Unauthorised login?
Posted on 2011-03-17
On my Ubuntu machine there are a couple of entries here in the /var/log/auth.log file that show access to my server but no IP address (0.0).
And at the same time a new user account was created on the machine.
useradd -u 0 -o -g 0 dev
(I'm guessing this is a superuser account as it's in the same group as root)
root pts/1 :0.0 Fri Mar 18 05:43 - 05:43 (00:00)
root pts/0 :0.0 Fri Mar 18 05:30 - 05:58 (00:28)
root pts/0 inters24.lnk.tel Thu Mar 17 09:19 - 09:53 (00:34)
root pts/0 inters24.lnk.tel Wed Mar 16 13:31 - 13:34 (00:03)
root pts/0 inters24.lnk.tel Wed Mar 16 12:24 - 12:26 (00:02)
Does this mean my machine was hacked and it's time to change passwords and delete this user?
Would userdel -r -f dev remove this account without affecting my root account?
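
An added example, not part of the original post: the command quoted above (`useradd -u 0 -o -g 0 dev`) creates a second account name that shares UID 0 with root, so one check on any host is to list every UID 0 name other than root and every UID held by more than one account. The function names and the sample passwd entries are constructed for illustration.

```shell
#!/bin/sh
# Audit a passwd-format file for accounts sharing a UID, in particular UID 0.
# Function names are hypothetical; the sample data below is constructed.

# Print every account name whose UID is 0 but whose name is not "root".
uid0_aliases() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print "uid:name1,name2" for every UID used by more than one account.
shared_uids() {
    awk -F: '
        /^[^#]/ && NF >= 7 {
            names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1)
            count[$3]++
        }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }
    ' "$1" | sort -t: -k1,1n
}

# Constructed sample input (not taken from the poster's machine).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
dev:x:0:0::/home/dev:/bin/sh
EOF
}

tmp=$(mktemp)
sample_passwd > "$tmp"
echo "UID 0 accounts other than root: $(uid0_aliases "$tmp")"
echo "Shared UIDs: $(shared_uids "$tmp")"
rm -f "$tmp"
```

On a live system the same functions can be pointed at /etc/passwd instead of the sample file.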