Does anyone know how someone could execute 'useradd' without being logged into the server?
Posted on 2005-03-09
RedHat 9 - kernel: Linux version 2.4.20-8 (firstname.lastname@example.org) (gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5))
SSH-1.99-OpenSSH_3.5p13.0.1 on i686-pc-linux-gnu
When I logged in, I got this message:
Last login: Wed Dec 31 1969 19:00:00 -0500
After doing some searching of the logs:
Mar 8 14:02:51 <server> useradd: new user: name=tcp, uid=0, gid=0, home=/dev/ , shell=/bin/bash
Mar 8 14:02:58 <server> sshd: Bad protocol version identification 'ÿôÿý^Fÿôÿý^Fÿôÿý^F' from 184.108.40.206
Mar 8 14:03:16 <server> sshd: Accepted password for tcp from 220.127.116.11 port 840 ssh2
Mar 8 14:15:47 <server> userdel: delete user `tcp'
Mar 8 14:03:18 <server> sshd(pam_unix): session opened for user tcp by (uid=0)
Mar 8 14:14:45 <server> : Listener created on port 22.
Mar 8 14:14:45 <server> : Daemon is running.
Mar 8 14:15:04 <server> sshd(pam_unix): session closed for user tcp
Does anyone know how someone could execute 'useradd' without being logged in to the server?
Now I noticed with netstat that something was listening on port 3303, which is not normal. When I connected, I got this message:
:Welcome!psyBNC@lam3rz.de NOTICE * :psyBNC2.3.1
Login failed. Disconnecting.
After rebooting the server, changing all critical passwords, and locking down the firewall extra tight, things seem back to normal. But I still cannot find where that program was residing, and I would like to make sure I've got the server clean without having to do a reinstall... Any thoughts, ideas, suggestions?
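An added example (my own, not the poster's): a small Python script that scans syslog-style lines like the ones quoted above for accounts created with uid=0 under a name other than root, follows their SSH logins and later deletion, and checks a passwd file for leftover uid-0 entries. The log lines, hostname and 192.0.2.x addresses are constructed placeholders modelled on the post.

```python
import re

# Constructed sample log modelled on the post (placeholder host and IPs).
SAMPLE_LOG = """\
Mar  8 14:02:51 host useradd: new user: name=tcp, uid=0, gid=0, home=/dev/ , shell=/bin/bash
Mar  8 14:03:16 host sshd: Accepted password for tcp from 192.0.2.11 port 840 ssh2
Mar  8 14:03:18 host sshd(pam_unix): session opened for user tcp by (uid=0)
Mar  8 14:10:00 host useradd: new user: name=alice, uid=501, gid=501, home=/home/alice, shell=/bin/bash
Mar  8 14:15:47 host userdel: delete user `tcp'
"""

# Constructed /etc/passwd fragment with one extra uid-0 entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0::/dev/:/bin/bash
alice:x:501:501::/home/alice:/bin/bash
"""

USERADD_RE = re.compile(r"useradd: new user: name=([^,]+), uid=(\d+), gid=(\d+)")
LOGIN_RE = re.compile(r"sshd: Accepted \w+ for (\S+) from (\S+)")
USERDEL_RE = re.compile(r"userdel: delete user `([^']+)'")


def find_rogue_root_accounts(log_text):
    """Map each non-root account created with uid=0 to its (timestamp, event) history."""
    findings = {}
    for line in log_text.splitlines():
        ts = line[:15]  # syslog prefix "Mon dd HH:MM:SS" (day padded to two chars)
        m = USERADD_RE.search(line)
        if m and m.group(2) == "0" and m.group(1) != "root":
            findings.setdefault(m.group(1), []).append((ts, "created with uid=0"))
            continue
        m = LOGIN_RE.search(line)
        if m and m.group(1) in findings:
            findings[m.group(1)].append((ts, "ssh login from " + m.group(2)))
            continue
        m = USERDEL_RE.search(line)
        if m and m.group(1) in findings:
            findings[m.group(1)].append((ts, "deleted again (backdoor account cleaned up)"))
    return findings


def uid_zero_accounts(passwd_text):
    """Return account names other than root that carry uid 0 in passwd-format text."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names
```

Run the first function over /var/log/messages or /var/log/secure and the second over the current /etc/passwd; the account's deletion in the log is why the passwd check alone would not have shown anything.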