am I hacked?
Mikkel L. Ellertson
mikkel at infinity-ltd.com
Sat Apr 21 20:19:21 UTC 2007
peter kostov wrote:
> Martin Marques wrote:
>> peter kostov wrote:
>>> Hello,
>>>
>>> I was not reading my system logs regularly (that's bad!). Today I
>>> noticed the following:
>>
>> Install logwatch.
>>
>> [snip]
>>>
>>> In the logs I found exactly the same results since one month ago.
>>>
>>> Does that mean I have been hacked and all those binaries are replaced?
>>> The secure logs are full with unaccepted ssh connections. The only
>>> successful connections for this period are from a known IP, but
>>> unfortunately I have no older logs.
>>
>> Doesn't look like that. Anyway, I didn't read in all your mail which
>> version of FC you were running, and if you have upgrades up2date.
> I am running FC5 with yum enabled.
>>
>> I wouldn't worry so much. But get logwatch running right away.
>>
>
> I have logwatch installed, but I didn't know about it. Thanks for
> pointing it out!
>
> On the other machine in my local network there is one 'bad' binary
> reported by rkhunter - wget. This second computer accesses the Internet
> through the one we are discussing.
> It is also running FC5 with yum, although the installation isn't exactly
> the same.
>
> Peter
>
Two things:
I don't get any 'bad' binaries when I run chkrootkit, so I would
suspect problems when I see results like yours.
You can also use RPM to check the same files. For example, to
check wget:
$ type wget
wget is hashed (/usr/bin/wget)
$ rpm -qf /usr/bin/wget
wget-1.10.2-8.fc6.1
$ rpm -V wget
$
You can also use "rpm -Vv wget" if you want to see what RPM is
doing, instead of it returning with no message if everything matches.
I would run "rpm -V coreutils" on the system as a first step. If it
reports files that do not match, I would back up your data, wipe,
and re-install! (If it does not find anything, then either it was a
smart attacker, or you are safe...)
Mikkel
--
Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
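The "rpm -V" check Mikkel describes prints one line per file that fails verification, and reading those lines by hand across coreutils, wget and the rest of a box gets tedious. The script below is an added example, not part of the thread, that parses that output format (a flag string such as "S.5....T", an optional file-type letter, then the path, or the word "missing") and applies the rule of thumb from the reply: a changed digest or size on a non-config binary is the thing to worry about, an edited config file is expected, and an mtime-only difference is usually harmless. The sample lines fed to it are constructed for the demonstration; on a real host you would pipe "rpm -Va" into triage_rpm_verify instead.

```sh
#!/bin/sh
# Added example (not from the original mailing-list post): triage "rpm -V" output.
#
# rpm -V line format:  FLAGS [TYPE] PATH     or     missing [TYPE] PATH
#   FLAGS is one character per check, '.' meaning "matches":
#   S size  M mode  5 digest  D device  L link  U user  G group  T mtime  P caps
#   TYPE, when present, is c (config) d (doc) g (ghost) l (license) r (readme).

# describe_flags FLAGS -> prints the names of the checks that failed,
# e.g. "S.5....T" -> "size digest mtime"
describe_flags() {
    rest=$1
    names=""
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character of $rest
        rest=${rest#?}          # drop it
        case $c in
            S) names="$names size" ;;
            M) names="$names mode" ;;
            5) names="$names digest" ;;
            D) names="$names device" ;;
            L) names="$names link" ;;
            U) names="$names user" ;;
            G) names="$names group" ;;
            T) names="$names mtime" ;;
            P) names="$names caps" ;;
            *) ;;                # '.' or '?' (check not performed)
        esac
    done
    printf '%s\n' "${names# }"
}

# triage_rpm_verify: read rpm -V lines on stdin, print "VERDICT PATH [checks]".
#   SUSPICIOUS  file missing, or a non-config file whose content/ownership changed
#   EXPECTED    a config file that differs (normally local editing)
#   LOW         only the modification time differs
# Paths containing whitespace are not handled; rpm -V output rarely has them.
triage_rpm_verify() {
    while read -r f1 f2 f3; do
        [ -z "$f1" ] && continue
        if [ -z "$f3" ]; then type=""; path=$f2; else type=$f2; path=$f3; fi
        if [ "$f1" = "missing" ]; then
            what="missing"; verdict="SUSPICIOUS"
        else
            what=$(describe_flags "$f1")
            if [ "$type" = "c" ]; then
                verdict="EXPECTED"
            elif [ "$what" = "mtime" ] || [ -z "$what" ]; then
                verdict="LOW"
            else
                verdict="SUSPICIOUS"
            fi
        fi
        printf '%s %s [%s]\n' "$verdict" "$path" "$what"
    done
}

# Constructed sample output (not from a real system) standing in for "rpm -Va".
SAMPLE_RPM_V_OUTPUT='S.5....T.  /usr/bin/wget
.......T.  /usr/bin/ls
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/bin/md5sum'

printf '%s\n' "$SAMPLE_RPM_V_OUTPUT" | triage_rpm_verify
```

One caveat the reply already hints at with "a smart attacker": "rpm -V" compares files against the local RPM database using the local rpm binary, so both are part of the trust base. Where that is in doubt, rpm's "-Vp" option verifies installed files against a package file you fetched from a trusted mirror rather than against the on-disk database.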