I've been fighting with a hacker on my web server for the past couple of days. I thought I had public key auth set up for SSH, but it apparently wasn't configured on that server, so he was spamming SSH logins. He didn't get root, and I'm not sure how he got in at all, but he managed to start sending out attacks from my server. When I found out what was happening, I immediately brought down the external NIC and configured public key authentication for SSH, and set it not to accept passwords at all.

It was peaceful for a few days, but then the server went down yesterday. I could ping it, but couldn't SSH in. I restarted the server and pulled up the logs. I found that the first time, he had created and then removed users and groups named temp and crond. I believe it was the hacker, anyway. After the second time, it occurred to me that home directories were created when those users were added, so I just went in and deleted the home folders (I should at least have looked at the .bash_history before doing that, oh well).
So, somehow he managed to restart my sshd and then could start spamming SSH again; this time the log files were saying "Illegal user ... From". Anyway, I just want this guy to stay out. How can I find out how he is getting in?
My /var/log/secure file is empty, but my secure.1 file has stuff in it; that's where I saw the user creations and deletions. Why might the secure file be empty? Any help is greatly appreciated. Thanks!
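The two questions in the post ("how is he getting in?" and "did I really turn passwords off?") are usually answered by reading /var/log/secure for the exact authentication method sshd accepted, and by reading sshd_config the way sshd does. The script below is an added example, not code from the original post: it sifts syslog-format sshd, useradd and userdel lines for accepted logins and their method, failed attempts per source address, "Illegal user" / "Invalid user" probes, and account creation or deletion, and then checks a sshd_config fragment for the password paths that are still open. The log lines, host name, addresses and the sshd_config fragment are constructed for illustration; the directive names and message formats are the ones OpenSSH and shadow-utils use.

```python
"""Added example (not from the original post): find how sessions got in and
which accounts were touched, from an sshd/auth log in /var/log/secure format,
then check whether sshd_config still permits password-style logins."""
import re
from collections import Counter

# Constructed sample in the syslog format sshd, useradd and userdel emit.
SAMPLE_SECURE_LOG = """\
Jun  3 02:14:07 web sshd[4121]: Accepted password for admin from 203.0.113.7 port 51820 ssh2
Jun  3 02:14:09 web useradd[4130]: new group: name=temp, GID=1003
Jun  3 02:14:09 web useradd[4130]: new user: name=temp, UID=1003, GID=1003, home=/home/temp, shell=/bin/bash
Jun  3 02:20:44 web userdel[4188]: delete user 'temp'
Jun  3 03:01:12 web sshd[4201]: Illegal user test from 198.51.100.23
Jun  3 03:01:13 web sshd[4203]: Failed password for illegal user test from 198.51.100.23 port 3344 ssh2
Jun  3 03:01:20 web sshd[4205]: Failed password for root from 198.51.100.23 port 3350 ssh2
Jun  3 07:45:01 web sshd[4310]: Accepted publickey for deploy from 192.0.2.10 port 40122 ssh2
"""

# "Illegal user" is the wording of older OpenSSH releases; newer ones say "Invalid user".
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")
FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for (?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+)")
ILLEGAL = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\S+)")
USERADD = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")
USERDEL = re.compile(r"userdel\[\d+\]: delete user '(?P<user>[^']+)'")


def analyze(log_text):
    """Summarise accepted logins (with method), failures per source, probes and account changes."""
    accepted, failed_by_ip, illegal_users, account_changes = [], Counter(), Counter(), []
    for line in log_text.splitlines():
        if m := ACCEPTED.search(line):
            accepted.append((m["method"], m["user"], m["ip"]))
        elif m := FAILED.search(line):
            failed_by_ip[m["ip"]] += 1
        elif m := ILLEGAL.search(line):
            illegal_users[m["user"]] += 1
        elif m := USERADD.search(line):
            account_changes.append(("added", m["user"]))
        elif m := USERDEL.search(line):
            account_changes.append(("deleted", m["user"]))
    return {
        "accepted": accepted,
        # Every "Accepted password" entry is a session that got in without a key.
        "password_logins": [a for a in accepted if a[0] == "password"],
        "failed_by_ip": failed_by_ip,
        "illegal_users": illegal_users,
        "account_changes": account_changes,
    }


# Constructed sshd_config fragment: passwords "off", but keyboard-interactive left on.
SAMPLE_SSHD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
"""


def password_paths_open(config_text):
    """Return the directives that still let a password be typed at login.

    sshd honours the FIRST occurrence of a directive (Match blocks are not
    handled here). 'PasswordAuthentication no' alone is not enough: with
    ChallengeResponseAuthentication (alias KbdInteractiveAuthentication)
    left at its default of yes, PAM can still prompt for the password.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "challengeresponseauthentication":
            key = "kbdinteractiveauthentication"
        seen.setdefault(key, value.strip().lower())  # first occurrence wins
    open_paths = []
    if seen.get("passwordauthentication", "yes") != "no":
        open_paths.append("PasswordAuthentication")
    if seen.get("kbdinteractiveauthentication", "yes") != "no":
        open_paths.append("ChallengeResponseAuthentication")
    return open_paths


if __name__ == "__main__":
    report = analyze(SAMPLE_SECURE_LOG)
    for method, user, ip in report["accepted"]:
        print(f"accepted {method:10} {user:8} from {ip}")
    print("failed attempts by source:", dict(report["failed_by_ip"]))
    print("probed non-existent users:", dict(report["illegal_users"]))
    print("account changes:", report["account_changes"])
    print("password paths still open:", password_paths_open(SAMPLE_SSHD_CONFIG))
```

Run it against the real file with `analyze(open("/var/log/secure.1").read())` and `password_paths_open(open("/etc/ssh/sshd_config").read())`. An "Accepted password" line names the account and source address that got in without a key, and an "Accepted" line for a user you never created is the sign to look for after the temp/crond episode. After editing sshd_config, `sshd -t` validates it and the daemon only picks the change up on a reload or restart; if the file still lists ChallengeResponseAuthentication (or KbdInteractiveAuthentication) as yes, password guessing is still possible even with PasswordAuthentication no.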