Very Strange Problem - Have I been hacked?
I'm running RH8 server with Apache, PHP, PHPNuke, MySQL, SSH, etc - it's publicly facing.
Yesterday, I noticed that my system was down (networking not running) - So I rebooted - On startup I noticed lots of messages referring to a segmentation fault - I narrowed the fault down to 'grep' - every time I run grep, I get the segmentation fault. I looked at the 'grep' file and compared it to another RH8 system I have here (private system) - The size of grep was different, I renamed the bad grep, copied the grep from the other system and ran it - worked fine. (Bad grep size = 120360, Good grep 116264)
However, after a while, the good grep changed size (for reasons I can't work out) to the same size as the bad grep. It also now does the segmentation fault thing.
I renamed and copied again - and the exact same thing happened.
Checked my logs and found this:
Apr 27 16:36:10 spr6 sshd: Failed password for x from 18.104.22.168 port 1171
Apr 27 16:36:16 spr6 sshd: Accepted password for x from 22.214.171.124 port 1171
Apr 27 16:58:54 spr6 sshd: Failed password for x from 126.96.36.199 port 1172
Apr 27 16:59:16 spr6 sshd: Accepted password for x from 188.8.131.52 port 1172
Apr 27 21:56:21 spr6 sshd: Did not receive identification string from 184.108.40.206
Apr 27 21:57:48 spr6 sshd: Did not receive identification string from 220.127.116.11
I didn't think that I had a user called 'x' on my system - checked on the other system and yep, no x
Here's the entry out of the /etc/passwd file
There also was another user created named 'zunja' but I deleted it before I knew what was going on, having thought I may have created this one during my testing ages ago....
I don't get it - my root password is very strong, not in a dictionary, etc - maybe I wasn't hacked??
Can anyone shed any light on this???
I don't want to rebuild the system and I would really like to find out what happened. I reckon that by getting grep working properly, it will be all good again....
BTW - the web server was just running anything very interesting....
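
Added example (not part of the original post): one way to automate the check the poster made by eye, listing sshd "Accepted" logins for accounts that are missing from a known-good account list. The function names, the baseline account list and the `admin` log line are constructed for illustration; the other log lines are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: flag sshd "Accepted" logins for accounts that are missing
# from a known-good account list, e.g. usernames cut from a trusted copy of
# /etc/passwd (cut -d: -f1). Names below are illustrative, not from the post.

# flag_unknown_logins LOGFILE KNOWN_USERS_FILE
# Prints "month day time user source-ip" for each accepted login by an
# account that is not in KNOWN_USERS_FILE (one username per line).
flag_unknown_logins() {
    awk '
        FILENAME == ARGV[1] { known[$1] = 1; next }   # load the baseline
        / sshd(\[[0-9]+\])?: Accepted / {             # with or without a PID
            user = ""; ip = ""
            for (i = 1; i < NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            if (user != "" && !(user in known))
                print $1, $2, $3, user, ip
        }
    ' "$2" "$1"
}

# Sample input: log lines quoted in the post, plus one constructed line
# (admin) for a baseline account so the filter has something to pass over.
sample_log() {
    cat <<'EOF'
Apr 27 16:36:10 spr6 sshd: Failed password for x from 18.104.22.168 port 1171
Apr 27 16:36:16 spr6 sshd: Accepted password for x from 22.214.171.124 port 1171
Apr 27 16:58:54 spr6 sshd: Failed password for x from 126.96.36.199 port 1172
Apr 27 16:59:16 spr6 sshd: Accepted password for x from 188.8.131.52 port 1172
Apr 27 17:05:00 spr6 sshd[2211]: Accepted password for admin from 192.0.2.10 port 1200
Apr 27 21:56:21 spr6 sshd: Did not receive identification string from 184.108.40.206
EOF
}

# Runs the check over the sample data in a throwaway directory.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_log > "$tmp/secure"
    printf '%s\n' root admin apache mysql > "$tmp/known_users"  # constructed baseline
    flag_unknown_logins "$tmp/secure" "$tmp/known_users"
    rm -rf "$tmp"
}

demo
```

Build the baseline from a machine or backup you trust, not from the suspect host, since its account files and tools may already have been altered.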