ok i had an unknown person ssh'ed onto my server, anyways he was logged on as root, most likely a pc somewhere in the office i didnt log off since im the only one witht the root passwd. I did a pkill root and it kicked me out also and i cant ssh back in, what can i do at this point, this is serious btw so no laughing. thanks a million.

If you have access power off the thing now or ask someone to power it off. We'll handle the rest later.

K, so after the reset the processes will come back and i can ssh?

No, I'd rather you POWER OFF the box and don't disturb it until you can boot a Live or rescue CD.
BTW, is the box local or remote? If it appears to be a box on the LAN is compromised you'll have to take care of that first by alerting someone to take care of it or denying inbound access on the router to that segment and killing that box.

Ok, i found out it was a pc i thought it was off and it had the same file open, in other words there is no security breach. The box is at a nap, ill have to pass by tonight to reset it, i just scared that once i have phisically rebooted the machine,that it will let me back in and bring all the processes up again.

First off, don't entitle a topic "Heeeeeeeeeeeelp!!!" - Instead, describe the problem with an intelligent phrase.

Can you log in locally? If not, then bashrc, bash_profile, .login, or another startup script is probably malconfigured. Boot to single user mode or from a live CD and check the files. Also, check /etc/passwd to make sure that the login shell for root is configured as bash or something else reasonable, and that the MD5 signture of that instance of bash matches what you actually installed.

Actually, the ideal solution? If you are not absolutely, positively 100% certain you can find the exploit, back up your data, key configuration files (e.g., /etc/httpd, /etc/X11, etc/), your data, and anything else that is important then wipe the system and either restore from a backup or reinstall and copy your data (and config files) back to the new installation. You may actually save yourself a LOT of time that way.

If you don't want to R&R, then do the following:

Now, for the first step, can you log in locally? If so, the first thing you should do is install and run clamav, chkrootkit(http://www.chkrootkit.org/), and rkhunter (http://www.rootkit.nl/) on the entire filesystem to help ID compromised executables, and also known-bad executables. Check the usual suspects (/etc/ssh/, etc/passwd, etc.) for back doors. Check your /etc/init.d/ (runlevel) configuration to make sure that nothing unusual is being launched. I'd say to check timestamps on the init files to see if anything has been touched, but a good cracker would have touched the files to backdate mtime, ctime, and atime to evade suspicion, so your only recourse will be to either:

- diff the files against a KNOWN-clean system

or

- Examine each and every startup script to ID any potential back doors s/he added to the system

Eh, you know what? It's SO much work that you're best off restoring your most recent backup. I've cleaned systems before but unless you have a good basis for comparing the current config to the past (MD5 signatures or other method) or unless you've run rkhunter and/or chkrootkit from the very beginning and kept a history of changes, don't trust the system, unless it's just a toy in which case what's the big deal?

Good to hear it's no breach of security.
One down, two to go.
(Still, what's someone doing logged in as root? Is that really necessary? But OK...)

//Not that it's not appreciated, but using "preview post" before posting may save typing. Apparently a lot of people don't use the feature.

Im 100% sure there is no security breach whatsoever, Ill be going phisically to reset the machine. We do have an APC that can be remote managed but no one has the passwd, so ill have to phisically reset the pass on that one while im in there.

Not that it's not appreciated, but if I'd clicked "preview post" and saw that the original poster had posted an update in the meantime, it'd not have saved me a single keystroke. Thanks, though!

Today i walked to the actual server on the POP and it was completely frozen.I turned it off and on again, and it booted up just fine, all the processes run just fine. And i didnt get fired for bringing it down, So whats to learn fromall of this, perhaps.. tontt input a command before thoroughlydoing your research, and second, this forum pwns!!

i didnt get fired for bringing it down
Cool


So whats to learn fromall of this, perhaps.. tontt input a command before thoroughlydoing your research
And maybe use more than one means of access for critical servers, like adding an (out of band) console server, monitoring and making sure services stay up and run Xinetd's backupssh on a different port ACL'ed to your management IP (range)?

BTW I'll change the thread title to "Possible ssh breach".
"Heeeeeeeeeeeelp!!!" just isn't descriptive enough...

@ xtremeclones:

just by chance i'm reading a book all about this kind of stuff. it called "Hardening Linux" and has everything to help make your server (neraly)bullet-proof.

i cant scan it for you :P , but i will leave you with the deatils so you can get it. it only cost $40 (sounds like a lot for a book, but well worth it to keep hackers out):

title: Hardening Linux
publisher: McGraw-Hill / Osborne
ISBN: 0-07-225497-1


you wont regret it i promisse