Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Unauthorised login ?

Posted on 2011-03-17
3
Medium Priority
?
339 Views
Last Modified: 2013-11-15
Hi

On my ubuntu machine there are a couple of enteries here in the /var/log/auth.log file that show access to my server but no IP address (0.0)

And at the same time a new user account was created on the machine.
useradd -u 0 -o -g 0 dev
dev:x:0:0::/home/dev:/bin/sh
(I'm guessing this is a superuser account as it's in the same group as root)

root     pts/1        :0.0             Fri Mar 18 05:43 - 05:43  (00:00)
root     pts/0        :0.0             Fri Mar 18 05:30 - 05:58  (00:28)
root     pts/0        inters24.lnk.tel Thu Mar 17 09:19 - 09:53  (00:34)
root     pts/0        inters24.lnk.tel Wed Mar 16 13:31 - 13:34  (00:03)
root     pts/0        inters24.lnk.tel Wed Mar 16 12:24 - 12:26  (00:02)

Does this mean my machine was hacked and it's time to change passwords and delete this user
Would userdel -r -f dev remove this account without affecting my root account
0
Comment
Question by:Cobraiti
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 18

Accepted Solution

by:
TobiasHolm earned 2000 total points
ID: 35162974
I'd change root password if I were you! Also delete the 'dev' user.

Have you installed any new stuff recently on your machine? If you did that might be the reason for the new user, but I think it looks like your machine are hacked! Great you spotted it!

And as always, check that your backups are up'n running so that you can restore them (just in case some important files have been altered).


Regards, Tobias
0
 

Author Comment

by:Cobraiti
ID: 35177763
Hi and thanks

root@is-wb02:~# userdel dev.
userdel: user dev. is currently logged in
root@is-wb02:~# userdel -r dev.
userdel: user dev. is currently logged in
root@is-wb02:~# userdel -r dev
userdel: user dev is currently logged in
root@is-wb02:~# deluser dev.
WARNING: You are just about to delete the root account (uid 0)
Usually this is never required as it may render the whole system unusable
If you really want this, call deluser with parameter --force
Stopping now without having performed any action
root@is-wb02:~#

Can I delete this user without causing any damage ?

0
 
LVL 18

Expert Comment

by:TobiasHolm
ID: 35178366
Looks like the root user is renamed to dev. Do you still have a root user? Which PID does it have?

If you don't have a root user, rename the dev user to root and change the password (to some loooong password ;)

Regards, Tobias
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Creating a Samba server for a small office. Ubuntu Linux and Samba can breathe new life into a retired PC and save an office money on new hardware/software. Our example server will have two hard disks, one exclusively for storing shared data. …
In my business, I use the LTS (Long Term Support) versions of Linux. My workstations do real work, and so I rarely have the patience to deal with silly problems caused by an upgraded kernel that had experimental software on it to begin with from a r…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question