Solved

Unauthorised login ?

Posted on 2011-03-17
Last Modified: 2013-11-15
Hi

On my Ubuntu machine there are a couple of entries here in the /var/log/auth.log file that show access to my server but no IP address (0.0).

And at the same time a new user account was created on the machine.
useradd -u 0 -o -g 0 dev
dev:x:0:0::/home/dev:/bin/sh
(I'm guessing this is a superuser account as it's in the same group as root)

root     pts/1        :0.0             Fri Mar 18 05:43 - 05:43  (00:00)
root     pts/0        :0.0             Fri Mar 18 05:30 - 05:58  (00:28)
root     pts/0        inters24.lnk.tel Thu Mar 17 09:19 - 09:53  (00:34)
root     pts/0        inters24.lnk.tel Wed Mar 16 13:31 - 13:34  (00:03)
root     pts/0        inters24.lnk.tel Wed Mar 16 12:24 - 12:26  (00:02)

Does this mean my machine was hacked and it's time to change passwords and delete this user?
Would userdel -r -f dev remove this account without affecting my root account?
0
Question by:Cobraiti
LVL 18

Accepted Solution

by:
TobiasHolm earned 2000 total points
ID: 35162974
I'd change root password if I were you! Also delete the 'dev' user.

Have you installed any new stuff recently on your machine? If you did, that might be the reason for the new user, but I think it looks like your machine is hacked! Great you spotted it!

And as always, check that your backups are up'n running so that you can restore them (just in case some important files have been altered).


Regards, Tobias
0
 

Author Comment

by:Cobraiti
ID: 35177763
Hi and thanks

root@is-wb02:~# userdel dev.
userdel: user dev. is currently logged in
root@is-wb02:~# userdel -r dev.
userdel: user dev. is currently logged in
root@is-wb02:~# userdel -r dev
userdel: user dev is currently logged in
root@is-wb02:~# deluser dev.
WARNING: You are just about to delete the root account (uid 0)
Usually this is never required as it may render the whole system unusable
If you really want this, call deluser with parameter --force
Stopping now without having performed any action
root@is-wb02:~#

Can I delete this user without causing any damage ?

0
 
LVL 18

Expert Comment

by:TobiasHolm
ID: 35178366
Looks like the root user is renamed to dev. Do you still have a root user? Which PID does it have?

If you don't have a root user, rename the dev user to root and change the password (to some loooong password ;)

Regards, Tobias
0
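
A check for the condition discussed in this thread, a second passwd entry sharing UID 0 with root (added example, not part of the original posts; the function names `audit_passwd` and `sample_passwd` and the sample data are constructed here, with the `dev` line taken from the question):

```shell
#!/bin/sh
# Added example: audit passwd-format data for extra UID 0 accounts and shared UIDs.

# audit_passwd FILE   (FILE may be "-" for stdin; defaults to /etc/passwd)
# Prints one line per finding:
#   UID0 <name> <home> <shell>     account other than root that has UID 0
#   DUPUID <uid> <name,name,...>   UID assigned to more than one account name
#   MALFORMED line <n>             entry without the seven passwd fields
audit_passwd() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        NF < 7 { printf "MALFORMED line %d\n", NR; next }
        {
            uid = $3
            # Match the UID as text so an empty field is never read as 0.
            if (uid ~ /^0+$/ && $1 != "root")
                printf "UID0 %s %s %s\n", $1, $6, $7
            if (uid in count) {
                names[uid] = names[uid] "," $1
            } else {
                names[uid] = $1
                order[++n] = uid               # remember first-seen order
            }
            count[uid]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1)
                    printf "DUPUID %s %s\n", order[i], names[order[i]]
        }
    ' "${1:-/etc/passwd}"
}

# Constructed sample file; the dev line is the entry quoted in the question.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
dev:x:0:0::/home/dev:/bin/sh
EOF
}

# Demo run on the constructed sample (offline, does not touch the real system).
sample_passwd | audit_passwd -
```

On a live host, run `audit_passwd /etc/passwd`; the sample above reports `dev` as a UID 0 account and UID 0 as shared by `root,dev`.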

Question has a verified solution.
