VPS Hacked; user "daemon" assigned password and root access

What I originally thought was a VPS problem turned out to be a hacked system. From auth.log I see somebody on Monday changed the password for "daemon", changed its shell to bash and added daemon to the root group and then "su -" to root. Tuesday daemon logged in again, and a few minutes later my VPS went down.

The Monday activity (giving daemon login and root access) took a couple of minutes, so it was probably an interactive action rather than a script. But I don't see where there is a session open where the hacker made the changes.

I am surprised to see that I had SSH protocol 1 enabled in sshd_config. I also have "UsePAM yes" in there. I haven't updated in a while, but I was unaware of any OpenSSH vulnerabilities, and I'm running "OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004" which as far as I can tell has no PAM or protocol vulnerabilities. Am I wrong here?

This is Debian 3.1, and other than OpenSSH I had UW imapd running (SSL-only, with digest passwords) and Apache with Drupal, Mambo and Squirrelmail php web apps. My passwords weren't real strong, but my root had uppercase, lowercase, numbers and a symbol. A user account had mixed case and numbers. (Kernel: 2.4.20-021stab028.18.777-smp)

I'd like to have a better idea of how I got hacked so I can avoid it after wiping out and reinstalling. Does anyone recognize this hack and have an idea of how they were able to change the password and shell for "daemon"?

Thanks!

An excerpt from the auth.log. The parts between the periods (.....) are entries that I think are not related to the hack, but there have been similar scripted logon attempts (and failures) in the past few days. I can't find evidence of a shell/session being open before the password change, so I don't know how they got in.

Code:
Feb  6 16:46:16 sharkbait passwd[23921]: (pam_unix) password changed for daemon
Feb  6 16:46:16 sharkbait passwd[23921]: (pam_unix) Password for daemon was changed
Feb  6 16:46:27 sharkbait chsh[23923]: changed user `daemon' shell to `/bin/bash'
Feb  6 16:48:19 sharkbait su[24086]: + ??? root:daemon
Feb  6 16:48:19 sharkbait su[24086]: (pam_unix) session opened for user daemon by (uid=0)
Feb  6 16:48:29 sharkbait sudo:   daemon : TTY=unknown ; PWD=/usr/sbin ; USER=root ; COMMAND=/bin/su -
Feb  6 16:48:29 sharkbait su[24093]: + ??? root:root
Feb  6 16:48:29 sharkbait su[24093]: (pam_unix) session opened for user root by (uid=0)
(..............................)
Feb  6 20:32:13 sharkbait sshd[31013]: Illegal user operator from 172.172.0.4
Feb  6 20:32:19 sharkbait sshd[31020]: (pam_unix) check pass; user unknown
Feb  6 20:32:19 sharkbait sshd[31020]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acac0004.
Feb  6 20:32:21 sharkbait sshd[31013]: error: PAM: User not known to the underlying authentication module for illegal user ope
Feb  6 20:32:21 sharkbait sshd[31013]: Failed keyboard-interactive/pam for illegal user operator from 172.172.0.4 port 4072 ss
Feb  6 20:32:38 sharkbait sshd[31072]: Illegal user operator from 172.172.0.4
Feb  6 20:32:42 sharkbait sshd[31076]: (pam_unix) check pass; user unknown
Feb  6 20:32:42 sharkbait sshd[31076]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acac0004.
Feb  6 20:32:44 sharkbait sshd[31072]: error: PAM: User not known to the underlying authentication module for illegal user ope
Feb  6 20:32:44 sharkbait sshd[31072]: Failed keyboard-interactive/pam for illegal user operator from 172.172.0.4 port 4075 ss
Feb  7 05:57:47 sharkbait sshd[15009]: Did not receive identification string from 202.46.4.77
Feb  7 07:34:28 sharkbait sshd[2230]: Did not receive identification string from 60.248.73.6
Feb  7 07:34:28 sharkbait sshd[2316]: Did not receive identification string from 60.248.73.6
Feb  7 10:18:48 sharkbait sshd[25048]: Did not receive identification string from 203.131.72.116
Feb  7 10:18:48 sharkbait sshd[25050]: Did not receive identification string from 203.131.72.116
(.......................................)
Feb  7 14:16:35 sharkbait sshd[24722]: Illegal user operator from 172.182.219.49
Feb  7 14:16:39 sharkbait sshd[24882]: (pam_unix) check pass; user unknown
Feb  7 14:16:39 sharkbait sshd[24882]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acb6db31.
Feb  7 14:16:41 sharkbait sshd[24722]: error: PAM: User not known to the underlying authentication module for illegal user ope
Feb  7 14:16:41 sharkbait sshd[24722]: Failed keyboard-interactive/pam for illegal user operator from 172.182.219.49 port 2275
Feb  7 14:23:00 sharkbait sshd[26263]: Accepted keyboard-interactive/pam for daemon from 172.182.219.49 port 2305 ssh2
Feb  7 14:23:00 sharkbait sshd[26268]: (pam_unix) session opened for user daemon by (uid=0)
Feb  7 14:23:06 sharkbait sudo:   daemon : TTY=pts/0 ; PWD=/usr/sbin ; USER=root ; COMMAND=/bin/su -
Feb  7 14:23:06 sharkbait su[26347]: + pts/0 root:root
Feb  7 14:23:06 sharkbait su[26347]: (pam_unix) session opened for user root by daemon(uid=0)

(EDIT: The VPS is in "repair mode" now. I assume my system is rootkitted and otherwise nastified.)
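The post reads the auth.log timeline by eye. As an added example (not from the original post or its author), the following Python script parses the same kinds of lines and flags what a responder would triage first: account changes with no accepted SSH login anywhere earlier in the lookback window, sudo/su invocations with no controlling terminal, and interactive logins or sudo-to-root by system accounts. The sample log is constructed to mirror the excerpt above; the SYSTEM_ACCOUNTS set and the 60-minute lookback are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the auth.log excerpt in the post
# (same event shapes, trimmed to the lines the analysis keys on).
SAMPLE_LOG = """\
Feb  6 16:46:16 sharkbait passwd[23921]: (pam_unix) password changed for daemon
Feb  6 16:46:27 sharkbait chsh[23923]: changed user `daemon' shell to `/bin/bash'
Feb  6 16:48:19 sharkbait su[24086]: + ??? root:daemon
Feb  6 16:48:29 sharkbait sudo:   daemon : TTY=unknown ; PWD=/usr/sbin ; USER=root ; COMMAND=/bin/su -
Feb  6 16:48:29 sharkbait su[24093]: + ??? root:root
Feb  7 14:16:41 sharkbait sshd[24722]: Failed keyboard-interactive/pam for illegal user operator from 172.182.219.49 port 2275 ssh2
Feb  7 14:23:00 sharkbait sshd[26263]: Accepted keyboard-interactive/pam for daemon from 172.182.219.49 port 2305 ssh2
Feb  7 14:23:06 sharkbait sudo:   daemon : TTY=pts/0 ; PWD=/usr/sbin ; USER=root ; COMMAND=/bin/su -
Feb  7 14:23:06 sharkbait su[26347]: + pts/0 root:root
"""

# Assumed set of Debian system accounts that should never log in interactively.
SYSTEM_ACCOUNTS = {"daemon", "bin", "sys", "games", "man", "lp", "mail", "news",
                   "uucp", "proxy", "www-data", "backup", "operator", "nobody"}

NO_TTY = {"unknown", "???"}  # how sudo and su record "no controlling terminal"

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>[\w.-]+)(?:\[\d+\])?:\s*(?P<msg>.*)$")

# (program, event kind, message pattern); the named groups become event fields.
PATTERNS = [
    ("passwd", "passwd_change", re.compile(r"password changed for (?P<user>\S+)")),
    ("chsh", "shell_change", re.compile(r"changed user `(?P<user>[^']+)' shell to `(?P<shell>[^']+)'")),
    ("sshd", "ssh_accept", re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("sshd", "ssh_fail", re.compile(r"Failed \S+ for (?:illegal user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("sudo", "sudo", re.compile(r"(?P<user>\S+) : TTY=(?P<tty>\S+) ; .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)")),
    ("su", "su", re.compile(r"\+ (?P<tty>\S+) (?P<user>\S+):(?P<target>\S+)")),  # shadow su logs "+ tty from:to"
]


def parse_log(text):
    """Turn auth.log lines into event dicts; lines matching no known pattern are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for prog, kind, pat in PATTERNS:
            if m["prog"] != prog:
                continue
            pm = pat.search(m["msg"])
            if pm:
                # syslog timestamps carry no year; the parsed value is only used for ordering and deltas
                ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
                events.append({"time": ts, "raw_ts": m["ts"], "kind": kind, **pm.groupdict()})
                break
    return events


def analyze(events, lookback_minutes=60):
    """Return (category, timestamp, detail) findings in log order."""
    findings = []
    for i, ev in enumerate(events):
        if ev["kind"] in ("passwd_change", "shell_change"):
            # An account change should be preceded by someone authenticating; if not,
            # the actor reached the box by a path this log does not record.
            logged_in = any(e["kind"] == "ssh_accept"
                            and (ev["time"] - e["time"]).total_seconds() <= lookback_minutes * 60
                            for e in events[:i])
            if not logged_in:
                findings.append(("no_prior_login", ev["raw_ts"],
                                 f"{ev['kind']} for {ev['user']} with no accepted SSH login "
                                 f"in the previous {lookback_minutes} min"))
        if ev["kind"] == "ssh_accept" and ev["user"] in SYSTEM_ACCOUNTS:
            findings.append(("system_account_login", ev["raw_ts"],
                             f"interactive SSH login as system account {ev['user']} from {ev['src']}"))
        if ev["kind"] in ("sudo", "su") and ev["tty"] in NO_TTY:
            findings.append(("no_tty", ev["raw_ts"],
                             f"{ev['kind']} {ev['user']} -> {ev['target']} with no controlling terminal"))
        if ev["kind"] == "sudo" and ev["user"] in SYSTEM_ACCOUNTS and ev["target"] == "root":
            findings.append(("system_account_escalation", ev["raw_ts"],
                             f"system account {ev['user']} ran '{ev['cmd']}' as root via sudo"))
    return findings


if __name__ == "__main__":
    for cat, ts, detail in analyze(parse_log(SAMPLE_LOG)):
        print(f"{ts}  {cat:<27} {detail}")
```

On the sample, the Feb 6 passwd and chsh events are flagged because no login precedes them, and every Feb 6 sudo/su is flagged for lacking a terminal. Note that shadow's su logs `+ tty from:to`, so `+ ??? root:daemon` records an existing uid 0 context switching to daemon; auth.log shows the escalation being used, not how root was obtained in the first place, which is the gap the post describes.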
