FedoraForum.org > Fedora 17/18 > Security and Privacy
Old 11th October 2005, 03:55 PM
guarriman
Registered User
 
Join Date: Nov 2004
Posts: 72
My server crashed after "Failed password for invalid user john from ::ffff:XX.XX"

Hi.

Using Fedora Core 2, my server crashed suddenly on Saturday. I noticed that all services were stopped (I can't access it via SSH), and I had to phone my datacenter to restart it manually.

This is my '/var/log/secure' at the moment of the failure:
-----------------
Oct 8 00:40:52 www sshd[12447]: error: Could not get shadow information for NOUSER
Oct 8 00:40:52 www sshd[12447]: Failed password for invalid user john from ::ffff:XX.XX.XX.XX port 36201 ssh2
Oct 8 00:40:52 www sshd[12449]: Failed password for root from ::ffff:XX.XX.XX.XX port 36204 ssh2
Oct 8 00:40:52 www sshd[12451]: Failed password for root from ::ffff:XX.XX.XX.XX port 36217 ssh2
Oct 8 00:40:52 www sshd[12453]: Failed password for root from ::ffff:XX.XX.XX.XX port 36224 ssh2
Oct 8 00:40:52 www sshd[12455]: Failed password for root from ::ffff:XX.XX.XX.XX port 36239 ssh2
Oct 8 00:40:53 www sshd[12457]: Failed password for root from ::ffff:XX.XX.XX.XX port 36243 ssh2
Oct 8 00:40:53 www sshd[12459]: Failed password for root from ::ffff:XX.XX.XX.XX port 36262 ssh2
Oct 8 00:40:53 www sshd[12461]: Invalid user test from ::ffff:XX.XX.XX.XX
Oct 8 00:40:53 www sshd[12461]: error: Could not get shadow information for NOUSER
Oct 8 00:40:53 www sshd[12461]: Failed password for invalid user test from ::ffff:XX.XX.XX.XX port 36268 ssh2
Oct 8 00:40:53 www sshd[12463]: Failed password for root from ::ffff:XX.XX.XX.XX port 36281 ssh2
Oct 8 00:40:54 www sshd[12465]: Failed password for root from ::ffff:XX.XX.XX.XX port 36299 ssh2
Oct 8 00:40:54 www sshd[12467]: Invalid user test from ::ffff:XX.XX.XX.XX
Oct 8 00:40:54 www sshd[12467]: error: Could not get shadow information for NOUSER
Oct 8 00:40:54 www sshd[12467]: Failed password for invalid user test from ::ffff:XX.XX.XX.XX port 36319 ssh2
(NO INFORMATION HERE)
Oct 8 09:37:25 www sshd[1897]: Server listening on :: port 22.
Oct 8 09:37:25 www sshd[1897]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Oct 8 09:37:48 www webmin[2314]: Webmin starting
Oct 8 09:41:15 www xinetd[2328]: START: pop3 pid=2707 from=YY.YY.YY.YY
Oct 8 09:41:21 www xinetd[2328]: EXIT: pop3 pid=2707 duration=6(sec)
Oct 8 09:46:16 www xinetd[2328]: START: pop3 pid=2807 from=YY.YY.YY.YY
Oct 8 09:46:21 www xinetd[2328]: EXIT: pop3 pid=2807 duration=5(sec)
Oct 8 09:51:16 www xinetd[2328]: START: pop3 pid=2853 from=YY.YY.YY.YY
Oct 8 09:51:17 www xinetd[2328]: EXIT: pop3 pid=2853 duration=1(sec)
----------------

Between the first and the second part of the logs, there are nearly 9 hours of non-information, and
the first one is within '/var/log/secure' and the second one within '/var/log/secure.1' (logrotate?).

'XX.XX.XX.XX' is an IP address trying to access my server and 'YY.YY.YY.YY' is my home IP address.

From my '/var/log/messages' (no split)
---------
Oct 8 06:50:01 www crond(pam_unix)[11219]: session opened for user mailman by (uid=0)
Oct 8 06:50:01 www crond(pam_unix)[11219]: session closed for user mailman
Oct 8 06:55:01 www crond(pam_unix)[11236]: session opened for user mailman by (uid=0)
Oct 8 06:55:01 www crond(pam_unix)[11236]: session closed for user mailman
Oct 9 09:37:23 www syslogd 1.4.1: restart.
Oct 9 09:37:23 www syslog: syslogd startup succeeded
Oct 9 09:37:23 www kernel: klogd 1.4.1, log source = /proc/kmsg started.
Oct 9 09:37:23 www kernel: Linux version 2.6.9-1.667 (bhcompile@tweety.build.redhat.com) (gcc version 3.4.2 20041017 (Red Hat 3.4.2-6.fc3)) #1 Tue Nov 2 14:41:25 EST 2004
Oct 9 09:37:23 www kernel: BIOS-provided physical RAM map:
Oct 9 09:37:23 www kernel: BIOS-e820: 0000000000000000 - 00000000000a0000 (usable)
Oct 9 09:37:23 www kernel: BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
Oct 9 09:37:23 www kernel: BIOS-e820: 0000000000100000 - 000000001f7f0000 (usable)
Oct 9 09:37:23 www kernel: BIOS-e820: 000000001f7f0000 - 000000001f7f3000 (ACPI NVS)
Oct 9 09:37:23 www kernel: BIOS-e820: 000000001f7f3000 - 000000001f800000 (ACPI data)
Oct 9 09:37:23 www kernel: BIOS-e820: 00000000fec00000 - 0000000100000000 (reserved)
----------------

In my 'last':
------------
root pts/0 YY.YY.YY.YY Mon Oct 8 09:52 - 13:52 (04:00)
reboot system boot 2.6.9-1.667 Sun Oct 8 09:37 (2+03:14)
root pts/0 YY.YY.YY.YY Fri Oct 7 16:13 - 18:03 (01:50)
--------------

I don't have any clue about what happened on Saturday. Any suggestion is appreciated.
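The burst of sshd failures in the first '/var/log/secure' excerpt is the usual password-guessing pattern. As an added example (not from the thread), the Python below parses lines of that shape, strips the `::ffff:` IPv4-mapped prefix that sshd writes for IPv4 peers when it listens on `::`, and flags any source that produces several failed passwords within a short window; the sample lines, the 198.51.100.7 address and the year are constructed, since syslog timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Message forms seen in the thread's /var/log/secure excerpt.
_STAMP = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
_FAIL = re.compile(_STAMP + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
_INVALID = re.compile(_STAMP + r"Invalid user (?P<user>\S+) from (?P<ip>\S+)")

def parse_secure(lines, year=2005):
    """Return (timestamp, user, ip, kind) per auth-failure line; the year is assumed."""
    events = []
    for line in lines:
        m, kind = _FAIL.search(line), "failed_password"
        if not m:
            m, kind = _INVALID.search(line), "invalid_user"
        if not m:
            continue
        stamp = " ".join(m.group("ts").split())  # collapse syslog's day padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        ip = m.group("ip").removeprefix("::ffff:")  # sshd on '::' logs IPv4 peers as ::ffff:a.b.c.d
        events.append((ts, m.group("user"), ip, kind))
    return events

def detect_bruteforce(events, threshold=5, window=60):
    """Flag source IPs with >= threshold failed passwords inside any window-second span."""
    by_ip = defaultdict(list)
    for ts, user, ip, kind in events:
        if kind == "failed_password":
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        stamps = [ts for ts, _ in attempts]
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window:
                alerts[ip] = {"failures": len(stamps),
                              "users": sorted({u for _, u in attempts})}
                break
    return alerts

# Constructed sample in the same shape as the thread's excerpt (198.51.100.7 is a placeholder).
SAMPLE = """\
Oct  8 00:40:52 www sshd[12447]: Failed password for invalid user john from ::ffff:198.51.100.7 port 36201 ssh2
Oct  8 00:40:52 www sshd[12449]: Failed password for root from ::ffff:198.51.100.7 port 36204 ssh2
Oct  8 00:40:53 www sshd[12457]: Failed password for root from ::ffff:198.51.100.7 port 36243 ssh2
Oct  8 00:40:53 www sshd[12461]: Invalid user test from ::ffff:198.51.100.7
Oct  8 00:40:53 www sshd[12461]: Failed password for invalid user test from ::ffff:198.51.100.7 port 36268 ssh2
Oct  8 00:40:54 www sshd[12465]: Failed password for root from ::ffff:198.51.100.7 port 36299 ssh2
""".splitlines()
```

This only counts attempts: a successful login is logged by sshd as an "Accepted password" or "Accepted publickey" line, and none appears in the excerpt above.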
  #2  
Old 20th October 2005, 11:42 AM
giulix
"Fixed" by (vague) request
 
Join Date: Oct 2005
Location: GMT+ 1
Posts: 2,950
I wouldn't trust the server any longer. Check for rootkits and, if at all possible, make a clean install. Also report the IP address of the possible intruder to her/his ISP (not that it changes anything, but tell them you had to reinstall and that next time you'll sue them for damages).