Looks like I was hacked. I guess that's what I get for installing an OS, connecting it to the internet, half updating it and going to bed and class. I returned and saw some funky messages about the games user having ssh'd in and it confused me, but the logs revealed nothing so I went to bed. Silly me. I haven't touched it since it happened (a few days ago), and I went to play with John the Ripper tonight. I noticed that it found 4 passwords when I attempted to crack my shadow file. I have my root account, my user account and one friend has a shell, so this confused me. I checked and games had a password. I promptly removed the password and locked the account (removed the shell as well) and started searching for clues. I decided to start with the games folder and sure enough found a file called owned with an IP address in it (126.96.36.199); this resolves to tnt.pl. Anyone know anything about it? Anyways, I then noticed a directory called w00t, which is full of source and compiled apps, mostly for scanning samba. Now I know I had an insecure version of ssh, but I'm wondering if my samba was also insecure and that's how they used it to get in. They seem to just be scanning from one network to another. Anyways, I'm still investigating but I seem to have most things locked back down. It's good that my Linux box isn't my day to day box because I wouldn't want any valuable data stored on there.
I have aliased the /usr/games/w00t directory that they created into Apache, and for those of you who are interested in seeing what they were using and what they were attempting to do, it's located at http://tyler.reguly.net/w00t
Hopefully this will help others avoid suffering the same fate and possibly shed some light onto what happened to me.
Server will be available for the next 24 hours max. Then I will be reinstalling Mandrake 9.1 (I'm leaving it up for those of you interested in viewing the files located there).

The attackers gained access to the games account and from there escalated their privileges to root. They (obviously from Poland based on an abundance of .pl addresses) then wiped the syslogs clean (http://republika.pl/garfix/wipe), before proceeding. They played around a bit, and cleaned off my samba software. They installed some program called k (http://anax.us/~fishboner/k). After some other garbage (view the bash_history on the server) they installed the vckit (http://republika.pl/garfix/vckit.tgz). It is quite the lil toy; I downloaded it and viewed the set-up file and it does some serious damage to the system, moving around files and such. They downloaded an iso (who knows why) and then grabbed woot (http://republika.pl/garfix/woot.tgz), the files of which are still available from the server. Then they played around with a BitchX exploit (http://netric.org/exploits/gespuis.c).
This is similar to the behaviour of a Linux worm that is out there exploiting samba; however, it is different and there are obvious user typos in the bash_history. As well, the existence of the bash_history tells me they were sloppy. Then again, I guess I was even sloppier...
I found it to be an interesting read... taking a look at the tools/methods used by this attack scenario...