Re: brute force ssh attack

Daniel Kirsten wrote:
> Hello,
>
> There are numerous brute-force ssh attacks on the web. I was quite curious, and for fun, I created the typical user accounts and set easy-to-guess passwords....

Generally, a very bad idea. Unless you know exactly what you are doing, which you obviously don't.


> Yesterday, such an ssh login was successful for the users
> kevin and daikanyama. The hackers changed the passwords for both logins. They installed a certain program "undernet" as daikanyama and started a program called mech.


> After some minutes, I removed the network cable, killed all the processes of the users and disabled these users.

You don't just unplug the network cable. You wipe the machine and reinstall it from scratch. Simple as that.


> Then, I figured out that some programs such as grep did not work. I rebooted the machine, but during the reboot I got various "segmentation faults", "illegal instructions", ....

Yeah, they were probably script kiddies who had no clue what they were doing, and they installed a corrupted rootkit. If they knew what they were doing, you'd never notice any file changes. See my previous comment about reinstalling the machine from scratch.


> My question is: They did not guess the root password, so how did they manipulate files which are only writable by root?

They don't need to guess root's password. All they need is a single buggy setuid-root executable. Either you didn't have security updates installed, or the kids got their hands on a not-yet-reported exploit (somehow, somewhere).


> Is anyone interested in the log files or in the programs which the hackers installed under daikanyama?

I don't see why. In all probability, they installed some bots that can be controlled from IRC, which would enable them to perform DDoS using your machine (and dozens or hundreds of other machines).


--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
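The pattern described in this thread (a burst of password failures from one source, then a successful password login for a weak account such as kevin) is what a defender should be watching for in sshd logs. The following is an added example, not code from the thread or from any project mentioned in it; it assumes sshd log lines in the default syslog wording, and the sample lines below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the original message).
SAMPLE_LOG = """\
Mar  3 02:11:01 host sshd[4311]: Failed password for invalid user admin from 192.0.2.10 port 51012 ssh2
Mar  3 02:11:03 host sshd[4313]: Failed password for invalid user test from 192.0.2.10 port 51014 ssh2
Mar  3 02:11:05 host sshd[4315]: Failed password for kevin from 192.0.2.10 port 51016 ssh2
Mar  3 02:11:07 host sshd[4317]: Failed password for kevin from 192.0.2.10 port 51018 ssh2
Mar  3 02:11:09 host sshd[4319]: Accepted password for kevin from 192.0.2.10 port 51020 ssh2
Mar  3 02:15:40 host sshd[4402]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

# "invalid user" appears when the account does not exist; the group still captures the name.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def analyze(log_text, threshold=3):
    """Return (brute_forcers, suspicious_logins).

    brute_forcers: {source_ip: failed_count} for sources at or above threshold.
    suspicious_logins: successful *password* logins from a source that had
    already accumulated >= threshold failures, i.e. a guess that worked.
    """
    failures = defaultdict(int)       # source ip -> number of failed passwords
    tried_users = defaultdict(set)    # source ip -> usernames it tried
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            tried_users[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            # Key-based logins are not the product of guessing; only flag passwords.
            if method == "password" and failures.get(ip, 0) >= threshold:
                suspicious.append({
                    "user": user,
                    "ip": ip,
                    "prior_failures": failures[ip],
                    "users_tried": sorted(tried_users[ip]),
                })
    brute_forcers = {ip: n for ip, n in failures.items() if n >= threshold}
    return brute_forcers, suspicious
```

A hit in the second result means the account has to be treated as compromised, which is exactly the point at which the reply above says to rebuild the host rather than just pull the cable.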

