Well, there were users called backup and operator. I'm not sure if they were created by the computer. But I think they weren't there.
operator is a usual account (at least on the *nixes I've seen) but I haven't seen backup. That could be a new one or a default one. What is the UID/GID for it?
If they are those numbers just after the name, they are: 34/34
That's most likely a default account then. You still need to look for hidden files, and you should probably check the history files for other users (not just root). They might show you some info that would indicate how he got in. Remember to write down everything you do so you aren't repeating steps and so that you have a record of what has happened.
Ok. Are there any "usual" places they put their hidden folders?
Nope. :D
It's a hide-n-seek thing. Never assume that things are put in "usual" places. When a machine is compromised, anything is possible. You do need to do some work, however, to find out what they did (given that some of the logs are gone).
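As an added example (not part of MsMittens' post or of the original thread), here is a small POSIX shell sweep for the two things suggested above: hidden entries with names made only of dots and spaces (chosen because "..." or ". " looks like "." and ".." in an ls listing), hidden entries under /dev where nothing hidden normally lives, and the shell history files of every account in passwd rather than just root, including history files that have been replaced by a symlink so nothing gets recorded. The ROOT/PASSWD parameters, the list of history file names, and the finding labels are my assumptions. One caveat a practitioner would want: on a live compromised box, find, ls and awk themselves may be trojaned, so run this from known-good binaries or against the disk mounted read-only on another machine.

```shell
#!/bin/sh
# Added example, not code from the thread. Both sweeps take a ROOT directory
# (the suspect filesystem mounted read-only somewhere, or "/" on the live box)
# so they can be pointed at a copy of the disk rather than the running system.
# Finding labels (DOTNAME, HIDDEN_IN_DEV, FILE, SYMLINK) are assumptions.

# suspicious_hidden ROOT
# Prints "DOTNAME:<path>" for every hidden entry whose name consists only of
# dots and/or spaces (e.g. "...", ". ", ".. "), and "HIDDEN_IN_DEV:<path>" for
# any hidden entry below ROOT/dev.
suspicious_hidden() {
    root=$(cd "$1" && pwd) || return 1
    prefix="${root%/}"          # "" when ROOT is "/", so "$prefix/dev" is always right
    # -xdev: stay on one filesystem so /proc, NFS mounts etc. are not walked
    find "$root" -xdev -name '.*' 2>/dev/null |
        grep -E '/\.[. ]+$' | sed 's/^/DOTNAME:/'
    if [ -d "$prefix/dev" ]; then
        find "$prefix/dev" -xdev -name '.*' 2>/dev/null | sed 's/^/HIDDEN_IN_DEV:/'
    fi
}

# history_files PASSWD ROOT
# For every account with a home directory in PASSWD, prints one line per
# existing history file: "user:path:FILE:<bytes>" for a regular file, or
# "user:path:SYMLINK-><target>" when the history file is a symlink (the usual
# trick is linking it to /dev/null so the shell never writes history).
history_files() {
    passwd="$1"
    root=$(cd "$2" && pwd) || return 1
    prefix="${root%/}"
    awk -F: '$6 != "" { print $1 ":" $6 }' "$passwd" |
    while IFS=: read -r user home; do
        # assumed list of history file names worth checking
        for f in .bash_history .sh_history .history .zsh_history .ash_history .mysql_history; do
            p="$prefix$home/$f"
            if [ -L "$p" ]; then
                echo "$user:$p:SYMLINK->$(readlink "$p")"
            elif [ -f "$p" ]; then
                echo "$user:$p:FILE:$(wc -c < "$p" | tr -d ' ')"
            fi
        done
    done
}

# Usage: sh sweep.sh /mnt/suspect/etc/passwd /mnt/suspect
if [ "$#" -eq 2 ]; then
    suspicious_hidden "$2"
    history_files "$1" "$2"
fi
```

Write the output to a notebook or a file on another machine; a history file that is a symlink to /dev/null, or a ". " directory under /dev, is exactly the kind of thing to record with a timestamp before you touch anything else.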
Ahh.. great :mad: One thing is for sure, I will keep my computer updated. Would it be possible to get the lost logs back? Where could I find that kind of program?
It can be hard, but try a forensics program like FAUST or The Coroner's Toolkit (aka TCT). You might also want to do some Google searches on undeleting with ext2 (there is a HOWTO on this). Check Securityfocus.com as well for more file recovery applications.
Ok, thanks. TCT is now running. The readme says it takes hours for that program to finish, so I'll come back here when I've got some more new info. Thanks a LOT, guys, for your help so far!!!
<Lorvija>
Ignore me if I'm wrong, but MsMittens mentioned checking your passwd file for weird logins... That is good, but I'm wondering if there are any normal logins that suddenly got passwords.
I'm a vi-junkie, so I only know vipw, but on the systems I've used you get * for accounts without password hashes and really long, seemingly nonsensical alphanumeric strings for accounts with passwords. If operator and backup have *, that's cool; if they suddenly became actual logins, then that could be a problem. Also, on some systems, accounts that can't log in have their shells pointing to something not allowed in the shells file. (That sounds confusing to me..., sorry)
How do you log in to the box? Locally via keyboard, or do you use telnet or ssh? telnet is bad; ssh not configured correctly is bad too.
Check your environment with "env" and make sure that weird aliases haven't appeared that make it so you are running programs you didn't intend to.
I'm with MsMittens, though: that machine is out of date. If you do reinstall, make sure that you know exactly what you install next time. Some Linux installs scare the crap out of me with their desire to install as much as possible.
My knowledge reservoir has run dry; MsMittens and many other members here are much more experienced with these sorts of things. I'm just happy with my BSD box sitting quietly behind a firewall with all incoming connections denied.
Good luck,
Dhej
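As an added example, not code posted by Dhej, MsMittens or anyone in the thread, here is a POSIX shell audit of copies of passwd, shadow and shells for the account checks discussed above: extra UID 0 accounts, duplicated UIDs, system accounts such as backup or operator that have acquired a real password hash, accounts with an empty password field, and password-bearing accounts whose shell is not listed in the shells file. The file paths are parameters so it can run against files copied off the compromised box, and the "system account" UID cut-off of 100 and the finding labels are assumptions. One caveat worth adding to Dhej's point about shells: login(1) and sshd do not consult /etc/shells (ftpd and chsh do), so a shell like /bin/false only helps if the binary really refuses to run; it is the locked hash (* or !) that actually stops a password login.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a passwd/shadow/shells
# triple for the account anomalies the posters describe. Finding labels and
# the SYSTEM_UID_MAX cut-off are assumptions (static system users were
# conventionally UID < 100 on distributions of that era).

SYSTEM_UID_MAX=100

# audit_accounts PASSWD SHADOW SHELLS
# Prints one finding per line, "TYPE:user[:detail]":
#   UID0:<user>                          a second UID 0 account besides root
#   DUP_UID:<uid>:<user1,user2,...>      several accounts share one UID
#   EMPTY_PASSWORD:<user>                no password at all (logs in without one)
#   HASH_ON_SYSTEM_ACCOUNT:<user>:uid=N  a UID < SYSTEM_UID_MAX account with a usable hash
#   HASH_WITH_NONSHELL:<user>:<shell>    usable hash but shell not in the shells file
audit_accounts() {
    passwd="$1"; shadow="$2"; shells="$3"

    # 1. every UID 0 account that is not root
    awk -F: '$3 == 0 && $1 != "root" { print "UID0:" $1 }' "$passwd"

    # 2. UIDs shared by more than one account (order of users follows the file)
    awk -F: '{ n[$3]++; u[$3] = u[$3] "," $1 }
             END { for (id in n) if (n[id] > 1) print "DUP_UID:" id ":" substr(u[id], 2) }' "$passwd"

    # 3. join shadow onto passwd and look at who really has a usable hash.
    #    Locked values are "*", "!", "!!", "*LK*" and anything else starting
    #    with "*" or "!"; "x" is the passwd placeholder meaning "see shadow".
    awk -F: -v sysmax="$SYSTEM_UID_MAX" -v shellsfile="$shells" -v shadowfile="$shadow" '
        BEGIN {
            while ((getline l < shellsfile) > 0)
                if (l !~ /^#/ && l != "") ok[l] = 1
            close(shellsfile)
        }
        FILENAME == shadowfile { hash[$1] = $2; next }
        {
            user = $1; uid = $3 + 0; shell = $7
            # fall back to the passwd field when the account has no shadow entry
            h = (user in hash) ? hash[user] : $2
            if (h == "")                    { print "EMPTY_PASSWORD:" user; next }
            if (h == "x" || h ~ /^[*!]/)    next        # placeholder or locked: fine
            if (uid > 0 && uid < sysmax + 0) print "HASH_ON_SYSTEM_ACCOUNT:" user ":uid=" uid
            if (!(shell in ok))              print "HASH_WITH_NONSHELL:" user ":" shell
        }' "$shadow" "$passwd"
}

# Usage: sh audit.sh /mnt/suspect/etc/passwd /mnt/suspect/etc/shadow /mnt/suspect/etc/shells
if [ "$#" -eq 3 ]; then
    audit_accounts "$1" "$2" "$3"
fi
```

A backup account at UID 34 with a locked hash and /bin/sh is what a stock install of that period looks like; the same account reported as HASH_ON_SYSTEM_ACCOUNT is the "suddenly became an actual login" case Dhej describes, and is worth comparing against the shadow file's modification time and the surviving logs.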