Cracker found!:
I was searching through the /var/log/message file
and found these entries from yesterday and today:
sshd[17126]: Disconnecting: crc32 compensation attack: network attack detected
sshd[17139]: Disconnecting: Corrupted check bytes on input.
adduser[17163]: new group: name=liq, gid=521
adduser[17163]: new user: name=liq, uid=521, gid=521, home=/home/liq, shell=/bin/bash
new group: name=liq1, gid=522
new user: name=liq1, uid=0, gid=522, home=/home/liq1, shell=/bin/bash
Accepted password for liq from 212.199.171.187 port 1214
sshd[17186]: Disconnecting: Corrupted check bytes on input.
Could not reverse map address 212.199.171.187.
PAM_unix[17297]: (system-auth) session opened for user liq by (uid=0)
PAM_unix[17322]: (system-auth) session opened for user liq1 by liq(uid=521)
adduser[17439]: new group: name=satan, gid=523
adduser[17439]: new user: name=satan, uid=522, gid=523, home=/home/satan, shell=/bin/bash
userdel[17467]: delete user `satan'
userdel[17467]: remove group `satan'
adduser[17470]: new group: name=satan, gid=523
adduser[17470]: new user: name=satan, uid=522, gid=523, home=/home/satan, shell=/bin/bash
A bigger excerpt is here:
www.rocnet.com/hack/crack1.html
So NOW what?
* These entries for this user are gone from group and passwd
* DNS reverse lookup turns up NOTHING for 212.199.171.187
AND
Do I really need to start over or is it possible to clean
up this mess?
Expletives [*****************] here!
-Bob
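A small triage script for exactly the patterns in these log lines, added here as an example and not part of Bob's post: it flags the sshd CRC32 compensation attack detector firing, any new account created with uid 0, logins to accounts created within the same log window, and sessions opened on a uid-0 account. The sample lines are constructed from the excerpt above (no timestamps or hostnames, as posted), and the severity labels are my own choice.

```python
import re

# Constructed sample, modelled on the excerpt quoted in the post above.
SAMPLE_LOG = """\
sshd[17126]: Disconnecting: crc32 compensation attack: network attack detected
adduser[17163]: new group: name=liq, gid=521
adduser[17163]: new user: name=liq, uid=521, gid=521, home=/home/liq, shell=/bin/bash
new group: name=liq1, gid=522
new user: name=liq1, uid=0, gid=522, home=/home/liq1, shell=/bin/bash
Accepted password for liq from 212.199.171.187 port 1214
PAM_unix[17322]: (system-auth) session opened for user liq1 by liq(uid=521)
"""

# adduser / sshd / PAM line shapes as they appear in the excerpt
NEW_USER_RE = re.compile(r"new user: name=(?P<name>\S+), uid=(?P<uid>\d+)")
LOGIN_RE = re.compile(r"Accepted \w+ for (?P<name>\S+) from (?P<addr>\S+)")
SESSION_RE = re.compile(r"session opened for user (?P<name>\S+) by (?P<by>\S*)")


def audit(text):
    """Return a list of (severity, message) findings for one log excerpt."""
    findings = []
    created = {}  # account name -> uid, for accounts added in this window
    for line in text.splitlines():
        if "crc32 compensation attack" in line:
            findings.append(("high", "sshd CRC32 compensation attack detector fired: " + line))
        m = NEW_USER_RE.search(line)
        if m:
            name, uid = m["name"], int(m["uid"])
            created[name] = uid
            if uid == 0 and name != "root":
                findings.append(("critical", f"new account {name!r} created with uid 0"))
        m = LOGIN_RE.search(line)
        if m and m["name"] in created:
            findings.append(("high", f"login to freshly created account {m['name']!r} from {m['addr']}"))
        m = SESSION_RE.search(line)
        if m and created.get(m["name"]) == 0:
            findings.append(("critical", f"session opened on uid-0 account {m['name']!r} by {m['by']}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_LOG):
        print(severity.upper(), message)
```

Run it against a real /var/log/messages by passing the file contents to audit(); a uid-0 account other than root is the finding that matters most, since it means the host itself can no longer be trusted.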