Unless every user account on that machine has a strong password, you have effectively negated any gains you have made by setting up public key authentication.
In reading over the responses, I guess my system was not hacked into.
As puptentacle (and others) pointed out, it does seem odd that someone would copy a folder to another drive, then delete the original.
I do know that I installed HH (8.04) on the 6th or 7th of last week.
Would the installation process have moved data from /home on the second drive to /home on the primary drive? My guess is that it would not.
I only had 5 user folders. /mnt/oldhd is the path to get to the second hard drive. As an example:
/mnt/oldhd/home/bob
/mnt/oldhd/home/jane
/mnt/oldhd/home/carol
/mnt/oldhd/home/john
/mnt/oldhd/home/jim
../home/bob had 50 MB of files and all of the others were empty (with the exception of the hidden . files)
I found that /bob had been moved to /home/shawn (my folder) and there was nothing in /mnt/oldhd.
It's possible I could have backed up bob's folder under my folder, but I don't remember ever doing that - although I've lost a few brain cells over the last few months ;).
daengbo: What is an "IDS"?
Thanks,
-Shawn
This is a very interesting post, as I've just had a related incident on one of my machines. Here is a snip of the auth.log file. It appears that someone was conducting a brute force login attack, and then bingo, they were able to log in using the user id "guest". This was the original account that I created when doing a fresh install of 8.04. I created a password for sure for this account although perhaps it wasn't a very high quality password. But it seems to me that the attacker guessed my password on the first try, which seems doubtful. The thing that scares me is that I'm wondering if Samba is using the same id (guest) for access.
Once the attacker logged in it appears that he/she tried to run a root kit but there is no evidence that this was successful.
Any comments would be much appreciated.
Thanks,
Terry
May 4 19:07:42 crow sshd[24606]: Invalid user admin from 221.141.2.233
May 4 19:07:42 crow sshd[24606]: PAM unable to dlopen(/lib/security/pam_smbpass.so)
May 4 19:07:42 crow sshd[24606]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
May 4 19:07:42 crow sshd[24606]: PAM adding faulty module: /lib/security/pam_smbpass.so
May 4 19:07:42 crow sshd[24606]: pam_unix(sshd:auth): check pass; user unknown
May 4 19:07:42 crow sshd[24606]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.141.2.233
May 4 19:07:44 crow sshd[24606]: Failed password for invalid user admin from 221.141.2.233 port 42152 ssh2
May 4 19:07:51 crow sshd[24608]: Invalid user test from 221.141.2.233
May 4 19:07:51 crow sshd[24608]: PAM unable to dlopen(/lib/security/pam_smbpass.so)
May 4 19:07:51 crow sshd[24608]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
May 4 19:07:51 crow sshd[24608]: PAM adding faulty module: /lib/security/pam_smbpass.so
May 4 19:07:51 crow sshd[24608]: pam_unix(sshd:auth): check pass; user unknown
May 4 19:07:51 crow sshd[24608]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.141.2.233
May 4 19:07:52 crow sshd[24608]: Failed password for invalid user test from 221.141.2.233 port 42631 ssh2
May 4 19:07:59 crow sshd[24611]: PAM unable to dlopen(/lib/security/pam_smbpass.so)
May 4 19:07:59 crow sshd[24611]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
May 4 19:07:59 crow sshd[24611]: PAM adding faulty module: /lib/security/pam_smbpass.so
May 4 19:07:59 crow sshd[24611]: Accepted password for guest from 221.141.2.233 port 43084 ssh2
May 4 19:07:59 crow sshd[24613]: pam_unix(sshd:session): session opened for user guest by (uid=0)
May 4 19:08:03 crow sshd[24613]: pam_unix(sshd:session): session closed for user guest
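As an added example (not from the thread or any poster), here is a small Python check for the pattern Terry's log shows: a run of failed password attempts from one remote host followed by an accepted password from that same host. The sample lines are constructed in the format of the quoted auth.log; the hostname, pids and the 203.0.113.5 / 192.0.2.10 addresses are made up.

```python
import re
from collections import defaultdict

# The two sshd line shapes that matter here: a failed password (for a
# valid or an "invalid user") and an accepted login of any method.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<host>\S+) port \d+"
)


def find_guess_then_success(lines, min_failures=2):
    """Return (host, user, method, failures_before, timestamp) for every
    accepted login preceded by >= min_failures failures from the same
    remote host. Lines are consumed in order, as from tail -f."""
    failures = defaultdict(list)  # host -> usernames that failed so far
    hits = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failures[m["host"]].append(m["user"])
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            prior = failures.get(m["host"], [])
            if len(prior) >= min_failures:
                hits.append((m["host"], m["user"], m["method"], len(prior), m["ts"]))
            failures.pop(m["host"], None)  # a success resets that host's count
    return hits


# Constructed sample in the auth.log format quoted above (values made up).
SAMPLE_LOG = """\
May 4 19:07:42 crow sshd[24606]: Invalid user admin from 203.0.113.5
May 4 19:07:44 crow sshd[24606]: Failed password for invalid user admin from 203.0.113.5 port 42152 ssh2
May 4 19:07:52 crow sshd[24608]: Failed password for invalid user test from 203.0.113.5 port 42631 ssh2
May 4 19:07:59 crow sshd[24611]: Accepted password for guest from 203.0.113.5 port 43084 ssh2
May 4 19:08:30 crow sshd[24620]: Accepted publickey for shawn from 192.0.2.10 port 50000 ssh2
""".splitlines()

if __name__ == "__main__":
    for host, user, method, n, ts in find_guess_then_success(SAMPLE_LOG):
        print(f"{ts}: {host} logged in as {user} via {method} after {n} failed attempts")
```

The key-based login from the second host is not reported because no failures preceded it; raising min_failures lets you tune how noisy the check is.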
Yeah. He tried some passwords but they all failed. Make sure you use quite a strong password. And make sure any web services don't have permissions for /etc/shadow
and use DenyHosts or fail2ban
One thing I forgot to ask in my previous post:
What is "polkituser" and why does it have a group id?
I found some info concerning "polkit" ("policy kit"), but nothing about "polkituser".
I deleted user and group "polkituser" from my system.
-Shawn
I'm actually allowing ssh from 2 users, both are strongly passworded.
The RSA idea is just because I hate to type passwords all the time :D
It wasn't set for security measures. But I get your point, and my post was actually misleading into thinking I was running a more secure box.
All,
I just thought I'd give an update.
In my earlier post I said that all of the /home folders under /mnt/oldhd/ were gone.
The reason: I had a drive failure. The hard drive died.
Not being able to get to /home coupled with auth.log entries that I didn't fully understand made me think my system was hacked.
Thanks to everyone for their help.
-Shawn