On 21/02/2009, at 12:46 PM, Jean-Francois wrote:
Hi All,
It looks like my server, running for a few days, has already been hacked.

It looks like there is a new user called 'daemon' with ID 1 and a new group daemon. The user's full name is 'The devil itself'!!!! First time I have found evidence of a hack on my server, however it has only been running one month!!

It looks like ntpd was the entry daemon, connected to something other than an ntp site, but I'm not sure. I am not sure at all about this, maybe someone has changed the daemon. After I checked the addresses that this daemon connected to, they were very strange as webserver content (blogs, default page 'It works' and so on ... I guess ntp servers shall not act like this).

Please find enclosed the ntpd server md5 print, could someone check if /usr/sbin/ntpd (OpenBSD 4.4) has the same print?

md5 print of ntpd daemon (/usr/sbin) on my OpenBSD 4.4:
a0c8961d5818b438ecbfd6c40be47a5f

Thanks for your kind help.
Ummm, not April 1st, so I'll bite.
$ md5 /usr/sbin/ntpd
MD5 (/usr/sbin/ntpd) = a0c8961d5818b438ecbfd6c40be47a5f
$ cat /etc/passwd
root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
operator:*:2:5:System &:/operator:/sbin/nologin
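The two checks in the reply above, a known-good md5 of the binary and a look at /etc/passwd, as an added example in Python that is not part of the thread: it parses passwd-format lines and compares them with a baseline, so that an expected stock account such as daemon with UID 1 is not mistaken for an intruder's account, while an account missing from the baseline, a changed uid/gid/shell, or any UID-0 account other than root is flagged. The BASELINE_ACCOUNTS table, the sample passwd text (the three lines quoted in the reply plus one constructed extra line) and the verify_md5 helper are assumptions made for this example.

```python
"""Baseline checks for a suspected compromise: passwd entries and a binary hash.

Added example, not code from the mailing-list thread. The baseline below is
constructed from the three stock OpenBSD 4.4 accounts quoted in the reply;
a real baseline would be taken from a clean install of the same release.
"""
import hashlib

# Constructed baseline: the stock accounts as quoted in the reply above.
BASELINE_ACCOUNTS = {
    "root": {"uid": 0, "gid": 0, "shell": "/bin/ksh"},
    "daemon": {"uid": 1, "gid": 1, "shell": "/sbin/nologin"},
    "operator": {"uid": 2, "gid": 5, "shell": "/sbin/nologin"},
}

# Constructed sample: the /etc/passwd lines shown in the reply.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
operator:*:2:5:System &:/operator:/sbin/nologin
"""

# Constructed sample of a tampered file: one extra UID-0 account appended.
TAMPERED_PASSWD = SAMPLE_PASSWD + "extra:*:0:0:not in baseline:/root:/bin/ksh\n"


def parse_passwd(text):
    """Parse passwd(5)-format text into a dict keyed by account name."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        accounts[name] = {"uid": int(uid), "gid": int(gid),
                          "gecos": gecos, "home": home, "shell": shell}
    return accounts


def audit_accounts(accounts, baseline):
    """Compare parsed accounts with the baseline; return a list of findings.

    An empty list means every account is known and has the expected uid, gid
    and shell. Accounts absent from the baseline, field mismatches, and any
    UID-0 account other than root are reported.
    """
    findings = []
    for name, acct in accounts.items():
        expected = baseline.get(name)
        if expected is None:
            findings.append(f"unknown account {name!r} (uid {acct['uid']})")
        else:
            for key in ("uid", "gid", "shell"):
                if acct[key] != expected[key]:
                    findings.append(
                        f"{name}: {key} is {acct[key]!r}, baseline {expected[key]!r}")
        if acct["uid"] == 0 and name != "root":
            findings.append(f"extra uid-0 account {name!r}")
    return findings


def verify_md5(data, expected_hex):
    """True if the MD5 of data equals the known-good hex digest, i.e. the check
    the reply performs with 'md5 /usr/sbin/ntpd'. MD5 is used only because
    that is the digest the thread compares."""
    return hashlib.md5(data).hexdigest() == expected_hex.strip().lower()


if __name__ == "__main__":
    for label, text in (("stock", SAMPLE_PASSWD), ("tampered", TAMPERED_PASSWD)):
        findings = audit_accounts(parse_passwd(text), BASELINE_ACCOUNTS)
        print(f"{label}: {findings or 'no findings'}")
```

To check a real binary, read it into bytes (open(path, "rb").read()) and pass it to verify_md5 together with a digest taken from a clean machine. A digest computed and compared entirely on the suspect host proves little, since both the md5 tool and the reference value could have been altered there; what makes the comparison in the reply meaningful is that the value came from another person's clean 4.4 install.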