Compromised Machine

Ed Wilts ewilts at ewilts.org
Wed Sep 22 18:57:10 UTC 2004


On Wed, Sep 22, 2004 at 11:31:02AM -0700, Brian D. McGrew wrote:
> Hello all ... I need a bit of advice here.
> 
> It would appear that one of our machines was compromised last night via 
> ssh.  It turns out that one of our accounts called 'operator' didn't 
> have a password on it (Hey, it's not 'my' machine) and someone came in 
> via ssh.  This was made obvious when we discovered the root password 
> had been changed and the 'last' showed two logins from overseas.  The 
> machine was shut down immediately and they called me.
> 
> My questions are:
> 
> 1)  As an unprivileged user, how can someone change the root password?  
> Our operator account is the lowest privileged account on the system, 
> they can't shut down, su or do anything.  But the root password is 
> changed.

There might have been a local root exploit that you didn't patch, or
another account was used.  You can't trust any of the logs to tell you
accounts were even used.
 
> 2)  While bringing the machine back up, it hung while starting the 
> network on device eth0 with the error that said "Error loading module 
> ppp.o".  We don't use ppp or anything even close.  This machine is on a 
> LAN and it's even very rarely logged into.  Is it feasible to think 
> that some sort of malicious software was installed or ran on the system 
> and if so, how can I tell?

Your system is compromised.  All bets are off.
 
> 3)  Short of reinstalling the system, how can I tell what was done and 
> go about fixing it?  I know a reinstall would of course do it; and in 
> the case of this machine we've only changed one line of one file 
> otherwise it's a stock install.

Frankly, you don't have enough expertise to tell what was done to back
out safely or you wouldn't have asked the question.  Your only
reasonable option is to re-install.  I would not attempt anything other
than a fresh install.  There is no one on this list that can tell you
what to do except to reinstall unless they have physical hands-on access
to your system for an extended period of time.

-- 
Ed Wilts, RHCE
Mounds View, MN, USA
mailto:ewilts at ewilts.org
Member #1, Red Hat Community Ambassador Program
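
Added example, not part of the original message or of any Red Hat tooling: a check for the condition described in the question (an account with an empty password field on a host that accepts ssh logins), meant to be run against the freshly installed system. The sample passwd, shadow and sshd_config contents are constructed, and the function names are hypothetical.

```python
# Constructed sample data; on a real host read /etc/passwd, /etc/shadow
# and /etc/ssh/sshd_config (as root) instead.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """root:$1$constructed$notarealhash:12683:0:99999:7:::
operator::12683:0:99999:7:::
games::12683:0:99999:7:::
alice:!!:12683:0:99999:7:::
"""
SAMPLE_SSHD = "# constructed fragment\nPermitRootLogin no\nPermitEmptyPasswords yes\n"

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def empty_password_accounts(passwd_text, shadow_text):
    """Return (user, shell, can_log_in) for every empty shadow password field."""
    shells = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        # "" means no password at all; "*" and "!!" mean locked, not empty.
        if len(fields) >= 2 and fields[1] == "":
            shell = shells.get(fields[0])
            can_log_in = shell is not None and shell not in NOLOGIN_SHELLS
            findings.append((fields[0], shell, can_log_in))
    return findings

def sshd_permits_empty_passwords(config_text):
    """First PermitEmptyPasswords value wins; the OpenSSH default is 'no'.
    Match blocks and Include files are not evaluated here."""
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitemptypasswords":
            return parts[1].strip().lower() == "yes"
    return False

if __name__ == "__main__":
    for user, shell, can_log_in in empty_password_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: empty password, shell={shell}, interactive={can_log_in}")
    print("sshd accepts empty passwords:", sshd_permits_empty_passwords(SAMPLE_SSHD))
```
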




