Auth.log understand it

Question

I have an ubuntu server and I want to understand if someone enter into it (hacker). I have seen into auth.log many lines like this:

May 30 10:36:00 xxx-System-Product_Name CRON[2758]: pam_unix(cron:session): session opened for user admin by (uid=0)
May 30 10:36:00 xxx-System-Product_Name CRON[2758]: pam_unix(cron:session): session closed for user admin
May 30 10:37:00 xxx-System-Product_Name CRON[2759]: pam_unix(cron:session): session opened for user admin by (uid=0)
May 30 10:37:00 xxx-System-Product_Name CRON[2759]: pam_unix(cron:session): session closed for user admin

My user is 'alessandro' and not admin someone is entered with user 'admin' ?

Can someone help me?

print me: * * * * * /var/tmp/.kitten/.update >/dev/null 2>&1 @NickW — Alessandro Minoccheri, May 30 '13 at 08:50
empty /dev/null and /var/tmp/.kitten I can't find this @NickW — Alessandro Minoccheri, May 30 '13 at 08:55
So if you do a sudo ls -la /var/tmp/ you do not see anything? — NickW, May 30 '13 at 08:56
/dev/null is empty always, it's like a hole to throw things down, un buco nero dove non torna indietro niente.. — NickW, May 30 '13 at 08:57
An italian description of /dev/null is like pure poetry. +1. — Tom O'Connor, May 30 '13 at 09:07
Maybe there was something, it's not a comforting thought honestly.. nobody else should have access to this server, correct? Even the .ssh in /var/tmp is odd. — NickW, May 30 '13 at 09:30
nobody have access I'm only that have all password, but I don't know if someone can enter. in .ssh there are other folder and files — Alessandro Minoccheri, May 30 '13 at 09:37
If you can't be sure who might have created that user and those files, you might want to look through this.. and make your own decision: http://serverfault.com/questions/6190/reinstall-after-a-root-compromise — NickW, May 30 '13 at 10:13

score 4 · Answer 1 · answered May 30 '13 at 15:07

4

Your comments reveal files and directory structures which are commonly seen with rootkits. So it's a very high probability that your server has been compromised and taken over. You should begin remediation as soon as possible.

answered May 30 '13 at 15:07

Michael Hampton

247,473

Ok understand, I can't reinstall all can I do something like change permission to this file, deny ssh access? – Alessandro Minoccheri May 30 '13 at 15:10
As you don't know how they got in, it's going to be difficult to understand what they changed, and above all, prevent them from doing it again. I'd advise you to set up plans to create a new server as soon as possible. By all means, block ssh access, but it's not a solution, just a small plaster on a big wound. – NickW May 30 '13 at 16:09
@AlessandroMinoccheri See the duplicate question yours now points to - the general advice is to reinstall the whole machine (because you don't know how they got in). I'm not sure what /var/tmp/.kitten/.update contains (you can look at the file with cat /var/tmp/.kitten/.update to see if you recognize its contents), but the directory structure is definitely suspect -- normally crontabs don't point at things in temporary directories... – voretaq7 May 30 '13 at 16:39

Auth.log understand it

1 Answers1