Solved

Unauthorised login ?

Posted on 2011-03-17
Last Modified: 2013-11-15
Hi

On my Ubuntu machine there are a couple of entries in the /var/log/auth.log file that show access to my server but no IP address (0.0).

And at the same time a new user account was created on the machine.
useradd -u 0 -o -g 0 dev
dev:x:0:0::/home/dev:/bin/sh
(I'm guessing this is a superuser account as it's in the same group as root)

root     pts/1        :0.0             Fri Mar 18 05:43 - 05:43  (00:00)
root     pts/0        :0.0             Fri Mar 18 05:30 - 05:58  (00:28)
root     pts/0        inters24.lnk.tel Thu Mar 17 09:19 - 09:53  (00:34)
root     pts/0        inters24.lnk.tel Wed Mar 16 13:31 - 13:34  (00:03)
root     pts/0        inters24.lnk.tel Wed Mar 16 12:24 - 12:26  (00:02)

Does this mean my machine was hacked and it's time to change passwords and delete this user?
Would userdel -r -f dev remove this account without affecting my root account?
0
Question by:Cobraiti
3 Comments
 
LVL 18

Accepted Solution

by:
TobiasHolm earned 500 total points
ID: 35162974
I'd change root password if I were you! Also delete the 'dev' user.

Have you installed any new stuff recently on your machine? If you did, that might be the reason for the new user, but I think it looks like your machine is hacked! Great you spotted it!

And as always, check that your backups are up'n running so that you can restore them (just in case some important files have been altered).


Regards, Tobias
0
 

Author Comment

by:Cobraiti
ID: 35177763
Hi and thanks

root@is-wb02:~# userdel dev.
userdel: user dev. is currently logged in
root@is-wb02:~# userdel -r dev.
userdel: user dev. is currently logged in
root@is-wb02:~# userdel -r dev
userdel: user dev is currently logged in
root@is-wb02:~# deluser dev.
WARNING: You are just about to delete the root account (uid 0)
Usually this is never required as it may render the whole system unusable
If you really want this, call deluser with parameter --force
Stopping now without having performed any action
root@is-wb02:~#

Can I delete this user without causing any damage?

0
 
LVL 18

Expert Comment

by:TobiasHolm
ID: 35178366
Looks like the root user is renamed to dev. Do you still have a root user? Which PID does it have?

If you don't have a root user, rename the dev user to root and change the password (to some loooong password ;)

Regards, Tobias
0
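
A read-only check for the situation in this thread, added here as an example and not written by any poster: it lists every account that shares UID 0, which is what `useradd -u 0 -o` creates, and flags any besides root. The function names and the sample passwd data are constructed for illustration; only the `dev` line comes from the question.

```shell
#!/bin/sh
# Constructed sample /etc/passwd; only the "dev" line is quoted from the question.
# Function names below are this example's own, not part of any tool.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
dev:x:0:0::/home/dev:/bin/sh'

# Print every account name whose UID field (3rd) is 0, one per line.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print "uid:name1,name2" for each UID held by more than one account,
# the state that "useradd -o" (non-unique UID) allows.
shared_uids() {
    awk -F: '
        NF >= 7 { n[$3]++; names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1) }
        END { for (u in n) if (n[u] > 1) print u ":" names[u] }
    ' "$1" | sort -t: -k1,1n
}

# Return 0 only if "root" is the single UID 0 account; otherwise print findings.
audit_passwd() {
    file=$1
    status=0
    for name in $(uid0_accounts "$file"); do
        if [ "$name" != "root" ]; then
            echo "ALERT: extra UID 0 account: $name"
            status=1
        fi
    done
    if ! uid0_accounts "$file" | grep -qx root; then
        echo "ALERT: no account named root has UID 0"
        status=1
    fi
    return $status
}

# Demo on the constructed sample; on a real host pass /etc/passwd instead.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$demo_file"
audit_passwd "$demo_file" || echo "review UID 0 accounts before deleting anything"
shared_uids "$demo_file"
rm -f "$demo_file"
```

Both names map to the same UID, which matches the deluser warning about the root account (uid 0) shown in the author's output.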
