What connection? Are you saying someone logged in from an IP that couldn't possibly be the real user's IP? That is a good reason to think the user's account was compromised. But that doesn't mean they got root access. This kind of thing happens all the time. If you are running a server with ssh access for lots of accounts, it's not particularly rare for someone to get a password for one of your end users. They can get it by guessing. They guess passwords by getting the user's facebook or twitter password and then trying it on your machine. Or they brute force it by guessing every possible password. If someone's password is 12345, it doesn't take long. Do you have some reason to think the hacker got root access other than that an end user's account was compromised? On 07/09/14 13:27, David Mehler wrote:
Hello,
Thank you. I would tend to agree. I've gone back and checked the reverse IP of the connection; it's definitely a breach. I've got hidden directories under several places in the filesystem, nothing under /tmp, I don't get how this was done? Am I dealing with a rootkit or not?
I ran chkrootkit which reported the suckit rootkit but running rkhunter revealed nothing, and both were fully updated. I've done google searching and apparently that suckit rootkit diagnosis has a history of false positives with chkrootkit.
Any help appreciated.
Thanks. Dave.
On 7/9/14, Scott Granados <scott@granados-llc.net> wrote:
This sounds to me like you got owned. I've noticed that a lot of penetrations like that have hidden directories and or stuff set up under /tmp. Remember that openssl needed to be updated recently as well as anything compiled using it. Not sure in your case whether they were fully successful but if directories appeared I'd tend to think so.
On Jul 9, 2014, at 1:50 AM, David Mehler <dave.mehler@gmail.com> wrote:
Hello Everyone,
I'm running an fc20 Linux linode. I'll admit the past two months I've not been paying as much attention to it as I should, with a bunch of unexpected stresses.
That being said it is fully up to date, I do that daily and it is running a firewall as well as the fail2ban software for automated bots defense.
Tonight I checked my email and noticed two from an account on my system sent to me that is my account. I've got all root email forwarded to my account to read it. Now two things, first this account shouldn't have got any cron reports, second since I use virtual users and they're all in a database that user shouldn't have been able to send email from my server to me.
I checked the account on the server and noticed a hidden directory called .local under which there was a share directory and a system directory under that. Finally there is a broken symbolic link called user which points, or pointed I should say, to a now nonexistent file and folder which do not exist.
I've got an email out to the user, and I've checked the password file for any accounts with login shells, nothing new has come up.
If this was an attempted root breakin with a rootkit this user is not in the sudoers file so I think I'm safe there.
I'd like to hear your thoughts on this, and some further steps I can take on this issue to either confirm or refute as to whether I've been breached.
Thanks. Dave.
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins
-- --- John G. Heim, 608-263-4189, jheim@math.wisc.edu
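The triage steps Dave describes (checking the password file for accounts with login shells, looking for hidden directories in home trees, and spotting dangling symlinks like the "user" link under .local/share/system) as an added example that is not part of the thread. The passwd contents and the home tree are constructed in a scratch directory so the checks run offline; the account names and paths are assumptions, not values from the thread.

```shell
#!/bin/sh
# Constructed example: rebuild the kind of evidence described in the thread in a
# scratch directory, then run the triage checks over it. All names here are made up.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOME_ROOT="$WORK/home"
PASSWD="$WORK/passwd"

# Constructed home tree: a hidden .local/share/system directory and a dangling
# symlink named "user" inside it, mirroring what Dave found on his account.
mkdir -p "$HOME_ROOT/alice/.local/share/system"
ln -s "$WORK/does-not-exist" "$HOME_ROOT/alice/.local/share/system/user"
mkdir -p "$HOME_ROOT/bob"

# Constructed passwd file: interactive accounts plus system/virtual-mail accounts
# whose shell is nologin (virtual users in a database never need a real shell).
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
vmail:x:5000:5000::/var/vmail:/sbin/nologin
bob:x:1001:1001::/home/bob:/bin/sh
EOF

# Accounts whose login shell is interactive (anything not ending in nologin/false).
# Compare this list against what you expect; a new entry here is a red flag.
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Hidden directories (basename starts with ".") anywhere under the given tree.
hidden_dirs() {
    find "$1" -type d -name '.*' | sort
}

# Symlinks whose target no longer exists (test -e follows the link).
broken_symlinks() {
    find "$1" -type l ! -exec test -e {} \; -print | sort
}

echo "== accounts with login shells";  login_shell_accounts "$PASSWD"
echo "== hidden directories";          hidden_dirs "$HOME_ROOT"
echo "== broken symlinks";             broken_symlinks "$HOME_ROOT"
```

On a real host point PASSWD at /etc/passwd and HOME_ROOT at /home (or /), and compare the output against a known-good baseline rather than reading it in isolation.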