VMware vSphere

  • 1.  I may have been hacked.

    Posted Sep 30, 2012 02:08 AM

    Pre-Notes:

    I am no ESXi expert. I put the server up to tinker.  I am a Windows guy.

    This is not a production box but it is in a hardened environment.

    No one else has physical or remote access (so I thought) to this box.

    It is not on the internet.

    root password was not in any dictionary. 

    What I would like to know is:

    Was I really hacked?

    What logs should I look at?  (SSH is not on BTW)

    Without SSH how do I get to the logs?

    Facts:

    My Console now just says "Hey!"

    Nothing seems to be deleted.

    I cannot do anything from the console. Root... still says hey.

    I can use vSphere client.

    I changed the root password and shut down all the systems I had up. I am assuming one of the VMs was compromised and that is how the hacker (if that is the case) got internal network access (reverse telnet or something). This is a firewalled segment and there is nothing forwarded to this system from the Internet.

    Post notes:

    I am posting this as a learning experience for myself and others. I am sure I did something dumb. I was going to just rebuild the system (will do this anyway), but as this network has nothing of value I did not want to destroy any logs I can learn from. I got lucky... This is just a test lab.



  • 2.  RE: I may have been hacked.

    Posted Sep 30, 2012 03:29 AM

    SSH can be enabled via the vSphere client and I'd guess it's more likely that someone logged in via the client, enabled SSH and then changed the login screen on you.

    If you enable SSH, connect with a client like WinSCP and you can then browse directories. Go to /var/log and look at vmauthd.log and shell.log. That'll give you an idea of who has logged in and if any shell commands have been run.

    At the console, do you have the option to log in at all?



  • 3.  RE: I may have been hacked.

    Posted Sep 30, 2012 03:52 AM

    I did what you said... thank you BTW...

    I cannot do anything from the console... it just says "hey!"

    Do you think the logs have been cleared?

    shell.log

    2012-03-18T02:09:27Z ESXShell: ESXi Shell unavailable
    2012-03-18T04:21:20Z ESXShell: ESXi Shell unavailable
    2012-04-15T19:12:05Z ESXShell: ESXi Shell unavailable
    2012-05-11T19:49:37Z ESXShell: ESXi Shell unavailable
    2012-05-13T15:04:48Z ESXShell: ESXi Shell unavailable
    2012-05-28T17:20:02Z ESXShell: ESXi Shell unavailable
    2012-09-29T17:19:32Z ESXShell: ESXi Shell unavailable
    2012-09-29T18:13:18Z ESXShell: ESXi shell login enabled
    2012-09-29T18:13:18Z ESXShell: ESXi Shell available
    2012-09-29T18:14:15Z ESXShell: ESXi shell login disabled
    2012-09-29T18:14:15Z ESXShell: ESXi Shell unavailable
    2012-09-30T00:45:08Z ESXShell: ESXi Shell unavailable
    2012-09-30T03:35:33Z SSH: SSH login enabled

    auth.log

    2012-09-30T03:38:05Z sshd[10360]: Connection from 192.168.250.31 port 58777 (this is me, getting the logs)
    2012-09-30T03:38:07Z sshd[10361]: pam_per_user: create_subrequest_handle(): doing map lookup for user "root"
    2012-09-30T03:38:07Z sshd[10361]: pam_per_user: create_subrequest_handle(): creating new subrequest (user="root", service="system-auth-generic")
    2012-09-30T03:38:07Z sshd[10360]: Accepted keyboard-interactive/pam for root from 192.168.250.31 port 58777 ssh2
    2012-09-30T03:38:07Z sshd[10360]: pam_per_user: create_subrequest_handle(): doing map lookup for user "root"
    2012-09-30T03:38:07Z sshd[10360]: pam_per_user: create_subrequest_handle(): creating new subrequest (user="root", service="system-auth-generic")
    2012-09-30T03:38:07Z sshd[10360]: pam_unix(system-auth-generic:session): session opened for user root by (uid=0)
    2012-09-30T03:38:07Z sshd[10360]: User 'root' running command '/bin/sh'

    Here is the directory (don't know if this helps)
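The triage the second reply describes (enable SSH, copy shell.log and auth.log off the host, then work out who enabled the shell or SSH and who logged in) as an added example in Python that is not part of this thread and not VMware's code: it parses the two log formats pasted above, joins each sshd login to the command that session ran via the sshd pid, correlates it with the most recent "SSH login enabled" event in shell.log, and flags any login whose source address is not on a list you supply or that has no enable event before it. The sample lines are constructed in the thread's format; the 10.0.0.9 entries are invented so that a flagged login is visible, and the expected_sources list is an assumption you would fill in with your own workstation address.

```python
"""Triage ESXi shell.log / auth.log excerpts for service enablement and SSH logins.

Added example, not from the thread or from VMware.  Sample lines are constructed;
the 10.0.0.9 entries are invented so that a flagged login is visible.
"""
import re
from datetime import datetime, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# shell.log: the host records when ESXi Shell / SSH login is switched on or off
# (the vSphere client toggles land here, so an attacker using the client shows up too)
SERVICE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>ESXShell|SSH): (?:ESXi shell|SSH) login (?P<state>enabled|disabled)$"
)
# auth.log: successful sshd authentication, and the command the session ran
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[(?P<pid>\d+)\]: Accepted \S+ for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
CMD_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[(?P<pid>\d+)\]: User '(?P<user>[^']+)' running command '(?P<cmd>[^']+)'"
)

# Constructed sample input in the format shown in the thread.
SHELL_LOG = """\
2012-09-29T17:19:32Z ESXShell: ESXi Shell unavailable
2012-09-29T18:13:18Z ESXShell: ESXi shell login enabled
2012-09-29T18:13:18Z ESXShell: ESXi Shell available
2012-09-29T18:14:15Z ESXShell: ESXi shell login disabled
2012-09-30T03:35:33Z SSH: SSH login enabled
"""

AUTH_LOG = """\
2012-09-30T03:38:05Z sshd[10360]: Connection from 192.168.250.31 port 58777
2012-09-30T03:38:07Z sshd[10360]: Accepted keyboard-interactive/pam for root from 192.168.250.31 port 58777 ssh2
2012-09-30T03:38:07Z sshd[10360]: User 'root' running command '/bin/sh'
2012-09-30T03:40:11Z sshd[10402]: Connection from 10.0.0.9 port 41000
2012-09-30T03:40:13Z sshd[10402]: Accepted keyboard-interactive/pam for root from 10.0.0.9 port 41000 ssh2
2012-09-30T03:40:13Z sshd[10402]: User 'root' running command '/bin/sh'
"""


def parse_ts(text):
    """ESXi logs use UTC timestamps with a trailing Z."""
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


def service_changes(shell_log):
    """Every 'login enabled/disabled' transition for the ESXi shell and SSH, in order."""
    changes = []
    for line in shell_log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            changes.append((parse_ts(m["ts"]), m["svc"], m["state"]))
    return changes


def ssh_logins(auth_log):
    """Successful sshd logins, each joined to the command its session ran (same sshd pid)."""
    logins, commands = [], {}
    for line in auth_log.splitlines():
        line = line.strip()
        m = LOGIN_RE.match(line)
        if m:
            logins.append({"ts": parse_ts(m["ts"]), "pid": m["pid"], "user": m["user"],
                           "ip": m["ip"], "port": int(m["port"]), "cmd": None})
            continue
        m = CMD_RE.match(line)
        if m:
            commands[m["pid"]] = m["cmd"]
    for login in logins:
        login["cmd"] = commands.get(login["pid"])
    return logins


def triage(shell_log, auth_log, expected_sources):
    """Flag logins from unexpected addresses, or with no prior 'SSH login enabled'
    event in shell.log to explain how sshd was reachable at all."""
    changes = service_changes(shell_log)
    findings = []
    for login in ssh_logins(auth_log):
        enabled = [ts for ts, svc, state in changes
                   if svc == "SSH" and state == "enabled" and ts <= login["ts"]]
        reasons = []
        if login["ip"] not in expected_sources:
            reasons.append("source %s not in expected list" % login["ip"])
        if not enabled:
            reasons.append("no prior 'SSH login enabled' event in shell.log")
        findings.append({
            "ts": login["ts"].strftime(TS_FMT), "user": login["user"], "ip": login["ip"],
            "cmd": login["cmd"],
            "enabled_minutes_before": (login["ts"] - max(enabled)).total_seconds() / 60 if enabled else None,
            "suspicious": bool(reasons), "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    # The 192.168.250.31 login is the poster collecting the logs, so it is expected (assumption).
    for f in triage(SHELL_LOG, AUTH_LOG, expected_sources={"192.168.250.31"}):
        print("%(ts)s %(user)s from %(ip)s ran %(cmd)s -> %(reasons)s" % f)
```

Point it at the files copied out over WinSCP by reading them into the two strings. Every login that is not yours, or that precedes every enable event, needs an explanation; a shell.log enable event with no login after it, like the 2012-09-29 ESXShell toggle in the thread, tells you someone had vSphere client access at that moment even if no SSH session followed.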



  • 4.  RE: I may have been hacked.
    Best Answer

    Posted Sep 30, 2012 10:58 AM

    Welcome to the Community,

    Don't worry, you haven't been hacked. What you see is the "Annotations.WelcomeMessage", which can be configured in "Configuration" -> "Advanced Settings".

    André



  • 5.  RE: I may have been hacked.

    Posted Sep 30, 2012 01:58 PM

    You are correct! That was the setting...

    My issue now is how did it get set?

    As I never really look at the console, it is possible that I did it weeks/months ago. I did look at the advanced settings a few months ago. Although I do not remember doing it, that is still the most likely case.

    Thank you Dave.Mishchen for teaching me how to get to the logs.

    Thank you André for showing me the Advanced Setting.

    Thanks for helping me out.