Linode Community Forums
PostPosted: Tue Feb 28, 2012 10:41 am 
Newbie

Joined: Thu Sep 01, 2011 11:35 pm
Posts: 3
Location: Brazil
Hello guys,

Yesterday something very weird happened. I received an email like this:

Subject: *** SECURITY information for mydomain.com ***
Body: mydomain.com : Feb 27 18:27:09 : phl : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/phl ; USER=root ; COMMAND=/bin/su

"mydomain.com" is purely a representation of my domain, of course.

After that I found out that my PuTTY window that was open was shut down and when I tried to log back in... my password didn't work. In desperation I shut down my server and went home. Today I restarted it and changed my root password via the Linode Control Panel... but now I am afraid it will happen again. Anyone know what can cause this? What can I do to prevent this kind of attack (if that's correct)?

Just now I received another email:

Subject: Cron <root@ouro> [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) -delete (failed)
Body: find: invalid predicate `-delete'

I logged in ssh again and typed crontab -l and nothing is listed for root... how can I see this cronjob? I never used cronjob... so I'm 99% sure I was hacked and that he started a (badly typed) cronjob... could somebody help me before I have a heart attack? :)

Thanks in advance!


PostPosted: Tue Feb 28, 2012 12:48 pm 
Senior Newbie

Joined: Tue Dec 14, 2010 10:30 am
Posts: 16
I don't know about the first one, but the second one should be more or less benign.

For comparison, this is in my /etc/cron.d/php5
Code:
# /etc/cron.d/php5: crontab fragment for php5
#  This purges session files older than X, where X is defined in seconds
#  as the largest value of session.gc_maxlifetime from all your php.ini
#  files, or 24 minutes if not defined.  See /usr/lib/php5/maxlifetime

# Look for and purge old sessions every 30 minutes
09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) -delete


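The fragment above is exactly the kind of job that `crontab -l` never shows: that command lists only the calling user's own crontab, while /etc/crontab and the drop-in files under /etc/cron.d are read by cron directly. The following is an added example, not code from the thread or from the php5 package: it enumerates the Debian-style cron sources (/etc/crontab, /etc/cron.d/*, /var/spool/cron/crontabs/*; those paths are an assumption) and locates the file that defines a given command. It runs against a constructed fixture tree holding a copy of the php5 fragment, so it can be tried without touching a live system.

```shell
#!/bin/sh
# Added example, not the thread's or the php5 package's code. Lists every job
# cron will run and finds the file defining a given job. Paths are taken
# relative to ROOT so the functions also run against a constructed tree.

list_cron_sources() {
    root="${1:-/}"
    # Debian-style locations (assumed): system crontab, drop-in fragments,
    # and the per-user spool that `crontab -l` reads from.
    for f in "$root/etc/crontab" "$root"/etc/cron.d/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        # Keep only active lines (drop comments and blanks), prefixed with the file name.
        grep -Ev '^[[:space:]]*(#|$)' "$f" | awk -v f="$f" '{ print f ": " $0 }'
    done
}

find_cron_job() {
    # Print the file(s) whose active lines contain the fixed string $2.
    list_cron_sources "$1" | grep -F -- "$2" | cut -d: -f1 | sort -u
}

make_fixture() {
    # Constructed tree: a minimal system crontab plus a copy of the php5 fragment.
    root="$1"
    mkdir -p "$root/etc/cron.d" "$root/var/spool/cron/crontabs"
    printf '# m h dom mon dow user command\n17 * * * * root cd / && run-parts --report /etc/cron.hourly\n' > "$root/etc/crontab"
    cat > "$root/etc/cron.d/php5" <<'EOF'
# /etc/cron.d/php5: crontab fragment for php5
# Look for and purge old sessions every 30 minutes
09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) -delete
EOF
}

demo() {
    # Build the fixture, then answer "which file defines the job from the cron mail?"
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    find_cron_job "$tmp" '-cmin +$(/usr/lib/php5/maxlifetime)' | sed "s|^$tmp/||"
    rm -rf "$tmp"
}

# Usage: CRON_ROOT=/ sh cron_sources.sh   (inspect the live system)
#        sh cron_sources.sh               (exercise the constructed fixture)
if [ -n "${CRON_ROOT:-}" ]; then
    list_cron_sources "$CRON_ROOT"
else
    demo
fi
```

On a real box, `CRON_ROOT=/ sh cron_sources.sh` prints each active job with the file it came from, which is the quickest way to match a "Cron <root@host> ..." mail subject back to its definition.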
PostPosted: Tue Feb 28, 2012 3:34 pm 
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
Is your username 'phl'? Do you have a user 'phl'? If not, then you probably have a Problem.

The cron job itself is normal (it's what keeps your system from being overrun with PHP sessions), but the fact that it failed in that way makes me think that /usr/lib/php5/maxlifetime, when executed, returned an invalid number. That may or may not be related.

_________________
Code:
/* TODO: need to add signature to posts */
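The sudo alert quoted in the first post has a fixed shape: `host : timestamp : invoking-user : message ; TTY=... ; PWD=... ; USER=... ; COMMAND=...`. As an added example that is not part of the thread, the script below parses such a line, extracts the invoking user and the key=value fields, and checks that user against a passwd file, which is the check the reply above suggests: a sudo attempt by a name that has no account on the box is the thing to worry about. The passwd contents and the alert lines are constructed samples modelled on the post (the `phl`, `david` and `santana` names come from the thread).

```shell
#!/bin/sh
# Added example, not from the thread: triage a sudo "NOT in sudoers" mail line
# by extracting the invoking user and checking it against /etc/passwd.

# Print the invoking user (third " : "-separated field) of a sudo alert line,
# or nothing if the line is not such an alert.
sudo_alert_user() {
    printf '%s\n' "$1" | awk -F' : ' '/NOT in sudoers/ { print $3 }'
}

# Print the value of a KEY=value field (TTY, PWD, USER, COMMAND) from the alert.
sudo_alert_field() {
    printf '%s\n' "$1" | tr ';' '\n' | awk -v k="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        index($0, k "=") == 1 { print substr($0, length(k) + 2) }'
}

# Succeed if user $2 has an entry in passwd file $1.
user_exists() {
    cut -d: -f1 "$1" | grep -qx -- "$2"
}

# Classify one line: not-a-sudo-alert, known-user:NAME or unknown-user:NAME.
triage_sudo_alert() {
    passwd="$1"; line="$2"
    u=$(sudo_alert_user "$line")
    [ -n "$u" ] || { echo "not-a-sudo-alert"; return 0; }
    if user_exists "$passwd" "$u"; then
        echo "known-user:$u"
    else
        echo "unknown-user:$u"
    fi
}

# Constructed samples: a passwd file with the accounts the poster describes,
# and an alert line in the shape of the one in the first post.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
david:x:1000:1000::/home/david:/bin/bash
santana:x:1001:1001::/home/santana:/bin/bash'
SAMPLE_ALERT='mydomain.com : Feb 27 18:27:09 : phl : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/phl ; USER=root ; COMMAND=/bin/su'

demo() {
    pw=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$pw"
    result=$(triage_sudo_alert "$pw" "$SAMPLE_ALERT")
    rm -f "$pw"
    printf '%s (command: %s)\n' "$result" "$(sudo_alert_field "$SAMPLE_ALERT" COMMAND)"
}

# Usage: sh sudo_triage.sh  -> "unknown-user:phl (command: /bin/su)"
demo
```

On a live system the same functions can be pointed at /etc/passwd and fed the alert lines sudo writes to auth.log; an `unknown-user` result means someone ran sudo under a name that the box does not know about, which only a local process can do.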


PostPosted: Tue Feb 28, 2012 7:30 pm 
Newbie

Joined: Thu Sep 01, 2011 11:35 pm
Posts: 3
Location: Brazil
No I didn't set up any user with that name. My users are all full names, like david or santana. "phl" means nothing to me.

Well, I am receiving this email from the cronjob all day. More than 20 emails have already arrived. So... I started pulling a solution out. I'm acquiring a new Linode and starting from scratch again, then getting all my docs from this old one. The problem is going into ssh login because Windows and PuTTY are kinda painful to set up... but that will go in another topic.

Thanks for the help though.

