Solved

Unauthorised login ?

Posted on 2011-03-17
3
335 Views
Last Modified: 2013-11-15
Hi

On my ubuntu machine there are a couple of enteries here in the /var/log/auth.log file that show access to my server but no IP address (0.0)

And at the same time a new user account was created on the machine.
useradd -u 0 -o -g 0 dev
dev:x:0:0::/home/dev:/bin/sh
(I'm guessing this is a superuser account as it's in the same group as root)

root     pts/1        :0.0             Fri Mar 18 05:43 - 05:43  (00:00)
root     pts/0        :0.0             Fri Mar 18 05:30 - 05:58  (00:28)
root     pts/0        inters24.lnk.tel Thu Mar 17 09:19 - 09:53  (00:34)
root     pts/0        inters24.lnk.tel Wed Mar 16 13:31 - 13:34  (00:03)
root     pts/0        inters24.lnk.tel Wed Mar 16 12:24 - 12:26  (00:02)

Does this mean my machine was hacked and it's time to change passwords and delete this user
Would userdel -r -f dev remove this account without affecting my root account
0
Comment
Question by:Cobraiti
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 18

Accepted Solution

by:
TobiasHolm earned 500 total points
ID: 35162974
I'd change root password if I were you! Also delete the 'dev' user.

Have you installed any new stuff recently on your machine? If you did that might be the reason for the new user, but I think it looks like your machine are hacked! Great you spotted it!

And as always, check that your backups are up'n running so that you can restore them (just in case some important files have been altered).


Regards, Tobias
0
 

Author Comment

by:Cobraiti
ID: 35177763
Hi and thanks

root@is-wb02:~# userdel dev.
userdel: user dev. is currently logged in
root@is-wb02:~# userdel -r dev.
userdel: user dev. is currently logged in
root@is-wb02:~# userdel -r dev
userdel: user dev is currently logged in
root@is-wb02:~# deluser dev.
WARNING: You are just about to delete the root account (uid 0)
Usually this is never required as it may render the whole system unusable
If you really want this, call deluser with parameter --force
Stopping now without having performed any action
root@is-wb02:~#

Can I delete this user without causing any damage ?

0
 
LVL 18

Expert Comment

by:TobiasHolm
ID: 35178366
Looks like the root user is renamed to dev. Do you still have a root user? Which PID does it have?

If you don't have a root user, rename the dev user to root and change the password (to some loooong password ;)

Regards, Tobias
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Linux : when to add the entries in /etc/hosts file 22 105
Mysql Crashing Intermittently 16 130
liboauth-php x oauth-1.2.3 3 121
I NEED A "BARE" LINUX ... 9 116
Users are often faced with high disk consumption without really knowing where the largest amount of data resides. Disk Usage Analyzer (aka Baobab) is is a graphical, menu-driven application to analyse disk usage in any Gnome environment and can e…
The purpose of this article is to demonstrate how we can upgrade Python from version 2.7.6 to Python 2.7.10 on the Linux Mint operating system. I am using an Oracle Virtual Box where I have installed Linux Mint operating system version 17.2. Once yo…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

742 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question