Probable intrusion?

[lightouch]

Hello everyone, i'm new to this forum and to FreeBSD also. Yesterday i was logging on my brand new FreeBSD 8.2 server and the user wopr seem to never existed before. As you can see from the logs, the user and the related pubb-key worked untill Sep 16 22:56:01 after that time, i was no more able to log in.

argon# cat /var/log/auth.log | grep wopr
Sep 16 12:45:26 argon sshd[83700]: Accepted publickey for wopr from xx.xx.xx.xx port 53686 ssh2
Sep 16 12:45:32 argon su: wopr to root on /dev/pts/0
Sep 16 20:10:18 argon sshd[91901]: Accepted publickey for wopr from xx.xx.xx.xx port 62745 ssh2
Sep 16 20:10:23 argon su: wopr to root on /dev/pts/1
Sep 16 22:56:01 argon sshd[91901]: fatal: login_init_entry: Cannot find user "wopr"
Sep 17 19:41:16 argon sshd[35662]: Invalid user wopr from yy.yy.yy.yy
Sep 17 19:41:56 argon sshd[35662]: error: PAM: authentication error for illegal user wopr from yy.yy.yy.yy
Sep 17 19:41:56 argon sshd[35662]: Failed keyboard-interactive/pam for invalid user wopr from yy.yy.yy.yy port 50283 ssh2
Sep 17 19:43:06 argon sshd[35665]: Invalid user wopr from yy.yy.yy.yy
Sep 17 22:47:37 argon sshd[35976]: Invalid user wopr from xx.xx.xx.xx
Sep 17 22:47:59 argon sshd[35978]: Invalid user wopr from xx.xx.xx.xx
Sep 17 22:48:40 argon sshd[35980]: Invalid user wopr from xx.xx.xx.xx
Sep 17 22:49:31 argon sshd[35982]: Invalid user wopr from xx.xx.xx.xx

There is also no mysql user (if I didn't wrong):

argon# /usr/local/etc/rc.d/mysql-server start
Starting mysql.
su: unknown login: mysql
/usr/local/etc/rc.d/mysql-server: WARNING: failed to start mysql

Can someone help me please, to know if the server is compromised?

Thanks a lot!

PS: I searched on google, but i can't find something interesting about my problem

 

[DutchDaemon]

Sounds more like you nuked or damaged your /etc/passwd. If your /etc/master.passwd is still present and correct, you can run [cmd=]pwd_mkdb -p /etc/master.passwd[/cmd] to recreate it. Else check /var/backups for possible working copies. Note: the chance of fresh admins nuking their own files is considerably bigger than a break-in, especially when they do everything as the root user.

 

[shitson]

Have you run any commands that could have possibly wiped out something in /etc?

 

[lightouch]

I want to start saying thanks for reply and help me!

Sounds more like you nuked or damaged your /etc/passwd.

I know, it may sounds like it DutchDaemon, but as you can see i was no logged in during the fatal error: i just logged of while everything was working and tried to log in the day next without success:

Sep 16 22:56:01 argon sshd[91901]: fatal: login_init_entry: Cannot find user "wopr"

root             ttyv0                     Sat Sep 17 23:16 - shutdown  (00:05)
wopr             pts/1    192.168.5.3      Fri Sep 16 20:10 - shutdown (1+03:11)

And I didn't do anything... but, I've done a link: I had problems with mysql, with apache, and with a local user... could Joomla (working on this server) have some relation with it?

If your /etc/master.passwd is still present and correct, you can run pwd_mkdb -p /etc/master.passwd to recreate it. Else check /var/backups for possible working copies.

Both done, but no backups copies in /var/backups contains my user, also executing the command you suggested...

Note: the chance of fresh admins nuking their own files is considerably bigger than a break-in, especially when they do everything as the root user

Yes, it's generally true, but if i'm new to FreeBSD, i'm using Gentoo Hardened since 2005 for server and generally Linux from few years before: I don't want to look like arrogant, it's possible –right– i did some errors, but I never played with /etc/password

Have you run any commands that could have possibly wiped out something in /etc?

Uhm... no, especially because i wasn't logged in during fatal error. Are there places where I can look for?

Thanks!

 

[shitson]

depending on if your account data files are still intact... the .history file or .bash_history (command history)

 

[lightouch]

Uff... what the hell! I re-created wopr user and both mysql and apache daemon users copying the right value of /etc/password from /var/log/userlog, and now all works fine. But right now, i still didn't understood what caused the problem! It couldn't be a sheer coincidence that all the users related to joomla was deleted, included my local user!

Thanks a lot to anyone tried to help me!