Mark Foster wrote:

Malcolm Ferguson wrote:

My machine was cracked on Thursday evening. I'm trying to understand how it happened so that it doesn't go down again.


Sounds to me like you know exactly how it happened - ssh user enumeration won the jackpot.


Thanks: you got me thinking. I see exactly what happened now. A dictionary attack via ssh found user 'steve' with a weak password. The auth.log shows this user login and su to root. Perhaps a local exploit?

Summary:
Mar 25 02:42:48 erin-and-malc sshd[26185]: Accepted password for steve from 193.170.65.146 port 27310 ssh2
Mar 25 02:42:48 erin-and-malc PAM_unix[26197]: (ssh) session opened for user steve by (uid=1008)
Mar 25 02:44:03 erin-and-malc newgrp[26309]: user `steve' switched to group `steve'
Mar 25 02:44:52 erin-and-malc PAM_unix[25314]: (ssh) session closed for user steve
Mar 25 02:44:52 erin-and-malc sshd[25314]: PAM pam_putenv: delete non-existent entry; MAIL
Mar 25 02:46:52 erin-and-malc su[26394]: + pts/1 root-root
Mar 25 02:46:52 erin-and-malc PAM_unix[26394]: (su) session opened for user root by steve(uid=0)
Mar 25 02:47:42 erin-and-malc PAM_unix[26416]: Password for steve was changed
Mar 25 02:52:31 erin-and-malc su[26534]: + ttyp0 root-steve
Mar 25 02:52:31 erin-and-malc PAM_unix[26534]: (su) session opened for user steve by (uid=0)
Mar 25 02:52:43 erin-and-malc PAM_unix[26197]: (ssh) session closed for user steve
Mar 25 02:52:43 erin-and-malc sshd[26197]: PAM pam_putenv: delete non-existent entry; MAIL
etc..
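The sequence in the log above (a remote password login, then su to root by the same account, then a password change on that account within minutes) is exactly the chain a detection script can pick out of auth.log. The following is an added example and is not code from the original post; it assumes a syslog year (2005) because syslog timestamps carry none, uses a 15-minute correlation window, and the three "Failed password" lines in the sample are constructed to stand in for the dictionary-attack noise that precedes a successful guess (they are not from the post).

```python
import re
from datetime import datetime, timedelta

# Constructed sample input. The five sshd/PAM/su lines are taken from the post
# above; the three "Failed password" lines are constructed (not from the post)
# to represent the guessing that precedes the "Accepted password" line.
SAMPLE_LOG = """\
Mar 25 02:41:10 erin-and-malc sshd[26101]: Failed password for invalid user admin from 193.170.65.146 port 27201 ssh2
Mar 25 02:41:31 erin-and-malc sshd[26140]: Failed password for steve from 193.170.65.146 port 27250 ssh2
Mar 25 02:42:02 erin-and-malc sshd[26170]: Failed password for steve from 193.170.65.146 port 27290 ssh2
Mar 25 02:42:48 erin-and-malc sshd[26185]: Accepted password for steve from 193.170.65.146 port 27310 ssh2
Mar 25 02:42:48 erin-and-malc PAM_unix[26197]: (ssh) session opened for user steve by (uid=1008)
Mar 25 02:46:52 erin-and-malc su[26394]: + pts/1 root-root
Mar 25 02:46:52 erin-and-malc PAM_unix[26394]: (su) session opened for user root by steve(uid=0)
Mar 25 02:47:42 erin-and-malc PAM_unix[26416]: Password for steve was changed
"""

ASSUMED_YEAR = 2005  # assumption: classic syslog lines carry no year

# Generic syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPT_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")
SU_ROOT_RE = re.compile(r"\(su\) session opened for user root by (?P<user>[^\s(]+)")
PWCHG_RE = re.compile(r"Password for (?P<user>\S+) was changed")


def parse_ts(ts):
    """Turn a syslog timestamp into a datetime using the assumed year."""
    return datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def find_escalations(log_text, window=timedelta(minutes=15)):
    """Correlate remote logins with a later su to root by the same user.

    Returns one finding per (login, su-to-root) pair that falls inside the
    window, carrying the source IP, how many failed attempts that IP made
    before the accepted login, and whether the account's password was then
    changed (the attacker locking the real owner out).
    """
    fails_per_ip = {}   # ip -> count of failed attempts seen so far
    logins = {}         # user -> list of (ts, ip, method, failed_before)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]

        f = FAIL_RE.search(msg)
        if f:
            fails_per_ip[f["ip"]] = fails_per_ip.get(f["ip"], 0) + 1
            continue

        a = ACCEPT_RE.search(msg)
        if a:
            logins.setdefault(a["user"], []).append(
                (ts, a["ip"], a["method"], fails_per_ip.get(a["ip"], 0)))
            continue

        s = SU_ROOT_RE.search(msg)
        if s:
            for lts, ip, method, failed_before in logins.get(s["user"], []):
                if timedelta(0) <= ts - lts <= window:
                    findings.append({
                        "user": s["user"], "login_ip": ip, "method": method,
                        "failed_before": failed_before, "login_at": lts,
                        "root_at": ts, "password_changed": False,
                    })
            continue

        p = PWCHG_RE.search(msg)
        if p:
            for fnd in findings:
                if fnd["user"] == p["user"] and ts >= fnd["root_at"]:
                    fnd["password_changed"] = True
    return findings


if __name__ == "__main__":
    for fnd in find_escalations(SAMPLE_LOG):
        delay = int((fnd["root_at"] - fnd["login_at"]).total_seconds())
        print(f"{fnd['user']} logged in by {fnd['method']} from {fnd['login_ip']} "
              f"after {fnd['failed_before']} failures, reached root {delay}s later; "
              f"password changed: {fnd['password_changed']}")
```

Run it against a real /var/log/auth.log by passing the file contents to find_escalations(); a login preceded by many failures from the same address, followed within minutes by su to root and a password change, is the signature of the break-in described in the post, whatever the local exploit (if any) turns out to have been.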