Linux secure log
I found that message in my /var/log/secure file:
Accepted password for user-name from ::ffff:xxx.xxx.xxx.xxx port 50445 ssh2
The user-name is one of the users on my computer, but I do not know where the IP is from. Does that mean my computer has been broken into by someone? And what does the 'ffff' mean?
I think this entry still has a timestamp. Try to remember whether you used SSH at that time from somewhere. Also, you can try to find out DNS information with the command "dig" (use the manpages), if the logger hasn't done it already. I am not sure, but I think ffff is somehow related to IPv6.
Then you should check that everything is all right.
"netstat" tells where your computer is connected to; if there are any strange connections, you should unplug your computer.
Also look at /etc/passwd and /etc/shadow and make sure there are no odd extra users (keep in mind many programs and daemons create their own users).
Check that you still have the root password.
Check that there are no strange processes/daemons running; the "ps auxw" command helps.
Check that there are no strange directories anywhere; use "ls -la" to list every file in a directory, including hidden files (files which start with a dot, for example .bashrc).
The safest option is to back up just the files you really need, no more (malicious code can be hiding in files you back up), and then reinstall your OS, correctly destroying all data on your infected hard disk. Remember that many rootkits try to hide themselves from the user; for example they can try to hide their files, hide their process entry, and hide the connections they establish to the internet. That's why you should reinstall your OS if you think someone/something has cracked your computer. In some cases getting shell access means exploiting some insecure daemon and gaining root access, after which nothing can prevent the intruder from doing bad things.
I recommend that you unplug your computer from the internet, in case a possible intruder uses your computer as a proxy to attack somewhere else.
And one thing to say: DON'T HASTEN! Usually the user does dumb things in situations like this.
Remember, in most cases unplugging the network cord or WLAN card makes the system useless to the intruder, and you can calm down and think in peace about what to do. And if the intruder had wanted to destroy your files, he has possibly done it already before you realized what was happening.
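As an added example (not code from the thread), the script below parses "Accepted" lines of the kind quoted in the question, unwraps the ::ffff: form (an IPv4 address carried inside an IPv6 address, which is how sshd logs IPv4 peers on a dual-stack socket) so the real IPv4 source is visible, and marks logins from outside a list of trusted networks for review. The sample log lines and the 192.0.2.0/24 "trusted" network are constructed, not from any real system.

```python
import ipaddress
import re
from dataclasses import dataclass

# sshd "Accepted <method> for <user> from <addr> port <port> ssh2", with or
# without the syslog "Mon DD HH:MM:SS host sshd[pid]: " prefix in front of it.
ACCEPTED_RE = re.compile(
    r"^(?:(?P<stamp>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: )?"
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<addr>\S+) port (?P<port>\d+)"
)

@dataclass
class Login:
    stamp: "str | None"
    user: str
    method: str
    source: str   # plain IPv4 when the log held ::ffff:a.b.c.d, else the raw address
    mapped: bool  # True when sshd logged an IPv4-mapped IPv6 address
    trusted: bool

def normalize(addr):
    """Return (address, was_mapped). sshd on a dual-stack IPv6 socket records
    IPv4 peers as ::ffff:a.b.c.d; unwrap so allowlists can be plain IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped, True
    return ip, False

def parse_accepted(lines, trusted_nets):
    """Extract successful logins; trusted_nets is a constructed allowlist of CIDRs."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    found = []
    for line in lines:
        m = ACCEPTED_RE.match(line.strip())
        if not m:
            continue
        try:
            ip, mapped = normalize(m["addr"])
        except ValueError:  # e.g. a redacted xxx.xxx.xxx.xxx address
            continue
        found.append(Login(m["stamp"], m["user"], m["method"], str(ip), mapped,
                           any(ip in n for n in nets)))
    return found

# Constructed sample lines; 192.0.2.0/24 stands in for the admin's own network.
SAMPLE = [
    "Jan 12 03:14:22 box sshd[2210]: Accepted password for user-name from ::ffff:203.0.113.5 port 50445 ssh2",
    "Jan 12 09:01:07 box sshd[2390]: Accepted publickey for admin from 192.0.2.10 port 41022 ssh2",
    "Jan 12 09:02:11 box sshd[2391]: Failed password for invalid user test from ::ffff:198.51.100.9 port 55001 ssh2",
]
```

Running `parse_accepted(SAMPLE, ["192.0.2.0/24"])` returns the two successful logins, with the password login from 203.0.113.5 marked untrusted and the key-based login from 192.0.2.10 marked trusted; the failed attempt is ignored because it is not an "Accepted" line.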
If you don't log in through ssh at all, turn off the ssh service. If you need to use it, then turn off password access through ssh. If you do use ssh, but always from the same place, then restrict access to the ssh service to the static IPs you're going to connect from.
It can also help to use minimum standards for your users' passwords: nothing easy to guess, must contain numbers and letters, mixed case, etc.
Yep, and don't forget to disable root ssh login! If you need remote root access, then use it via sudo or su. I have also noticed that using tcpwrappers to restrict the accessibility of services (especially SSH; the other services can't be seen from the internet) is a great help. For example, I have allowed only my own country (most of the scans and attacks come from other countries); it makes a big improvement to the security of my server. About the passwords of users, John the Ripper is the tool.