Web Hosting Talk

Under attack - HELP!


Ricky_1
03-25-2001, 05:19 PM
In the last two days my server (Red Hat 6.2 with Plesk 1.3.1) had 2 attacks.
The first time they changed the root password (10 characters long), then created a new user (I've been able to modify the root password thanks to webmin; now the root password is 30 chars long). The second time they changed the 15-char-long password of an existing user, then they created their own user. This is what I found in the log:

First attack:

Mar 23 07:11:31 s1 PAM_pwdb[21736]: password for (root/0) changed by ((null)/0)
Mar 23 07:13:19 s1 login[21739]: ROOT LOGIN on `pts/3' from `164.77.67.47'
Mar 23 07:13:39 s1 inetd[507]: pid 21708: exit status 1
Mar 23 07:16:03 s1 useradd[21764]: new group: name=spider, gid=10009
Mar 23 07:16:03 s1 useradd[21764]: new user: name=spider, uid=10009, gid=10009, home=/home/spider, shell=/bin/bash
Mar 23 07:16:24 s1 PAM_pwdb[21765]: password for (spider/10009) changed by (root/0)
Mar 23 07:32:01 s1 inetd[507]: pid 21795: exit status 1
Mar 23 07:33:33 s1 PAM_pwdb[21798]: password for (root/0) changed by ((null)/0)
Mar 23 07:36:15 s1 PAM_pwdb[21809]: get passwd; pwdb: request not recognized
Mar 23 07:36:34 s1 PAM_pwdb[21810]: (ftp) session opened for user spider by (uid=0)
Mar 23 07:41:03 s1 inetd[507]: pid 21738: exit status 1
Mar 23 07:44:28 s1 PAM_pwdb[21810]: (ftp) session closed for user spider
Mar 23 07:47:32 s1 PAM_pwdb[21841]: password for (root/0) changed by ((null)/0)
mar 23 07:48:51 s1 PAM_pwdb[21867]: authentication failure; spider(uid=10009) -> root for su service
Mar 23 07:52:30 s1 PAM_pwdb[21877]: (ftp) session opened for user spider by (uid=0)
Mar 23 07:59:55 s1 modprobe: modprobe: Can't locate module net-pf-10
Mar 23 08:04:11 s1 fingerd[22086]: Client hung up - probable port-scan

Second attack:

Mar 25 21:58:33 s1 PAM_pwdb[801]: password for (pippo/500) changed by ((null)/0)

Any idea of what happened and how I can stop them?
Thanks a lot!
Ricky
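The log lines in the post carry several distinct indicators: a password changed with no identifiable changing user ("(null)"), an interactive root login from a remote address, and a new account with a login shell. As an added example, not part of the thread, here is a small Python checker that flags those patterns over the lines quoted above; the severities and the field-parsing regexes are my own assumptions, not anything the thread specifies.

```python
import re

# Sample input constructed from the log lines quoted in the post above (trimmed to the relevant events).
SAMPLE_LOG = """\
Mar 23 07:11:31 s1 PAM_pwdb[21736]: password for (root/0) changed by ((null)/0)
Mar 23 07:13:19 s1 login[21739]: ROOT LOGIN on `pts/3' from `164.77.67.47'
Mar 23 07:16:03 s1 useradd[21764]: new user: name=spider, uid=10009, gid=10009, home=/home/spider, shell=/bin/bash
Mar 23 07:16:24 s1 PAM_pwdb[21765]: password for (spider/10009) changed by (root/0)
Mar 23 07:48:51 s1 PAM_pwdb[21867]: authentication failure; spider(uid=10009) -> root for su service
Mar 25 21:58:33 s1 PAM_pwdb[801]: password for (pippo/500) changed by ((null)/0)
"""

# Field patterns are assumptions based on the PAM_pwdb / login / useradd formats seen in the post.
PW_CHANGE = re.compile(r"password for \((\w+)/(\d+)\) changed by \((\S+)/(\d+)\)")
ROOT_LOGIN = re.compile(r"ROOT LOGIN on `([^']+)' from `([^']+)'")
NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=(\w+), uid=(\d+).*shell=(\S+)")


def analyze(log_text):
    """Return a list of (severity, reason, line) findings for the indicators discussed in the thread."""
    findings = []
    for line in log_text.splitlines():
        m = PW_CHANGE.search(line)
        if m:
            user, _uid, changer, _cuid = m.groups()
            if changer == "(null)":
                # No recognisable changing user: the change did not come from an admin's login session.
                findings.append(("critical", f"password of {user} changed with no identifiable changer", line))
            elif user == "root":
                findings.append(("high", "root password changed", line))
            continue
        m = ROOT_LOGIN.search(line)
        if m:
            tty, src = m.groups()
            findings.append(("high", f"interactive root login on {tty} from {src}", line))
            continue
        m = NEW_USER.search(line)
        if m:
            name, uid, shell = m.groups()
            if shell not in ("/sbin/nologin", "/bin/false"):
                findings.append(("medium", f"new shell account {name} (uid {uid}, shell {shell})", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in analyze(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```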

_G_
03-25-2001, 06:46 PM
Make sure you have the latest versions of the software you are running. For example, if you have the old vulnerable versions of bind people could get in. As you say they/it has had root access, they could have replaced some files so when you think you have run XXX you have actually run their program that makes you think XXX took place but it did something else. Have a look at http://www.securityfocus.com for LOADS of info. Their layout of the pages is a bit annoying but there is lots of useful info.

Ricky_1
03-25-2001, 08:09 PM
I've found on redhat.com that kernel 2.2.14 (standard on RH 6.2) has a bug that allows users to log in as root, and the only solution is to upgrade the kernel.
Since there are several sites on this server and I don't want to screw up everything (I've never upgraded a kernel...) I've installed SSH and disabled Telnet.
Do you think this can be a solution, or do I absolutely need to upgrade the kernel?

_G_
03-25-2001, 08:21 PM
Well, on my systems I have upgraded the kernels. I am no expert but I would recommend you move to a secure one or at least one that has no bug where people can get in from outside. At least you could limit the breakins to someone with an account on your server.

By the way, I have messed up kernel upgrades and it is really easily done. It is one upgrade you have to re-boot for. If you have physical access to the server it isn't too bad as you can just choose the old one off the boot menu. A host might charge you for this. It is easy to see what went wrong afterwards but it is too late. I have upgraded to the 2.4.2 kernel; at the moment I will risk the fact that there might be a few bugs in it as nothing I run has to be up 100%. Not had a problem with it yet though.

I don't know how easy the redhat kernel update downloads are to install as I haven't tried. Someone will be able to comment though.

I don't know if disabling telnet will solve your problem (even if temporarily, until they find another way in) but even ssh had a bug and I had to upgrade that.

Travis
03-25-2001, 08:32 PM
Something else I want to make sure you're aware of...

It is a *very* common practice to install a "root kit" once a box has been compromised. That means you're likely to have back doors all over your system. There is really no solution beyond rebuilding the box from scratch - and I mean from scratch; you don't re-use ANY binaries from the old box.

It's a pain in the ass that I've had to go through once before - hope I never have to again.

Ricky_1
03-26-2001, 02:18 AM
How can I check if a "root kit" has been installed?

Travis
03-26-2001, 02:34 AM
If you have MD5 checksums of common system binaries (things like ls, su, ping, traceroute, etc.) check those. Otherwise, assume one has. :(

cperciva
03-26-2001, 03:53 AM
I think what Travis means to say is "check those, after rebooting from a known safe floppy, using a known safe checksum program."

Many rootkits include code to fool anyone who tries to compare checksums (usually, but not necessarily, a trojaned checksum utility).
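As an added example (not code from the thread), a Python baseline checker along the lines Travis and cperciva describe: record digests of the system binaries on a clean install, keep the baseline off the box, then after booting from a known-safe medium mount the suspect disk read-only and compare against it. The path list and the `root` mount-point parameter are assumptions; md5 is the default only because it is what the thread mentions, and sha256 can be passed instead.

```python
import hashlib
import os

# Binaries named in the thread as common rootkit targets; paths assumed for a Red Hat 6.2 layout.
WATCHED = ["/bin/ls", "/bin/su", "/bin/ping", "/usr/sbin/traceroute", "/bin/login", "/usr/bin/md5sum"]


def digest(path, algo="md5"):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, root="/", algo="md5"):
    """Record digests for every existing path under the filesystem mounted at `root`.
    Do this on a clean install and store the result off the box (e.g. on the rescue floppy),
    because a baseline kept on the disk can be edited by the same intruder."""
    baseline = {}
    for p in paths:
        full = os.path.join(root, p.lstrip("/"))
        if os.path.isfile(full):
            baseline[p] = digest(full, algo)
    return baseline


def verify(baseline, root="/", algo="md5"):
    """Compare the filesystem mounted at `root` against a stored baseline and return
    a list of (path, problem) tuples. Run it after booting from a known-safe medium
    with the suspect disk mounted read-only at `root`, so the kernel, the hashing code
    and the interpreter all come from trusted media rather than from the compromised box."""
    problems = []
    for p, expected in baseline.items():
        full = os.path.join(root, p.lstrip("/"))
        if not os.path.isfile(full):
            problems.append((p, "missing"))
        elif digest(full, algo) != expected:
            problems.append((p, "modified"))
    return problems


if __name__ == "__main__":
    # Example: suspect disk mounted at /mnt/suspect (assumed path), baseline built earlier on a clean box.
    clean = build_baseline(WATCHED, root="/")
    for path, problem in verify(clean, root="/mnt/suspect"):
        print(f"{problem}: {path}")
```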

Ricky_1
03-26-2001, 08:32 AM
Thank you all. For the moment, without telnet I've had no more attacks; anyway, I'll rebuild the box as soon as possible to avoid other problems.
For anyone who may be interested, I've found where the problem is - check this page: http://neworder.box.sk/showme.php3?id=2063

I suggest that all of you running a kernel prior to 2.2.16 upgrade as soon as possible and install webmin (without it I wouldn't have been able to change my root password again...)

Ricky