Re: Ive been hacked - they got root!

[MKlinke <mklinke axsi com>]

On Friday 02 January 2004 13:00, Jeff wrote:
> Quick thought...
>
> I just noticed that my user account has also been used a number of
> times from the same IP but I have been off work for 2 weeks. If
> someone was hacking then they wouldnt log in via both a user and
> root account on the same day, from the same IP - seems daft.
>
> The box had to be rebooted yesterday (power cut). Could these
> reports in logwatch be ghost ssh sessions from when ssh sessions
> hadnt been closed correctly (usually my shitty windows box
> crashing). i.e. when the box rebooted, the stale sessions were
> cleared down and only now showing up in the logs?
>
> I hope someone can shed a bit of light on this one.
>
> Jeff
>
> On Fri, 2004-01-02 at 18:34, Jeff wrote:
> > Peeps
> >
> > Just had a look at yesterdays logwatch mail and noticed that
> > someone has logged in as root via ssh 6 times from the IP address
> > of the place I work. I don't think it's been done maliciously,
> > more of a 'look what i did <laugh, laugh>'. I have looked at
> > /var/log/secure and there's no evidence in there about it so it
> > looks like theyve covered their tracks.
> >
> > Does anyone know how I can find out what they did and how to
> > prevent stuff like this happening again (yes - Ive already
> > changed the password). Ive already looked at the bash history
> > file with no luck
> >
> > Thanks
> >
> > A slightly worried Jeff

There should also be entries in /var/log/messages for ssh logins.  As 
to whether you might see entries for both root and your user account 
it may depend on how he broke in.  If someone found he had access to 
your user account he could have logged in and then used the shell 
access to break in via root.  

Regards,  Mike Klinke