Re: Security issue, damn I've been hacked
Richard Toohey schrieb: $ md5 /usr/sbin/ntpd MD5 (/usr/sbin/ntpd) = a0c8961d5818b438ecbfd6c40be47a5f $ cat /etc/passwd root:*:0:0:Charlie :/root:/bin/ksh daemon:*:1:1:The devil himself:/root:/sbin/nologin operator:*:2:5:System :/operator:/sbin/nologin Your system must have been hacked.. The /etc/passwd contains too few entries!
Re: Security issue, damn I've been hacked
Who said the french have no sense of humor? Thank you Jean-Francois for a healthy laugh in the morning! JB Jean-Francois schreef: Hi All, It looks like my server running since few days has already been hacked. It looks like a new user called 'daemon' ID 1 and a new group daemon. User's full name 'The devil itself' First time I find out evidence of hack on my server, however it's only one month running !! It looks like ntpd was the entry daemon connected to other than ntp site but I'm not sure. I am not sure at all about this, maybe one has changed the daemon. After I checked the adresses that this daemon connected to, they were very strange as webservers content (blogs, default page 'It works' and so one ... I guess ntp servers shall not act like this). Please find enclosed the ntpd server md5 print, one could check if /usr/sbin/ntpd (OpenBSD 4.4) has the same print ? md5 print of ntpd daemon (/usr/sbin) on my OpenBSD 4.4 : a0c8961d5818b438ecbfd6c40be47a5f Thanks for your kind help. __ NOD32 3875 (20090220) Information __ This message was checked by NOD32 antivirus system. http://www.eset.com
Re: Security issue, damn I've been hacked
On 2009-02-20, Jean-Francois jfsimon1...@gmail.com wrote: I am not sure at all about this, maybe one has changed the daemon. After I checked the adresses that this daemon connected to, they were very strange as webservers content (blogs, default page 'It works' and so one ... I guess ntp servers shall not act like this). That sounds about right for pool.ntp.org servers.
Security issue, damn I've been hacked
Hi All, It looks like my server running since few days has already been hacked. It looks like a new user called 'daemon' ID 1 and a new group daemon. User's full name 'The devil itself' First time I find out evidence of hack on my server, however it's only one month running !! It looks like ntpd was the entry daemon connected to other than ntp site but I'm not sure. I am not sure at all about this, maybe one has changed the daemon. After I checked the adresses that this daemon connected to, they were very strange as webservers content (blogs, default page 'It works' and so one ... I guess ntp servers shall not act like this). Please find enclosed the ntpd server md5 print, one could check if /usr/sbin/ntpd (OpenBSD 4.4) has the same print ? md5 print of ntpd daemon (/usr/sbin) on my OpenBSD 4.4 : a0c8961d5818b438ecbfd6c40be47a5f Thanks for your kind help.
Re: Security issue, damn I've been hacked
On 21 Feb 2009 at 0:46, Jean-Francois wrote: Hi All, It looks like my server running since few days has already been hacked. It looks like a new user called 'daemon' ID 1 and a new group daemon. User's full name 'The devil itself' First time I find out evidence of hack on my server, however it's only one month running !! It looks like ntpd was the entry daemon connected to other than ntp site but I'm not sure. I am not sure at all about this, maybe one has changed the daemon. After I checked the adresses that this daemon connected to, they were very strange as webservers content (blogs, default page 'It works' and so one ... I guess ntp servers shall not act like this). Please find enclosed the ntpd server md5 print, one could check if /usr/sbin/ntpd (OpenBSD 4.4) has the same print ? md5 print of ntpd daemon (/usr/sbin) on my OpenBSD 4.4 : a0c8961d5818b438ecbfd6c40be47a5f Thanks for your kind help. Thank you for helping me finish an ardous week with a hearty laugh! ROTFL
Re: Security issue, damn I've been hacked
On 21/02/2009, at 12:46 PM, Jean-Francois wrote: Hi All, It looks like my server running since few days has already been hacked. It looks like a new user called 'daemon' ID 1 and a new group daemon. User's full name 'The devil itself' First time I find out evidence of hack on my server, however it's only one month running !! It looks like ntpd was the entry daemon connected to other than ntp site but I'm not sure. I am not sure at all about this, maybe one has changed the daemon. After I checked the adresses that this daemon connected to, they were very strange as webservers content (blogs, default page 'It works' and so one ... I guess ntp servers shall not act like this). Please find enclosed the ntpd server md5 print, one could check if /usr/sbin/ntpd (OpenBSD 4.4) has the same print ? md5 print of ntpd daemon (/usr/sbin) on my OpenBSD 4.4 : a0c8961d5818b438ecbfd6c40be47a5f Thanks for your kind help. Ummm, not April 1st, so I'll bite. $ md5 /usr/sbin/ntpd MD5 (/usr/sbin/ntpd) = a0c8961d5818b438ecbfd6c40be47a5f $ cat /etc/passwd root:*:0:0:Charlie :/root:/bin/ksh daemon:*:1:1:The devil himself:/root:/sbin/nologin operator:*:2:5:System :/operator:/sbin/nologin
Re: Security issue, damn I've been hacked
Those are there by default. If the users shell is 'nologin' then you are chasing phantoms. Also, no, someone named 'Charlie' did not compromise root (well, most likely :-). -Bryan On Fri, Feb 20, 2009 at 3:46 PM, Jean-Francois jfsimon1...@gmail.com wrote: Hi All, It looks like my server running since few days has already been hacked. It looks like a new user called 'daemon' ID 1 and a new group daemon. User's full name 'The devil itself' First time I find out evidence of hack on my server, however it's only one month running !! It looks like ntpd was the entry daemon connected to other than ntp site but I'm not sure. I am not sure at all about this, maybe one has changed the daemon. After I checked the adresses that this daemon connected to, they were very strange as webservers content (blogs, default page 'It works' and so one ... I guess ntp servers shall not act like this). Please find enclosed the ntpd server md5 print, one could check if /usr/sbin/ntpd (OpenBSD 4.4) has the same print ? md5 print of ntpd daemon (/usr/sbin) on my OpenBSD 4.4 : a0c8961d5818b438ecbfd6c40be47a5f Thanks for your kind help.
Re: Security issue, damn I've been hacked
I didn't reply here for a long time, but this crack me :D You are the king :D Jean-Francois pisze: Hi All, It looks like my server running since few days has already been hacked. It looks like a new user called 'daemon' ID 1 and a new group daemon. User's full name 'The devil itself' First time I find out evidence of hack on my server, however it's only one month running !! It looks like ntpd was the entry daemon connected to other than ntp site but I'm not sure. I am not sure at all about this, maybe one has changed the daemon. After I checked the adresses that this daemon connected to, they were very strange as webservers content (blogs, default page 'It works' and so one ... I guess ntp servers shall not act like this). Please find enclosed the ntpd server md5 print, one could check if /usr/sbin/ntpd (OpenBSD 4.4) has the same print ? md5 print of ntpd daemon (/usr/sbin) on my OpenBSD 4.4 : a0c8961d5818b438ecbfd6c40be47a5f Thanks for your kind help.