[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
have I been hacked?
I think I just might be really pissed off. Not sure - I've been so caught
up in this Zen thing - it is hard to get excited about anything.
I am running multiple 3.0 OpenBSD boxes now - thanks to the FAQs and the
users of this list.
As per the change log stuff - the only thing I see as a potential remote
hole for version 3.0 is if I have kerberos running and haven't patched
well I have not configured kerberos - however I also have not yet patched
I noticed at the begining of the month, that somone or several people (a few
different IP's) were attempting to connect to ssh - but were denied because
they failed to provide proper identification. I assume this is because out
of the box oBSD requires a key-pair for authentication as opposed to just a
password [a very good thing! - please correct me if I am wrong about any of
Then I saw several scans from an ssh ID util - ummm
SSH-1.0-SSH_Version_Mapper --- very happy that these things appear on the
console - because I haven't figured out where all the different security
related logs go - I guess most stuff is in /var/log - but I need to get up
to speed with that sort of stuff - all I see when I look at the current
stuff is that the log has been rotated - I do see .gz files (can I somehow
pipe cat or more through gzip so I don't have to actually gunzip those
files?)- and maybe I should get a log server up too - not much of a clue as
to setting that up - except I see that syslog.conf can allow me to specify
where to send stuff - but I digress...
so... SO - ok - today I am playing around with my web server - adding new
virtual domains, etc.. and I go to restart my httpd and I exclaim... 'what
the hell is that?' Now maybe I'm just senile at this point... but I don't
recall seeing comsat running before. And now it is.
so perhaps I'm just paranoid at this point - because I feel I'm only
half-way to keeping things secure - and worried about my 'neighborhood'. I
don't see comsat running on my other two servers on line - but they aren't
running httpd - (ie. they aren't identical) - so I checked the server I am
going to be using for development and patch compilation, etc... because it
has httpd running - and no comsat - but it is version 2.9- again not
identical - it also doesn't have virt-domains - so I'm not sure what might
get comsat running
can someone please advise me if there is any reason comsat would be running
if I didn't start it? I read the man page (skimmed it actually) and it
seems like the sort of service a bastard hacker from hell could use to see
if I was logged on or not with.
I'll unlock the gun cabinet, while I wait for you guys to get back to me ;)
Captain (soon to be demoted) Weenie
I have IP's - and plenty of 9mm rounds for 'man stopping power' ;) [just
kidding of course - like ai said - zen and all... :) ]