
I have an Ubuntu server and I want to understand if someone has entered it (a hacker). I have seen many lines like this in auth.log:

May 30 10:36:00 xxx-System-Product_Name CRON[2758]: pam_unix(cron:session): session opened for user admin by (uid=0)
May 30 10:36:00 xxx-System-Product_Name CRON[2758]: pam_unix(cron:session): session closed for user admin
May 30 10:37:00 xxx-System-Product_Name CRON[2759]: pam_unix(cron:session): session opened for user admin by (uid=0)
May 30 10:37:00 xxx-System-Product_Name CRON[2759]: pam_unix(cron:session): session closed for user admin

My user is 'alessandro' and not 'admin'. Has someone entered with the user 'admin'?

Can someone help me?

1 Answer


Your comments reveal files and directory structures which are commonly seen with rootkits. So it's a very high probability that your server has been compromised and taken over. You should begin remediation as soon as possible.

Michael Hampton
  • Ok, I understand. I can't reinstall everything; can I do something like change the permissions on this file, or deny SSH access? – Alessandro Minoccheri May 30 '13 at 15:10
  • As you don't know how they got in, it's going to be difficult to understand what they changed, and above all, prevent them from doing it again. I'd advise you to set up plans to create a new server as soon as possible. By all means, block ssh access, but it's not a solution, just a small plaster on a big wound. – NickW May 30 '13 at 16:09
  • @AlessandroMinoccheri See the duplicate question yours now points to - the general advice is to reinstall the whole machine (because you don't know how they got in). I'm not sure what `/var/tmp/.kitten/.update` contains (you can look at the file with `cat /var/tmp/.kitten/.update` to see if you recognize its contents), but the directory structure is definitely suspect -- normally crontabs don't point at things in temporary directories... – voretaq7 May 30 '13 at 16:39
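The pam_unix(cron:session) lines in the question are what cron writes through PAM every time it runs a job for a user, so a "session opened for user admin" every minute means an 'admin' account has a crontab with a job scheduled every minute. The first triage step is therefore to see which users cron is running jobs for, and what those jobs point at, which is the check voretaq7 describes in the comments. The Python below is an added example, not code from the question or the answer: it counts CRON session openings per user from auth.log-style lines, lists users that are not expected to have cron jobs, and flags crontab entries whose command lives in a temporary directory or a hidden path. The pam_unix lines are the ones from the question; the extra log line for 'alessandro' and the sample crontab are constructed for the example.

```python
import re
from collections import Counter

# One "session opened"/"session closed" pair is logged per cron job run.
CRON_SESSION_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'CRON\[(?P<pid>\d+)\]: pam_unix\(cron:session\): '
    r'session (?P<event>opened|closed) for user (?P<user>\S+)'
)

# World-writable scratch locations; legitimate cron jobs normally do not live here.
TEMP_DIRS = ('/tmp/', '/var/tmp/', '/dev/shm/')
# A path component starting with "." (but not "." or ".." themselves).
HIDDEN_PATH_RE = re.compile(r'/\.[^./\s]')

# First four lines copied from the question; the last one is constructed.
AUTH_LOG_SAMPLE = [
    "May 30 10:36:00 xxx-System-Product_Name CRON[2758]: pam_unix(cron:session): session opened for user admin by (uid=0)",
    "May 30 10:36:00 xxx-System-Product_Name CRON[2758]: pam_unix(cron:session): session closed for user admin",
    "May 30 10:37:00 xxx-System-Product_Name CRON[2759]: pam_unix(cron:session): session opened for user admin by (uid=0)",
    "May 30 10:37:00 xxx-System-Product_Name CRON[2759]: pam_unix(cron:session): session closed for user admin",
    "May 30 10:40:01 xxx-System-Product_Name CRON[2790]: pam_unix(cron:session): session opened for user alessandro by (uid=0)",
]

# Constructed crontab, in the format of `crontab -l -u <user>`; the
# /var/tmp/.kitten/.update path is the one mentioned in the comments.
CRONTAB_SAMPLE = [
    "# m h dom mon dow command",
    "MAILTO=root",
    "*/1 * * * * /var/tmp/.kitten/.update >/dev/null 2>&1",
    "0 3 * * * /usr/bin/apt-get update",
    "@reboot /home/admin/.config/run.sh",
]


def cron_sessions_per_user(log_lines):
    """Count CRON 'session opened' events per user, i.e. jobs run per user."""
    counts = Counter()
    for line in log_lines:
        m = CRON_SESSION_RE.match(line)
        if m and m.group('event') == 'opened':
            counts[m.group('user')] += 1
    return dict(counts)


def unexpected_cron_users(log_lines, expected_users):
    """Users cron ran jobs for that the admin did not expect to have crontabs."""
    return sorted(set(cron_sessions_per_user(log_lines)) - set(expected_users))


def _cron_command(entry):
    """Return the command part of a crontab entry ('@reboot cmd' or '5 fields + cmd')."""
    if entry.startswith('@'):
        parts = entry.split(None, 1)
        return parts[1] if len(parts) == 2 else ''
    fields = entry.split(None, 5)
    return fields[5] if len(fields) == 6 else ''


def suspicious_crontab_entries(crontab_lines):
    """Return (entry, reasons) for entries pointing at temp dirs or hidden paths."""
    hits = []
    for raw in crontab_lines:
        entry = raw.strip()
        if not entry or entry.startswith('#'):
            continue
        if '=' in entry.split()[0]:  # environment assignment such as MAILTO=root
            continue
        command = _cron_command(entry)
        reasons = []
        if any(d in command for d in TEMP_DIRS):
            reasons.append('temp dir')
        if HIDDEN_PATH_RE.search(command):
            reasons.append('hidden path')
        if reasons:
            hits.append((entry, reasons))
    return hits


if __name__ == '__main__':
    print("cron jobs per user:", cron_sessions_per_user(AUTH_LOG_SAMPLE))
    print("unexpected users:", unexpected_cron_users(AUTH_LOG_SAMPLE, {'alessandro', 'root'}))
    for entry, reasons in suspicious_crontab_entries(CRONTAB_SAMPLE):
        print("SUSPICIOUS [%s]: %s" % (', '.join(reasons), entry))
```

To run this against the real server, feed it the output of `grep CRON /var/log/auth.log` and of `crontab -l -u admin` (user crontabs on Ubuntu are stored under /var/spool/cron/crontabs/ and are readable only by root; also check /etc/crontab and /etc/cron.d/). A hidden path on its own is weak evidence, since legitimate scripts under ~/.config exist, but a job scheduled every minute from /var/tmp is exactly the pattern the comments call out, and it matches the one-minute spacing of the session lines in the question.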