands as root (thanks unSpawn):
Code:
ps axfwwwe -eo ppid,pid,uid,cmd --sort=ppid
Code:
lsof -Pwn
Code:
netstat -anpe
Code:
lastlog
Code:
last
I recommend sending the output of the commands via SSH to a secure location. FWIW, I agree that re-installation might be inevitable (especially given that you don't seem to have HIDS data to work with), but without doing at least basic investigation to find out what happened you risk re-creating the same vulnerability which was exploited. All that said, it's been quite a while since your last post so the suggestions here may not be applicable any more. Please let us know where you stand.

Last edited by win32sux; 08-04-2010 at 04:23 AM.
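The collector below is an added example, not code from win32sux or unSpawn: it runs the five snapshot commands listed above, writes each output to its own file, and records a SHA-256 manifest so the copy sent off the box (scp over SSH, as the post suggests) can later be shown to be the same bytes that were captured. Only the command lines come from the post; the directory layout, manifest format and temporary-directory default are assumptions.

```python
"""Added example (not from the thread): capture the volatile-state snapshot
win32sux lists into one directory with a SHA-256 manifest, so the copy moved
off the suspect host can be verified for tampering afterwards.
"""
import datetime
import hashlib
import json
import pathlib
import subprocess
import tempfile

# The thread's snapshot commands (meant to be run as root on the suspect host).
SNAPSHOT_COMMANDS = {
    "ps": ["ps", "axfwwwe", "-eo", "ppid,pid,uid,cmd", "--sort=ppid"],
    "lsof": ["lsof", "-Pwn"],
    "netstat": ["netstat", "-anpe"],
    "lastlog": ["lastlog"],
    "last": ["last"],
}


def run_capture(argv, timeout=120):
    """Run one command; return (combined stdout+stderr bytes, return code).

    A missing or hanging tool is recorded in the output instead of aborting
    the whole collection: partial evidence is better than none.
    """
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        return proc.stdout + proc.stderr, proc.returncode
    except FileNotFoundError:
        return f"{argv[0]}: command not found\n".encode(), 127
    except subprocess.TimeoutExpired:
        return f"{argv[0]}: timed out after {timeout}s\n".encode(), 124


def collect_snapshot(dest=None, commands=SNAPSHOT_COMMANDS):
    """Write <name>.txt per command plus manifest.json; return the manifest.

    With dest=None a fresh temporary directory is created (assumed layout).
    """
    dest = pathlib.Path(dest or tempfile.mkdtemp(prefix="snapshot-"))
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {
        "dest": str(dest),
        "collected_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "files": {},
    }
    for name, argv in commands.items():
        data, rc = run_capture(argv)
        path = dest / f"{name}.txt"
        path.write_bytes(data)
        manifest["files"][path.name] = {
            "argv": argv,
            "returncode": rc,
            "sha256": hashlib.sha256(data).hexdigest(),
        }
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_snapshot(dest):
    """Re-hash every file named in manifest.json and return the names that are
    missing or whose digest no longer matches (an empty list means intact)."""
    dest = pathlib.Path(dest)
    manifest = json.loads((dest / "manifest.json").read_text())
    broken = []
    for name, meta in manifest["files"].items():
        path = dest / name
        if (not path.exists()
                or hashlib.sha256(path.read_bytes()).hexdigest() != meta["sha256"]):
            broken.append(name)
    return broken


if __name__ == "__main__":
    m = collect_snapshot()
    print(f"snapshot written to {m['dest']}; intact: {verify_snapshot(m['dest']) == []}")
```

Copy the whole directory off the host (for example with `scp -r`) and store the manifest's digests somewhere the suspect machine cannot reach; running verify_snapshot on the copy later tells you whether the evidence you are reasoning about is still what was collected.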