have I been hacked?
ARRRRRG!
I think I just might be really pissed off. Not sure - I've been so caught
up in this Zen thing - it is hard to get excited about anything.
I am running multiple 3.0 OpenBSD boxes now - thanks to the FAQs and the
users of this list.
As per the change log stuff - the only thing I see as a potential remote
hole for version 3.0 is if I have kerberos running and haven't patched
sshd...
well I have not configured kerberos - however I also have not yet patched
sshd.
I noticed at the beginning of the month that someone or several people (a few
different IPs) were attempting to connect to ssh - but were denied because
they failed to provide proper identification. I assume this is because out
of the box oBSD requires a key-pair for authentication as opposed to just a
password [a very good thing! - please correct me if I am wrong about any of
this]
Then I saw several scans from an ssh ID util - ummm
SSH-1.0-SSH_Version_Mapper --- very happy that these things appear on the
console - because I haven't figured out where all the different security
related logs go - I guess most stuff is in /var/log - but I need to get up
to speed with that sort of stuff - all I see when I look at the current
stuff is that the log has been rotated - I do see .gz files (can I somehow
pipe cat or more through gzip so I don't have to actually gunzip those
files?)- and maybe I should get a log server up too - not much of a clue as
to setting that up - except I see that syslog.conf can allow me to specify
where to send stuff - but I digress...
so... SO - ok - today I am playing around with my web server - adding new
virtual domains, etc., and I go to restart my httpd and I exclaim... 'what
the hell is that?' Now maybe I'm just senile at this point... but I don't
recall seeing comsat running before. And now it is.
so perhaps I'm just paranoid at this point - because I feel I'm only
half-way to keeping things secure - and worried about my 'neighborhood'. I
don't see comsat running on my other two servers on line - but they aren't
running httpd - (ie. they aren't identical) - so I checked the server I am
going to be using for development and patch compilation, etc... because it
has httpd running - and no comsat - but it is version 2.9- again not
identical - it also doesn't have virt-domains - so I'm not sure what might
get comsat running
can someone please advise me if there is any reason comsat would be running
if I didn't start it? I read the man page (skimmed it actually) and it
seems like the sort of service a bastard hacker from hell could use to see
whether I was logged on or not.
I'll unlock the gun cabinet, while I wait for you guys to get back to me ;)
Captain (soon to be demoted) Weenie
PS
I have IPs - and plenty of 9mm rounds for 'man stopping power' ;) [just
kidding of course - like I said - zen and all... :) ]
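Two of the questions in the post above have short answers that are easier to show than to describe: rotated logs can be read through gzip without unpacking them, and comsat is not started by rc but by inetd, on demand, from the `comsat` line in /etc/inetd.conf, so that line (commented or not) is the first thing to check. The script below is an added example, not part of the original post or of OpenBSD; it builds a constructed authlog and inetd.conf in a scratch directory so it runs offline, and the function names `count_in_gz_logs` and `inetd_service_enabled` are this example's own. On the real box the same calls would point at /var/log/authlog.*.gz (where OpenBSD's default syslog.conf sends sshd's authentication messages) and /etc/inetd.conf.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates:
#   1. grepping rotated, gzip-compressed logs without gunzip'ing them
#   2. checking whether a service (here comsat) is enabled in inetd.conf
# All sample data below is constructed for the demo.
set -u

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

# Constructed rotated authlog: two refused ssh connections and one accepted
# publickey login, in the format sshd writes via syslog.
printf '%s\n' \
  'Nov  3 02:11:07 host sshd[1234]: Did not receive identification string from 192.0.2.10' \
  'Nov  3 02:11:09 host sshd[1235]: Did not receive identification string from 192.0.2.10' \
  'Nov  3 02:12:30 host sshd[1240]: Accepted publickey for captain from 198.51.100.5 port 41022' \
  > "$DEMO/authlog.0"
gzip "$DEMO/authlog.0"          # yields authlog.0.gz, as newsyslog rotation does

# Constructed inetd.conf: comsat enabled, ident commented out.
printf '%s\n' \
  '#ident   stream  tcp   nowait  _identd  /usr/libexec/identd  identd -el' \
  'comsat   dgram   udp   wait    root     /usr/libexec/comsat  comsat' \
  'daytime  stream  tcp   nowait  root     internal' \
  > "$DEMO/inetd.conf"

# count_in_gz_logs PATTERN FILE.gz [FILE.gz ...]
# Streams the compressed files through gzip -dc (zcat) and counts matching
# lines; '|| true' keeps the printed 0 when nothing matches under set -e.
count_in_gz_logs() {
  pattern=$1; shift
  gzip -dc "$@" | grep -c -- "$pattern" || true
}

# inetd_service_enabled NAME INETD_CONF
# True when NAME starts an uncommented line of the given inetd.conf, i.e.
# inetd will listen for it and spawn the daemon on demand.
inetd_service_enabled() {
  grep -q "^[[:space:]]*$1[[:space:]]" "$2"
}

# Demo run (on a real host: count_in_gz_logs 'sshd' /var/log/authlog.*.gz)
printf 'refused ssh connections in rotated logs: %s\n' \
  "$(count_in_gz_logs 'Did not receive identification' "$DEMO"/*.gz)"
for svc in comsat ident; do
  if inetd_service_enabled "$svc" "$DEMO/inetd.conf"; then
    printf '%s: enabled in inetd.conf (inetd starts it on demand)\n' "$svc"
  else
    printf '%s: disabled in inetd.conf\n' "$svc"
  fi
done
```

For browsing rather than grepping, `zmore` and `zless` do the same streaming for a pager. A remote log host is one `syslog.conf` line of the form `*.*  @loghost`, with syslogd on the receiving side started to accept network input; the local files keep being written regardless.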