[RAS] security on nebka
Thomas Krichel
krichel at openlib.org
Mon Dec 6 05:02:53 CST 2010
It looks like somebody came from khufu, got in as tim,
then changed to root using sudo. Tim is in /etc/sudoers.
Dec 1 19:41:18 nebka sshd[3389]: Accepted keyboard-interactive/pam for tim from 129.3.20.41 port 35641 ssh2
That's khufu. But I can't see how he got into khufu.
Dec 1 19:41:18 nebka sshd[3389]: pam_unix(sshd:session): session opened for user tim by (uid=0)
Dec 1 19:45:01 nebka CRON[3812]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 1 19:45:01 nebka CRON[3812]: pam_unix(cron:session): session closed for user root
Dec 1 19:46:01 nebka CRON[4269]: pam_unix(cron:session): session opened for user aras by (uid=0)
Dec 1 19:46:29 nebka sshd[4294]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=informatika.brkk.hu user=root
Dec 1 19:46:31 nebka sshd[4292]: error: PAM: Authentication failure for root from informatika.brkk.hu
Dec 1 19:48:17 nebka CRON[4269]: pam_unix(cron:session): session closed for user aras
Dec 1 19:49:16 nebka su[4369]: pam_unix(su:auth): authentication failure; logname=tim uid=1001 euid=0 tty=pts/1 ruser=tim rhost= user=aras
Dec 1 19:49:19 nebka su[4369]: pam_authenticate: Authentication failure
Dec 1 19:49:19 nebka su[4369]: FAILED su for aras by tim
Dec 1 19:49:19 nebka su[4369]: - pts/1 tim:aras
Dec 1 19:49:24 nebka su[4371]: pam_unix(su:auth): authentication failure; logname=tim uid=1001 euid=0 tty=pts/1 ruser=tim rhost= user=root
Dec 1 19:49:27 nebka su[4371]: pam_authenticate: Authentication failure
Dec 1 19:49:27 nebka su[4371]: FAILED su for root by tim
Dec 1 19:49:27 nebka su[4371]: - pts/1 tim:root
Dec 1 19:49:35 nebka sudo: tim : TTY=pts/1 ; PWD=/home/aras ; USER=root ; COMMAND=/bin/su -
Dec 1 19:49:36 nebka su[4373]: Successful su for root by root
Dec 1 19:49:36 nebka su[4373]: + pts/1 root:root
I removed the user tim. I can't find a rootkit.
Cheers,
Thomas Krichel http://openlib.org/home/krichel
http://authorclaim.org/profile/pkr1
skype: thomaskrichel
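The post reconstructs the intrusion by reading auth.log by hand: an ssh login for tim from khufu, two failed su attempts (to aras and to root), then a sudo call running /bin/su - that succeeds because tim is in sudoers. The following is an added example, not the author's code, that does the same correlation programmatically so it can be run over a whole log rather than a few pasted lines. It parses the syslog-style lines quoted in the post (embedded below as the sample input), keeps the most recent remote ssh login per user, counts failed su attempts per user, and reports any sudo call that obtains a root shell, together with where that user logged in from and what they tried before. The list of "shell" commands it treats as a root shell is an assumption of this example; the regexes assume the exact sshd/su/sudo line formats shown in the post.

```python
import re
from collections import defaultdict

# Sample input: the auth.log lines quoted in the post above (not newly invented).
SAMPLE_LOG = """\
Dec 1 19:41:18 nebka sshd[3389]: Accepted keyboard-interactive/pam for tim from 129.3.20.41 port 35641 ssh2
Dec 1 19:41:18 nebka sshd[3389]: pam_unix(sshd:session): session opened for user tim by (uid=0)
Dec 1 19:45:01 nebka CRON[3812]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 1 19:45:01 nebka CRON[3812]: pam_unix(cron:session): session closed for user root
Dec 1 19:46:01 nebka CRON[4269]: pam_unix(cron:session): session opened for user aras by (uid=0)
Dec 1 19:46:29 nebka sshd[4294]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=informatika.brkk.hu user=root
Dec 1 19:46:31 nebka sshd[4292]: error: PAM: Authentication failure for root from informatika.brkk.hu
Dec 1 19:48:17 nebka CRON[4269]: pam_unix(cron:session): session closed for user aras
Dec 1 19:49:16 nebka su[4369]: pam_unix(su:auth): authentication failure; logname=tim uid=1001 euid=0 tty=pts/1 ruser=tim rhost= user=aras
Dec 1 19:49:19 nebka su[4369]: pam_authenticate: Authentication failure
Dec 1 19:49:19 nebka su[4369]: FAILED su for aras by tim
Dec 1 19:49:19 nebka su[4369]: - pts/1 tim:aras
Dec 1 19:49:24 nebka su[4371]: pam_unix(su:auth): authentication failure; logname=tim uid=1001 euid=0 tty=pts/1 ruser=tim rhost= user=root
Dec 1 19:49:27 nebka su[4371]: pam_authenticate: Authentication failure
Dec 1 19:49:27 nebka su[4371]: FAILED su for root by tim
Dec 1 19:49:27 nebka su[4371]: - pts/1 tim:root
Dec 1 19:49:35 nebka sudo: tim : TTY=pts/1 ; PWD=/home/aras ; USER=root ; COMMAND=/bin/su -
Dec 1 19:49:36 nebka su[4373]: Successful su for root by root
Dec 1 19:49:36 nebka su[4373]: + pts/1 root:root
"""

# Line formats taken from the lines above (assumed to be stable for this sshd/su/sudo).
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port (\d+)")
FAILED_SU = re.compile(r"su\[\d+\]: FAILED su for (\S+) by (\S+)")
SUDO = re.compile(r"sudo:\s+(\S+) : TTY=(\S+) ; PWD=(\S+) ; USER=(\S+) ; COMMAND=(.*)$")
SSH_ROOT_FAIL = re.compile(r"sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;.*rhost=(\S+) user=root")

# Assumption of this example: a sudo COMMAND starting with one of these gives an interactive root shell.
SHELL_COMMANDS = ("/bin/su", "/bin/sh", "/bin/bash", "/bin/dash")


def parse(lines):
    """Turn raw auth.log lines into a list of typed events; unrecognised lines are skipped."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        ts = " ".join(line.split()[:3])  # "Dec 1 19:41:18"
        if m := ACCEPTED.search(line):
            events.append({"ts": ts, "type": "ssh_login", "user": m.group(2), "rhost": m.group(3)})
        elif m := FAILED_SU.search(line):
            events.append({"ts": ts, "type": "su_failed", "user": m.group(2), "target": m.group(1)})
        elif m := SUDO.search(line):
            events.append({"ts": ts, "type": "sudo", "user": m.group(1), "tty": m.group(2),
                           "target": m.group(4), "command": m.group(5).strip()})
        elif m := SSH_ROOT_FAIL.search(line):
            events.append({"ts": ts, "type": "ssh_root_failed", "rhost": m.group(1)})
    return events


def find_escalations(events):
    """One finding per sudo call that yields a root shell, annotated with the
    user's most recent remote ssh login and any failed su attempts beforehand."""
    last_login = {}                 # user -> rhost of the latest accepted ssh login
    failed_su = defaultdict(list)   # user -> targets of failed su attempts, in order
    findings = []
    for ev in events:
        if ev["type"] == "ssh_login":
            last_login[ev["user"]] = ev["rhost"]
        elif ev["type"] == "su_failed":
            failed_su[ev["user"]].append(ev["target"])
        elif ev["type"] == "sudo" and ev["target"] == "root" and ev["command"].startswith(SHELL_COMMANDS):
            findings.append({
                "ts": ev["ts"],
                "user": ev["user"],
                "rhost": last_login.get(ev["user"], "local/unknown"),
                "failed_su_before": list(failed_su[ev["user"]]),
                "command": ev["command"],
            })
    return findings


def root_ssh_failures(events):
    """Remote hosts that failed password authentication as root over ssh (separate noise, as in the post)."""
    return [ev["rhost"] for ev in events if ev["type"] == "ssh_root_failed"]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    for f in find_escalations(evs):
        print(f"{f['ts']}: {f['user']} (ssh from {f['rhost']}) got a root shell via sudo "
              f"'{f['command']}' after failed su to {f['failed_su_before']}")
    print("failed root ssh logins from:", root_ssh_failures(evs))
```

Run on the sample it reports the single chain the post describes: tim, logged in from 129.3.20.41, failed su to aras and then to root, then obtained root through sudo /bin/su -. The separate root-password failures from informatika.brkk.hu are listed on their own, since they never produced a session and are unrelated to the escalation. Pointing `parse()` at a real auth.log instead of the sample is a matter of passing `open("/var/log/auth.log")` to it.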