Under attack - HELP!
In the last two days my server (Red Hat 6.2 with Plesk 1.3.1) had 2 attacks. The first time they changed the root password (10 characters long), then created a new user (I've been able to modify the root password thanks to webmin; now the root password is 30 chars long). The second time they changed the 15-char-long password of an existing user, then they created their own user. This is what I found in the log:
First attack:
Mar 23 07:11:31 s1 PAM_pwdb[21736]: password for (root/0) changed by ((null)/0)
Mar 23 07:13:19 s1 login[21739]: ROOT LOGIN on `pts/3' from `164.77.67.47'
Mar 23 07:13:39 s1 inetd[507]: pid 21708: exit status 1
Mar 23 07:16:03 s1 useradd[21764]: new group: name=spider, gid=10009
Mar 23 07:16:03 s1 useradd[21764]: new user: name=spider, uid=10009, gid=10009, home=/home/spider, shell=/bin/bash
Mar 23 07:16:24 s1 PAM_pwdb[21765]: password for (spider/10009) changed by (root/0)
Mar 23 07:32:01 s1 inetd[507]: pid 21795: exit status 1
Mar 23 07:33:33 s1 PAM_pwdb[21798]: password for (root/0) changed by ((null)/0)
Mar 23 07:36:15 s1 PAM_pwdb[21809]: get passwd; pwdb: request not recognized
Mar 23 07:36:34 s1 PAM_pwdb[21810]: (ftp) session opened for user spider by (uid=0)
Mar 23 07:41:03 s1 inetd[507]: pid 21738: exit status 1
Mar 23 07:44:28 s1 PAM_pwdb[21810]: (ftp) session closed for user spider
Mar 23 07:47:32 s1 PAM_pwdb[21841]: password for (root/0) changed by ((null)/0)
mar 23 07:48:51 s1 PAM_pwdb[21867]: authentication failure; spider(uid=10009) -> root for su service
Mar 23 07:52:30 s1 PAM_pwdb[21877]: (ftp) session opened for user spider by (uid=0)
Mar 23 07:59:55 s1 modprobe: modprobe: Can't locate module net-pf-10
Mar 23 08:04:11 s1 fingerd[22086]: Client hung up - probable port-scan
Second attack:
Mar 25 21:58:33 s1 PAM_pwdb[801]: password for (pippo/500) changed by ((null)/0)
Any idea of what happened and how I can stop them?
Thanks a lot!
Ricky
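The entries worth alerting on in the excerpt above are the `PAM_pwdb` password changes recorded with no changer (`changed by ((null)/0)`), the interactive `ROOT LOGIN` from a remote address, the `useradd` of an account nobody on the box created, the failed `su` to root from that new account, and the `fingerd` scan notice. The following is an added example (not the poster's code or anything shipped with Red Hat or Plesk) that parses syslog-style lines and flags exactly those indicators. The sample input is copied from the post; the rule names and the output structure are my own choices.

```python
"""Flag the compromise indicators visible in a Red Hat 6.2 style syslog.

Added example: rule names, thresholds and the Finding layout are assumptions
of this example, not anything from the original post or from Red Hat/Plesk.
"""
import re
from collections import Counter

# Constructed sample: the lines quoted in the post, unchanged (noise lines dropped).
SAMPLE_LOG = """\
Mar 23 07:11:31 s1 PAM_pwdb[21736]: password for (root/0) changed by ((null)/0)
Mar 23 07:13:19 s1 login[21739]: ROOT LOGIN on `pts/3' from `164.77.67.47'
Mar 23 07:13:39 s1 inetd[507]: pid 21708: exit status 1
Mar 23 07:16:03 s1 useradd[21764]: new group: name=spider, gid=10009
Mar 23 07:16:03 s1 useradd[21764]: new user: name=spider, uid=10009, gid=10009, home=/home/spider, shell=/bin/bash
Mar 23 07:16:24 s1 PAM_pwdb[21765]: password for (spider/10009) changed by (root/0)
Mar 23 07:33:33 s1 PAM_pwdb[21798]: password for (root/0) changed by ((null)/0)
Mar 23 07:36:34 s1 PAM_pwdb[21810]: (ftp) session opened for user spider by (uid=0)
Mar 23 07:47:32 s1 PAM_pwdb[21841]: password for (root/0) changed by ((null)/0)
Mar 23 07:48:51 s1 PAM_pwdb[21867]: authentication failure; spider(uid=10009) -> root for su service
Mar 23 08:04:11 s1 fingerd[22086]: Client hung up - probable port-scan
Mar 25 21:58:33 s1 PAM_pwdb[801]: password for (pippo/500) changed by ((null)/0)
"""

# Classic syslog layout: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Detection rules applied to the message part. Named groups become the finding detail.
# Note that "changed by (root/0)" (a logged-in root) deliberately does NOT match the
# first rule; only a change with no recorded changer ("(null)") does.
RULES = [
    ("password_changed_no_changer",
     re.compile(r"password for \((?P<user>[^/]+)/(?P<uid>\d+)\) changed by \(\(null\)/0\)")),
    ("remote_root_login",
     re.compile(r"ROOT LOGIN on `(?P<tty>[^']+)' from `(?P<src>[^']+)'")),
    ("account_created",
     re.compile(r"new user: name=(?P<user>[^,]+), uid=(?P<uid>\d+)")),
    ("failed_su_to_root",
     re.compile(r"authentication failure; (?P<user>\w+)\(uid=(?P<uid>\d+)\) -> root for su service")),
    ("fingerd_scan_notice",
     re.compile(r"probable port-scan")),
]


def parse_line(line):
    """Split one syslog line into its fields; return None for lines that do not fit."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(text):
    """Return a list of findings: {ts, host, prog, rule, detail, line} per matching rule."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, rx in RULES:
            m = rx.search(rec["msg"])
            if m:
                findings.append({"ts": rec["ts"], "host": rec["host"], "prog": rec["prog"],
                                 "rule": name, "detail": m.groupdict(), "line": line.strip()})
    return findings


def summary(findings):
    """Count findings per rule, so a burst of root password changes stands out."""
    return Counter(f["rule"] for f in findings)


def new_accounts(findings):
    """Names of accounts created during the scanned window (to compare with the admin's own list)."""
    return [f["detail"]["user"] for f in findings if f["rule"] == "account_created"]


def remote_root_sources(findings):
    """Source addresses that obtained an interactive root login."""
    return sorted({f["detail"]["src"] for f in findings if f["rule"] == "remote_root_login"})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['rule']:30s} {f['detail']}")
    print("per rule:", dict(summary(found)))
    print("new accounts:", new_accounts(found))
    print("remote root logins from:", remote_root_sources(found))
```

Run it against `/var/log/messages` (or the `authpriv` log if syslog is split) to get the same findings for a live host. Two caveats for a box on which someone already held root, as in the post: the logs may have been edited, so a clean result proves little, and the second `password for (pippo/500) changed by ((null)/0)` entry two days after the first cleanup shows the initial access path was not closed by changing passwords. The usual answer for a host in this state is to rebuild from known-good media, patch the network services, and restore data only, rather than trying to clean it in place.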