[root@nothing /root]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
nscd:x:28:28:NSCD Daemon:/:/bin/false
mailnull:x:47:47::/var/spool/mqueue:/dev/null
ident:x:98:98:pident user:/:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
Admin:x:500:500:Administrator:/home/Admin:/bin/bash
squid:x:23:23::/var/spool/squid:/dev/null
The fact that the only non-root, non-system user on the system is named Admin, and not
jason reinforces my suspicion that your attacker knows you. Unless perhaps your hostname is jason or
some form of jason, this guy/gal knows who you are!
/etc/passwd looks to be clean at first glance, I don't see anything out of the ordinary in here. But
please, someone else check this over for something I may have missed.
I would bet that your attacker used some variant of the `SSH CRC32' attack which is a buffer overflow
exploit for vulnerable versions of ssh (which RedHat and others are known to have packaged with their
systems unknowingly). An excellent paper on this attack can be found at http://www.ciac.org/ciac/techbull/CIACTech02-001.shtml .
You had a question about how your attacker changed the ssh login banner. Generally speaking, the file
is /etc/issue.net, but you can check which one your system is using, or even change it by looking in
/etc/ssh/shd_config. The option that controls that login message is.....
Banner /path/to/the/banner
Hope this helped.
