LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 05-04-2005, 09:04 PM   #1
BrianK
Senior Member
 
Registered: Mar 2002
Location: Los Angeles, CA
Distribution: Debian, Ubuntu
Posts: 1,334

Someone hacked my machine - any recourse?


Someone hacked one of my machines. It all started when some people were partying in my office after hours, the next morning one of the windows machines had more viruses and spyware on it than I could even count... took days to get it to a useable state.

In any event, the user I created on my network for that machine's samba connection has logged into my ssh machine (no one ever uses that username because I created it solely for Samba) & setup a mail relay. I noticed it when my internet connection was getting really slow, so I checked the ssh machine & saw hundreds of thousands(?) of mails had been sent over the last couple days (last week). I stopped sendmail, changed the password for that user on my NIS machine, changed the shell for that user to /sbin/nologin, removed sendmail from the startup services and everything appeared to be better.

Well, in my logs on the ssh machine, I see that the user I created for samba has successfully logged in through ssh again! The ip appears to come from Japan. Furthermore, a second ip tried (unsuccessfully) to log into every generic username they could think of: cgi, www-data, guest, webmaster, etc.

I have the ips of both people. Is there anything I can do? I don't necessarily mean malicious things, I just mean can I report this to someone?
 
Old 05-04-2005, 09:17 PM   #2
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Virginia, USA
Distribution: Debian 12
Posts: 8,340

"can I report this to someone?"

You can report it to the FBI.

http://www.ifccfbi.gov/index.asp

----------------------------
Steve Stites
 
Old 05-04-2005, 09:43 PM   #3
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

And it's safe to assume that you've been rooted.

Grab a liveCD with rootkit-hunter and chkrootkit,
boot the box off that and pray that clean removal
is possible. Whatever distro you're using, you need
to make sure that the MD5 sums of all executables
are the same as on the installation media. ...

That aside, this thread belongs in security, not general.


Cheers,
Tink
 
Old 05-04-2005, 09:47 PM   #4
BrianK
Senior Member
 
Registered: Mar 2002
Location: Los Angeles, CA
Distribution: Debian, Ubuntu
Posts: 1,334

Original Poster
Quote:
Originally posted by Tinkster
...
That aside, this thread belongs in security, not general.
oops. never noticed there was a security forum.

mods, feel free to move at will.

Thanks for the suggestions.
 
Old 05-04-2005, 09:48 PM   #5
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

If there was no major financial damage, the FBI may not want to devote a lot of resources to it (at least that's what I heard, but don't take my word for it--ask some of the experts in the security forum). But hopefully you learned that if an account is meant for SAMBA access only, don't give it a real login shell!

First step is to figure out if just that one account was compromised, or if the attacker got root. If you have any doubt at all, particularly since the attacker had physical access, assume the worst. The multiple failed logins sounds like one of the brute force attacks going around (see the stickied thread in the security forum) and is probably unrelated.

If the compromise was only in the local account, you may be OK just getting rid of the account and removing all its files (check /tmp, cronjobs, etc.). However, if it were me, I'd nuke the machine and reinstall from trusted media. A pain, but it's the only way to be 100% certain you've rid yourself of the attacker.
 
Old 05-04-2005, 10:20 PM   #6
masonm
Senior Member
 
Registered: Mar 2003
Location: Following the white rabbit
Distribution: Slackware64 -current
Posts: 2,300

I agree with btmiller, if there's any doubt at all about having been rooted, wipe it and start fresh just to be safe.

As far as those IPs, unless they're total morons they're likely of no use anyway.
 
Old 05-05-2005, 12:50 AM   #7
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
Blog Entries: 4

Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 05-05-2005, 12:46 PM   #8
BrianK
Senior Member
 
Registered: Mar 2002
Location: Los Angeles, CA
Distribution: Debian, Ubuntu
Posts: 1,334

Original Poster
Thanks for the thread move.

I compiled and ran a chkrootkit & it claimed everything ok,

that said, now that I've double checked that the account uses /sbin/nologin as a shell, erased the account's home dir and mail account, I still see that it logged in last night, so I'm going to wipe the machine.

As luck would have it, I made an image of an identical machine a few days before this all happened, so I'll just pull it over. Unfortunately, they appear to have found some of the real accounts on the machine (that are NIS accounts & don't live in /etc/passwd) & attempted to log in through those as well.

What a headache.

.. starting my security research now.

Last edited by BrianK; 05-05-2005 at 12:52 PM.
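A check that follows from btmiller's advice (work out whether only the one account was used) and from BrianK's observation that the Samba-only account kept authenticating over SSH even after its shell was set to /sbin/nologin. This is an added example, not code from the thread; the passwd and auth.log lines below are constructed, the IPs are documentation-range addresses, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample of `getent passwd` output (covers both local and NIS accounts).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
smbshare:x:1001:1001:samba only:/home/smbshare:/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
brian:x:1000:1000:Brian:/home/brian:/bin/bash
"""

# Constructed sshd lines in the style of /var/log/auth.log.
AUTH_LOG_SAMPLE = """\
May  4 02:11:07 gw sshd[2231]: Accepted password for smbshare from 203.0.113.7 port 4431 ssh2
May  4 02:11:09 gw sshd[2240]: Failed password for invalid user cgi from 198.51.100.9 port 5120 ssh2
May  4 02:11:10 gw sshd[2240]: Failed password for invalid user guest from 198.51.100.9 port 5121 ssh2
May  4 02:11:11 gw sshd[2240]: Failed password for www-data from 198.51.100.9 port 5122 ssh2
May  4 09:30:02 gw sshd[2510]: Accepted publickey for brian from 192.0.2.10 port 50022 ssh2
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(\S+) from (\S+) port")

def parse_passwd(text):
    """Map user -> login shell from passwd-format lines (7 colon-separated fields)."""
    shells = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    return shells

def ssh_logins_for_non_interactive(auth_log, shells):
    """Successful sshd authentications by accounts whose shell is nologin/false.
    sshd logs 'Accepted' once the credential is valid, before the shell runs, so
    a nologin shell does not stop the entry (nor, by default, TCP forwarding):
    a hit means that account's password or key is known to the remote side."""
    hits = []
    for line in auth_log.splitlines():
        m = ACCEPTED.search(line)
        if m and shells.get(m.group(2)) in NOLOGIN_SHELLS:
            hits.append((m.group(2), m.group(3), m.group(1)))  # user, source IP, method
    return hits

def failed_by_source(auth_log):
    """Count failed sshd logins per source IP, which makes username sweeps stand out."""
    return Counter(m.group(2) for m in map(FAILED.search, auth_log.splitlines()) if m)
```

On a real box, feed it `getent passwd` (so NIS accounts are included) and the sshd lines from auth.log rather than the samples; an account that should never log in but still shows an Accepted line is the one to lock and rotate.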
 
Old 05-05-2005, 05:57 PM   #9
thorn168
Member
 
Registered: Oct 2004
Location: USA
Distribution: Vector Linux 5.1 Std., Vector Linux 5.8 Std., Win2k, XP, OS X (10.4 & 10.5)
Posts: 344

If these crackers are that persistent...I would deploy a honeypot or tarpit to slow them down and log their attacks on your organization.

Go to: http://honeynet.org/index.html

For more information on honeynet technology.

Good luck,

Thorn
 
Old 05-09-2005, 09:43 AM   #10
matrixcubed
LQ Newbie
 
Registered: May 2004
Location: Gatineau, QC
Distribution: Ubuntu 6.10
Posts: 25

I would suggest, never delete anything done by someone who has compromised your system... instead save them elsewhere only accessible by root. Then at least you can refer to what had taken place, in the event it happens again in the future. :-\
 