Forum OpenACS Q&A: Response to Help! no SSH Telnet Access

Posted by MaineBob OConnor on

Cracker found!
I was searching through the /var/log/messages file and found these entries from yesterday and today:

sshd[17126]: Disconnecting: crc32 compensation attack: network attack detected
sshd[17139]: Disconnecting: Corrupted check bytes on input.
adduser[17163]: new group: name=liq, gid=521 
adduser[17163]: new user: name=liq, uid=521, gid=521, home=/home/liq, shell=/bin/bash 
new group: name=liq1, gid=522 
new user: name=liq1, uid=0, gid=522, home=/home/liq1, shell=/bin/bash 
Accepted password for liq from 212.199.171.187 port 1214
sshd[17186]: Disconnecting: Corrupted check bytes on input.
Could not reverse map address 212.199.171.187.
PAM_unix[17297]: (system-auth) session opened for user liq by (uid=0)
PAM_unix[17322]: (system-auth) session opened for user liq1 by liq(uid=521)
adduser[17439]: new group: name=satan, gid=523 
adduser[17439]: new user: name=satan, uid=522, gid=523, home=/home/satan, shell=/bin/bash 
userdel[17467]: delete user `satan'
userdel[17467]: remove group `satan'
adduser[17470]: new group: name=satan, gid=523 
adduser[17470]: new user: name=satan, uid=522, gid=523, home=/home/satan, shell=/bin/bash 

A bigger excerpt is here:

www.rocnet.com/hack/crack1.html

So NOW what?
* These entries for this user are gone from group and passwd
* DNS reverse lookup turns up NOTHING for 212.199.171.187
AND

Do I really need to start over or is it possible to clean up this mess?

Expletives [*****************] here!

-Bob
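The pattern in Bob's excerpt is worth turning into a check that can be run over a whole log, not just eyeballed. The two sshd lines ("crc32 compensation attack: network attack detected" and "Corrupted check bytes on input.") are emitted by the SSH1 CRC-32 compensation attack detector; that detector itself contained an integer overflow (CVE-2001-0144) that was widely exploited against sshd in 2001 to gain root, which is consistent with an adduser of a uid=0 account appearing minutes later. The script below is an added example, not code from the post or from OpenACS. It parses constructed sample lines modelled on the excerpt (the trailing `toor` passwd entry and the process IDs are invented for the example) and flags three things a responder wants to see together: CRC-32 detector messages, non-root accounts created with uid 0, and unprivileged users opening sessions as a uid-0 account, plus any uid-0 entry still sitting in /etc/passwd under a name other than root.

```python
import re

# Constructed sample log lines, modelled on the /var/log/messages excerpt quoted in
# the post above (timestamps and hostname omitted; the patterns below do not need them).
SAMPLE_LOG = """\
sshd[17126]: Disconnecting: crc32 compensation attack: network attack detected
sshd[17139]: Disconnecting: Corrupted check bytes on input.
adduser[17163]: new group: name=liq, gid=521
adduser[17163]: new user: name=liq, uid=521, gid=521, home=/home/liq, shell=/bin/bash
adduser[17164]: new group: name=liq1, gid=522
adduser[17164]: new user: name=liq1, uid=0, gid=522, home=/home/liq1, shell=/bin/bash
sshd[17180]: Accepted password for liq from 212.199.171.187 port 1214
PAM_unix[17297]: (system-auth) session opened for user liq by (uid=0)
PAM_unix[17322]: (system-auth) session opened for user liq1 by liq(uid=521)
adduser[17439]: new user: name=satan, uid=522, gid=523, home=/home/satan, shell=/bin/bash
"""

# Constructed /etc/passwd content for the example: the liq1 entry has been scrubbed
# (as Bob reports) but a second uid-0 account under another name was left behind.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
liq:x:521:521::/home/liq:/bin/bash
toor:x:0:0::/root:/bin/bash
"""

# adduser/useradd log the new account's numeric ids in this fixed key=value form.
NEW_USER_RE = re.compile(r"new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+), gid=(?P<gid>\d+)")
# pam_unix logs who opened the session and the real uid of the opener.
SESSION_RE = re.compile(r"session opened for user (?P<target>\S+) by (?P<actor>\S*)\(uid=(?P<uid>\d+)\)")
# Both strings come from the SSH1 CRC-32 compensation attack detector in sshd.
CRC32_RE = re.compile(r"crc32 compensation attack|Corrupted check bytes on input")


def crc32_attack_events(log_text):
    """sshd lines produced by the CRC-32 compensation attack detector."""
    return [line for line in log_text.splitlines() if CRC32_RE.search(line)]


def new_uid0_accounts(log_text):
    """Accounts created with uid 0 under a name other than root: a classic backdoor."""
    return [m.group("name") for m in NEW_USER_RE.finditer(log_text)
            if int(m.group("uid")) == 0 and m.group("name") != "root"]


def escalations(log_text):
    """(actor, target) pairs where a non-root uid opened a session as a uid-0 account."""
    uid0_names = set(new_uid0_accounts(log_text)) | {"root"}
    found = []
    for m in SESSION_RE.finditer(log_text):
        if m.group("target") in uid0_names and int(m.group("uid")) != 0:
            found.append((m.group("actor"), m.group("target")))
    return found


def extra_uid0_in_passwd(passwd_text):
    """passwd entries with uid 0 whose login name is not root."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


def audit(log_text, passwd_text):
    """Run all four checks and return the findings keyed by check name."""
    return {
        "crc32_events": crc32_attack_events(log_text),
        "backdoor_accounts_created": new_uid0_accounts(log_text),
        "escalations": escalations(log_text),
        "uid0_still_in_passwd": extra_uid0_in_passwd(passwd_text),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_LOG, SAMPLE_PASSWD).items():
        print(f"{check}: {result}")
```

Run it against copies of /var/log/messages and /etc/passwd pulled off the host, not on the host: once someone has had uid 0, the binaries, the logs and the passwd file on that machine are all suspect, so a clean result from a script executed there proves little.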