Solved

Unauthorised login ?

Posted on 2011-03-17
3
330 Views
Last Modified: 2013-11-15
Hi

On my ubuntu machine there are a couple of enteries here in the /var/log/auth.log file that show access to my server but no IP address (0.0)

And at the same time a new user account was created on the machine.
useradd -u 0 -o -g 0 dev
dev:x:0:0::/home/dev:/bin/sh
(I'm guessing this is a superuser account as it's in the same group as root)

root     pts/1        :0.0             Fri Mar 18 05:43 - 05:43  (00:00)
root     pts/0        :0.0             Fri Mar 18 05:30 - 05:58  (00:28)
root     pts/0        inters24.lnk.tel Thu Mar 17 09:19 - 09:53  (00:34)
root     pts/0        inters24.lnk.tel Wed Mar 16 13:31 - 13:34  (00:03)
root     pts/0        inters24.lnk.tel Wed Mar 16 12:24 - 12:26  (00:02)

Does this mean my machine was hacked and it's time to change passwords and delete this user
Would userdel -r -f dev remove this account without affecting my root account
0
Comment
Question by:Cobraiti
  • 2
3 Comments
 
LVL 18

Accepted Solution

by:
TobiasHolm earned 500 total points
ID: 35162974
I'd change root password if I were you! Also delete the 'dev' user.

Have you installed any new stuff recently on your machine? If you did that might be the reason for the new user, but I think it looks like your machine are hacked! Great you spotted it!

And as always, check that your backups are up'n running so that you can restore them (just in case some important files have been altered).


Regards, Tobias
0
 

Author Comment

by:Cobraiti
ID: 35177763
Hi and thanks

root@is-wb02:~# userdel dev.
userdel: user dev. is currently logged in
root@is-wb02:~# userdel -r dev.
userdel: user dev. is currently logged in
root@is-wb02:~# userdel -r dev
userdel: user dev is currently logged in
root@is-wb02:~# deluser dev.
WARNING: You are just about to delete the root account (uid 0)
Usually this is never required as it may render the whole system unusable
If you really want this, call deluser with parameter --force
Stopping now without having performed any action
root@is-wb02:~#

Can I delete this user without causing any damage ?

0
 
LVL 18

Expert Comment

by:TobiasHolm
ID: 35178366
Looks like the root user is renamed to dev. Do you still have a root user? Which PID does it have?

If you don't have a root user, rename the dev user to root and change the password (to some loooong password ;)

Regards, Tobias
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Edit file on Ubuntu as root 23 105
Linux patching 4 63
Which maximum version of Zabbix is supprted on CentOs 6. 7 340
Cannot add a NFS Server to Veeam as a repository 11 179
In order for businesses to be compliant with certain information security laws in some countries, you need to be able to prove that a user (which user it was becomes important to the business to take action against the user after an event has occurr…
1. Introduction As many people are interested in Linux but not as many are interested or knowledgeable (enough) to install Linux on their system, here is a safe way to try out Linux on your existing (Windows) system. The idea is that you insta…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now