machine hacked ...

hi friends, i have a problem at the time of entering the machine remotly with ssh ex.:

:~# ssh [email protected]

it appears the following error

:~# ssh_exchange_identification: Connection closed by remote host

I approached the machine to see what happened physically, and it surprised to me
that it could not either enter from the same machine, what it makes me think that they did
to crack to /etc/shadow and /etc/passwd files.

the problem is how entering to the machine because i not have the root user or another one ...

please i need help because this machine is a production server, with to much email account's and resellers, etc ....

ahhh.. the email accounts don't work, the reseller account either...

thank

i dont know resolve the problem .... the machine is a Gnu/Linux Debian 4.0 with all updates and ispconfig 2.2.14 like only resource...

 

Boot into single user mode, which automatically puts you in as root, then set your password with the passwd command.

 

you can always use a live cd
and then mount / chroot to your linux partition

but keep close a live cd (always helpful)

 

ok, but the problem is that two users only exist the root and ispconfig that they can modify this files, then can i to control the ispconfig user so that it does not have east permission???,

 

it already fixes the problem, in any case what they did it was to modify the shadow, password, gshadow and group files, for that reason I think that it can have been through ispconfig server, because no other user has the possibility of modifying these files.

The other errors that appeared they were by the same problem, i solved the problem entering in single mode, and replacing the archives modified with those of backups old files, but now it appears in the name of session, to initiate the session in ssh for example, a messages as :

I have no name!@machinename:~$

I did not solve this problem yet ...

well my friend i will continue analyzing this and other problems and i'm writing them ... thank you for all the answers ...

greetings
albertux

 

the problem of ihavenoname! it was simple question of permissions to the files

grettings to all

 

That is some coincidence... I had EXACTLY THE SAME HAPPEN 15TH OCTOBER...

I am now sitting and installing fedora core 6 and installing Pleask.. sorry but I need to feel safer..

I set up a catchall email on one of the webs, after the catchall was set NONE of my passwords worked.. could not ssh into it.. would not accept root user single mode... nothing nada... 120 km drive, get the box .. install FC6 ..

Too much of a coincidence? Could there be a problem with ispconfig security here?

 

really i dont know, it is the first time than happens somethings to much great and burden, other times I had problems with mambo server for the bugs of security but never with the characteristics to put in danger all the system, and still i believe that it was throungth ispconfig, because of the rest of my Gnu/Linux Debian Etch it's update completely and similar errors have not been reported in the community...
Specially i create and guarantee the ispconfig server because, to part of this event, never it had had some other problem before, therefore i will continue using it ... although it is much coincidence really

grettings


P.D. Fedora Core it gives but insecurity me that any other package

 

i am not claiming, i am asking.. that is a difference

i have used the system for 2 yrs with no big problems, however i did get the same problem just 2-3 days after "albertux" and that is at a minimum strange.

i am checking the password files now.. it may be these but the only service being used on this box was ispconfig and by changing one users password (through ispconfig) and same time setting up a catchall for him.. this incident occured..

my /etc/passwd have rw r r attributes
my /etc/shadow only have r for root... what should it have ? same attributes as /etc/passwd ??

 

thanks. i am trying the commands.. no success, pwck only reports
"user pcap: directory /var/arpwatch does not exist" ..

corrction

running on /etc/passwd reports all users like this..

user web14_max: directory 7 does not exist
user root: directory 7 does not exist

 

yep, the problem it's that the files :

passwd
shadow
group
gshadow

they corrupt nothing else, i did, was to initiate the machine in single mode and paste the backups files of the files in the etc directory ... and the problem "i have no name" it was solved when I put the necessary permissions to him ... nothing else. you are right that can be a worm or something but as i can find, it or as I can review more meticulously, since in logs he does not appear nothing...

you know, could have been a negligence of openssl 0.9.7, that has shown security problems, but strange it it is that I have everything updated from the beginning of the operation of ispconfig.

now it can be a tiny bug or worm, because it does not let to me update the version from the panel in the port 81 of ispconfig server, it I can only do from the console untar the file and installing again...

some idea ????

 

from what I see.. everyone now is group 7.. eg..
... :7:::: in the end in the shadow file for all my users

i did not find much relief on google either...

your conclusion is right i guess, there is a problem with some of these files.. i dont have any backup of the old shadow/passwd so i have to fix what i have
the files are all fine and readable.. the box is at my desk (a noisy bastard!! ) but it does not start much services due to it not finding users, i ran it with rescue mode earlier and transferred all my important data (webs, databases etc )

The FC5 -> FC6 went fine but of course the main problem was not solved.

i will check the logs now..

 

ahhh ok thanks, ... you know, , I analyzed my version of openssl, and he is 0.9.8c, that it does not have security holes, but can be reason why I have read, that has modified me the archives before updating openssl and day 16 activated all ...


greeting and thanl you for your aid