Hacking attack (ubuntu 7.04 server + local root exploit on kernel)

Discussion in 'General' started by smoko, Dec 29, 2007.

  1. smoko

    smoko New Member

    Hello

    My server was attacked by a hacker. He told me about this.

    my /etc/passwd was changed

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    #games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    dhcp:x:100:101::/nonexistent:/bin/false
    syslog:x:101:102::/home/syslog:/bin/false
    klog:x:102:103::/home/klog:/bin/false
    smoko:x:1000:1000:SMOKO,,,:/home/smoko:/bin/bash
    sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
    fetchmail:x:104:65534::/var/lib/fetchmail:/bin/sh
    bind:x:105:110::/var/cache/bind:/bin/false
    mysql:x:106:111:MySQL Server,,,:/var/lib/mysql:/bin/false
    postfix:x:107:113::/var/spool/postfix:/bin/false
    proftpd:x:108:65534::/var/run/proftpd:/bin/false
    ftp:x:109:65534::/home/ftp:/bin/false
    ntp:x:110:115::/home/ntp:/bin/false
    admispconfig:x:1001:1001:Administrator ISPConfig:/home/admispconfig:/bin/bash
    ossec:x:1002:1002::/var/ossec:/bin/false
    ossecm:x:1003:1002::/var/ossec:/bin/false
    ossecr:x:1004:1002::/var/ossec:/bin/false
    
    Group number 65534, what is this?? This is what the hacker changed (user games was added by the hacker)

    I installed OSSEC monitoring and I got this info by e-mail

    OSSEC HIDS Notification. 2007 Dec 29 06:25:02 Received From: dragon->/var/log/auth.log Rule: 40101 fired (level 12) -> "System user successfully logged to the system." Portion of the log(s): Dec 29 06:25:01 dragon su[30607]: + ??? root:nobody
    
    
    My /var/log/auth.log was like that

    Dec 29 05:00:02 dragon CRON[29410]: (pam_unix) session closed for user root
    Dec 29 05:09:01 dragon CRON[29552]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 05:09:01 dragon CRON[29552]: (pam_unix) session closed for user root
    Dec 29 05:17:01 dragon CRON[29677]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 05:17:01 dragon CRON[29677]: (pam_unix) session closed for user root
    Dec 29 05:30:01 dragon CRON[29836]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 05:30:01 dragon CRON[29836]: (pam_unix) session closed for user root
    Dec 29 05:39:01 dragon CRON[29949]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 05:39:01 dragon CRON[29949]: (pam_unix) session closed for user root
    Dec 29 06:00:01 dragon CRON[30209]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 06:00:01 dragon CRON[30211]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 06:00:01 dragon CRON[30211]: (pam_unix) session closed for user root
    Dec 29 06:00:02 dragon CRON[30209]: (pam_unix) session closed for user root
    Dec 29 06:09:01 dragon CRON[30370]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 06:09:01 dragon CRON[30370]: (pam_unix) session closed for user root
    Dec 29 06:17:01 dragon CRON[30476]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 06:17:01 dragon CRON[30476]: (pam_unix) session closed for user root
    Dec 29 06:25:01 dragon CRON[30576]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 06:25:01 dragon su[30607]: Successful su for nobody by root
    Dec 29 06:25:01 dragon su[30607]: + ??? root:nobody
    Dec 29 06:25:01 dragon su[30607]: (pam_unix) session opened for user nobody by (uid=0)
    Dec 29 06:25:01 dragon su[30607]: (pam_unix) session closed for user nobody
    Dec 29 06:25:01 dragon su[30609]: Successful su for nobody by root
    Dec 29 06:25:01 dragon su[30609]: + ??? root:nobody
    Dec 29 06:25:01 dragon su[30609]: (pam_unix) session opened for user nobody by (uid=0)
    Dec 29 06:25:01 dragon su[30609]: (pam_unix) session closed for user nobody
    Dec 29 06:25:01 dragon su[30611]: Successful su for nobody by root
    Dec 29 06:25:01 dragon su[30611]: + ??? root:nobody
    Dec 29 06:25:01 dragon su[30611]: (pam_unix) session opened for user nobody by (uid=0)
    Dec 29 06:25:03 dragon su[30611]: (pam_unix) session closed for user nobody
    Dec 29 06:26:35 dragon CRON[30576]: (pam_unix) session closed for user root
    Dec 29 06:30:01 dragon CRON[11022]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 06:30:01 dragon CRON[11022]: (pam_unix) session closed for user root
    Dec 29 06:39:01 dragon CRON[11135]: (pam_unix) session opened for user root by (uid=0)
    Dec 29 06:39:01 dragon CRON[11135]: (pam_unix) session closed for user root
    Dec 29 07:00:01 dragon CRON[11432]: (pam_unix) session opened for user root by (uid=0)

    I'm sorry but my English is not good ;( Please help me
     
    Last edited: Dec 29, 2007
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    If you want to know the name of the group, have a look at the /etc/group file.

    Did you install all available updates for your linux distribution?

    Please check your system with rkhunter: http://www.rootkit.nl
     
  3. linuxbitch

    linuxbitch New Member

    hello

    For The admin server who was hacked ..
    what is your Ubuntu kernel version
    and i wanna tell ya .. rk-hunter doesn't work all the time .. believe me .. :D) .. if .. the rk is a trojan .. yes it is possible to be detected .. if it is not .. then you have a problem .. or .. if the man who entered your comp .. didn't put a rootkit on it .. then you'll have a prob .. :D
    try a socklist .. and see the ports ..
    if you are interested to talk more about that .. [email protected]
    contact me!
     
  4. houms

    houms New Member

    Hacking Attack????

    looking at your log, it does not appear to be something you need to worry about. those entries are showing a cron job doing its thing. it is not something you need to worry about. I have the same entries in my log:)

    Root is 'su'ing to 'nobody' to run a scheduled system service or a cron job...It starts the service then hands it over to 'nobody'.

    oh, and 65534 is uid for user 'nobody', you probably have cron jobs running for various services... you may also want to check your /etc/cron.daily/ directory.
     
    Last edited: Aug 27, 2008
  5. daddyfish

    daddyfish New Member

    Indexing cron for "locate" command.

    I think some will appreciate this addition to this old thread. I spent some time figuring this out.

    The cron job that runs the index update for the locate command causes the following log entries in auth.log:

    Sep 14 22:48:14 mydomain su[24053]: Successful su for nobody by root
    Sep 14 22:48:14 mydomain su[24053]: + ??? root:nobody
    Sep 14 22:48:14 mydomain su[24053]: pam_unix(su:session): session opened for user nobody by (uid=0)
    Sep 14 22:48:14 mydomain su[24053]: pam_unix(su:session): session closed for user nobody
    Sep 14 22:48:14 mydomain su[24055]: Successful su for nobody by root
    Sep 14 22:48:14 mydomain su[24055]: + ??? root:nobody
    Sep 14 22:48:14 mydomain su[24055]: pam_unix(su:session): session opened for user nobody by (uid=0)
    Sep 14 22:48:14 mydomain su[24055]: pam_unix(su:session): session closed for user nobody
    Sep 14 22:48:14 mydomain su[24057]: Successful su for nobody by root
    Sep 14 22:48:14 mydomain su[24057]: + /dev/pts/0 root:nobody
    Sep 14 22:48:14 mydomain su[24057]: pam_unix(su:session): session opened for user nobody by myself(uid=0)
    Sep 14 22:48:20 mydomain su[24057]: pam_unix(su:session): session closed for user nobody

    Although these types of log entries look very suspicious, especially in the auth.log, they are quite normal if the locate command is installed. Also, other cron jobs or actions may make similar entries.

    If you wish to see this for yourself, run "/etc/cron.daily/locate" as root or "sudo /etc/cron.daily/locate" as sudoer, then inspect /var/log/auth.log

    Hopefully this will lay unwarranted fears to rest !
     
    Last edited: Sep 15, 2013
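As an added example (not code from this thread or from any of its posters), the following Python snippet parses the `su` audit lines discussed in the posts above and separates the cron-driven root to nobody pattern, where the tty field is logged as `???`, from an `su` run on a real terminal or one that ends up as root. The sample log lines are constructed after the excerpts in this thread; the verdict strings and the helper names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the auth.log excerpts quoted in this thread.
SAMPLE_AUTH_LOG = """\
Dec 29 06:25:01 dragon CRON[30576]: (pam_unix) session opened for user root by (uid=0)
Dec 29 06:25:01 dragon su[30607]: Successful su for nobody by root
Dec 29 06:25:01 dragon su[30607]: + ??? root:nobody
Sep 14 22:48:14 mydomain su[24057]: Successful su for nobody by root
Sep 14 22:48:14 mydomain su[24057]: + /dev/pts/0 root:nobody
Sep 14 22:50:00 mydomain su[24099]: Successful su for root by smoko
Sep 14 22:50:00 mydomain su[24099]: + /dev/pts/1 smoko:root
"""

# Matches only the "+ <tty> <src>:<dst>" line, which carries both the terminal and the two users.
SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su\[(?P<pid>\d+)\]: "
    r"\+ (?P<tty>\S+) (?P<src>[^:]+):(?P<dst>\S+)$"
)


@dataclass
class SuEvent:
    ts: str
    pid: int
    tty: str          # "???" means no controlling terminal, i.e. started by cron or a daemon
    src: str
    dst: str
    interactive: bool
    verdict: str


def classify(src: str, dst: str, interactive: bool) -> str:
    """Hypothetical triage rules: cron's root->nobody drop is expected, the rest gets a look."""
    if dst == "root":
        return "review: privilege escalation via su"
    if src == "root" and dst == "nobody" and not interactive:
        return "expected: unprivileged cron helper (e.g. cron.daily/locate)"
    if interactive:
        return "review: interactive su to service account"
    return "review: unexpected non-interactive su"


def parse_su_events(log_text: str) -> List[SuEvent]:
    events = []
    for line in log_text.splitlines():
        m = SU_RE.match(line)
        if not m:
            continue  # CRON/pam session lines and "Successful su" lines carry no tty
        interactive = m["tty"] != "???"
        events.append(SuEvent(m["ts"], int(m["pid"]), m["tty"], m["src"], m["dst"],
                              interactive, classify(m["src"], m["dst"], interactive)))
    return events


def needs_review(events: List[SuEvent]) -> List[SuEvent]:
    return [e for e in events if e.verdict.startswith("review")]
```

Run against a real /var/log/auth.log the same way; the su lines from the locate cron job land in the "expected" bucket, while an su with a /dev/pts tty is what deserves attention.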
