
Date:  Fri, 09 Mar 2007 15:47:48 +0100
From:  Jes Kasper Klittum <jes (at mark) enavn.com>
Subject:  [coba-e:09056] Re: CentOS+BQ hacked?
To:  coba-e (at mark) bluequartz.org
Message-Id:  <45F17394.2010705 (at mark) enavn.com>
In-Reply-To:  <1173445962.21005.15.camel (at mark) columbus.webtent.org>
References:  <1173445962.21005.15.camel (at mark) columbus.webtent.org>
X-Mail-Count: 09056

What do these commands show:

w
last
ps -auxww | grep pts

/Jes

Robert Fitzpatrick wrote:
> I could not login to a backup server this morning. I have not accessed
> it in a while, after connecting via terminal, I see the following. I have
> never accessed this server from AOL, does this necessarily mean it was
> hacked? I restarted SSH fine and now can access normally, so far, not
> been able to find any other signs. Still shows them connected, how can I
> kick them and see what might be signs of a hack?
> 
> CentOS release 4.4 (Final)
> Kernel 2.6.16 on an i586
> 
> bq.ky.webtent.net login: root
> Password:
> login(pam_unix)[1754]: session opened for user root by LOGIN(uid=0)
> pam_loginuid[1754]: set_loginuid failed opening loginuid
> 
> Last login: Sun Feb 11 01:20:29 from aca25f24.ipt.aol.com
>  -- root[1754]: DIALUP AT ttyS0 BY root
>  -- root[1754]: ROOT LOGIN ON ttyS0
> [root@bq ~]# who
> root     ttyS0        Mar  9 08:08
> root     pts/0        Feb 11 01:20 (aca25f24.ipt.aol.com)
> 



	

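Added example, not part of the original thread: a shell function that cross-checks the remote logins reported by `who` against the TTY column of `ps auxww`, to tell a leftover utmp record (no process on the terminal) from a session that is still attached. The function name and the `ps` sample rows are constructed for illustration; the `who` lines are the two quoted in the message above.

```shell
#!/bin/sh
# Constructed sample input. The `who` lines are the two from the thread;
# the `ps` rows are invented to show both outcomes.
SAMPLE_WHO='root     ttyS0        Mar  9 08:08
root     pts/0        Feb 11 01:20 (aca25f24.ipt.aol.com)'

SAMPLE_PS_LIVE='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1754 0.0 0.1 2500 1200 ttyS0 Ss 08:08 0:00 -bash
root 1320 0.0 0.1 2500 1200 pts/0 Ss+ Feb11 0:00 -bash'

SAMPLE_PS_STALE='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1754 0.0 0.1 2500 1200 ttyS0 Ss 08:08 0:00 -bash'

# classify_sessions WHO_TEXT PS_TEXT  (hypothetical helper name)
# WHO_TEXT: output of `who`; PS_TEXT: full output of `ps auxww`, header included.
# Prints one line per remote login: STATUS TTY HOST procs=N
#   LIVE  = at least one process is still attached to that terminal
#   STALE = utmp lists the login but nothing is running on the terminal
classify_sessions() {
    who_text=$1
    ps_text=$2
    # ps text is passed through the environment so embedded newlines survive.
    printf '%s\n' "$who_text" | PS_TEXT="$ps_text" awk '
        BEGIN {
            n = split(ENVIRON["PS_TEXT"], rows, "\n")
            for (i = 2; i <= n; i++) {          # row 1 is the ps header
                split(rows[i], f, " ")
                if (f[7] != "" && f[7] != "?")  # column 7 of ps aux is TTY
                    live[f[7]]++
            }
        }
        $NF ~ /^\(.*\)$/ {                      # remote logins end in "(host)"
            host = substr($NF, 2, length($NF) - 2)
            status = ($2 in live) ? "LIVE" : "STALE"
            printf "%s %s %s procs=%d\n", status, $2, host, live[$2]
        }'
}

# Demo on the constructed samples; on a real host use:
#   classify_sessions "$(who)" "$(ps auxww)"
classify_sessions "$SAMPLE_WHO" "$SAMPLE_PS_LIVE"
classify_sessions "$SAMPLE_WHO" "$SAMPLE_PS_STALE"
```

A STALE result only means the utmp record outlived its processes; the Feb 11 login from that host still needs to be traced through `last` and the authentication logs.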