[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: have I been hacked?
Thanks for the feedback - and thanks for the feedback from everyone else
that took time to respond.
I have changed my root password - and I have disabled the ability to ssh in
as root - and I checked the output of last
... and once again I am worried.
I had three virtual terminals open and logged in - I had been logged in
there since last reboot - they should have shown up when I typed # last
well all I got was that the /var/log/wtmp started today - around the time
that typed it... which was the wrong time by the way - not sure if that was
an oversight when I set this system up or not.
anyway - I logged in on another virtual console - and then did the last
command again - and sure enough that one showed up. I tested this on
another system that I have - which has not been on the network - and I had a
history of root logins on that one.
I tried to do a # last -f /var/log/wtmp -- thinking that perhaps the info
was stored within that file - but I got the same message with no logins
showing up (this was before that test login)
I'm thinking last should have shown me the current logins, right?
there are no additional accounts created in /etc/passwd
if someone brute forced my root password comming in over ssh - wouldn't I
see an error for each failed attempt on the console?
Thanks again - I think I'll be building a backup server tonight to switch
over to :(
From: firstname.lastname@example.org [SMTP:email@example.com] On Behalf Of
Sent: Saturday, February 09, 2002 8:11 PM
To: Ken Walling
Subject: Re: have I been hacked?
On Sat, 9 Feb 2002, Ken Walling wrote:
> well I have not configured kerberos - however I also have not yet patched
You should patch that...
> I noticed at the begining of the month, that somone or several people (a
> different IP's) were attempting to connect to ssh - but were denied
> they failed to provide proper identification. I assume this is because
> of the box oBSD requires a key-pair for authentication as opposed to just
> password [a very good thing! - please correct me if I am wrong about any
Nope, out of the box ssh just needs a password.
> console - because I haven't figured out where all the different security
> related logs go - I guess most stuff is in /var/log - but I need to get up
> to speed with that sort of stuff - all I see when I look at the current
> stuff is that the log has been rotated - I do see .gz files (can I somehow
> pipe cat or more through gzip so I don't have to actually gunzip those
> files?)- and maybe I should get a log server up too
Try looking at /var/log/messages for a start.
> so... SO - ok - today I am playing around with my web server - adding new
> virtual domains, etc.. and I go to restart my httpd and I exclaim... 'what
> the hell is that?' Now maybe I'm just senile at this point... but I don't
> recall seeing comsat running before. And now it is.
I believe it's on by default. Edit /etc/inetd.conf and turn it off (just
comment the beginning of the line with '#'), then either reboot or 'kill
-HUP' the process. Turn off anything else in there you don't want too.
I doubt you've been hacked, but try looking at the 'last' output and see
if any weird logins have happened without your knowledge. SSH logins
should be recorded there.
If you had been rootkitted there would likely be a strange new port open
on your system as well, you can nmap it and see what comes up if you
Sounds like all is well, most likely. But patch your ssh to the latest
version if you will be using it, and maybe lock it down using pf to a
range of IP's you will be logging in from if you know that info.
Happy hunting! (I use a .40-cal myself...) =)