Re: have I been hacked?
Ralph,
Thanks for the feedback - and thanks for the feedback from everyone else
that took time to respond.
I have changed my root password - and I have disabled the ability to ssh in
as root - and I checked the output of last
... and once again I am worried.
I had three virtual terminals open and logged in - I had been logged in
there since last reboot - they should have shown up when I typed # last
right?
Well, all I got was that /var/log/wtmp started today - around the time
that I typed it... which was the wrong time, by the way - not sure if that was
an oversight when I set this system up or not.
Anyway - I logged in on another virtual console - and then did the last
command again - and sure enough that one showed up. I tested this on
another system that I have - which has not been on the network - and I had a
history of root logins on that one.
I tried to do a # last -f /var/log/wtmp -- thinking that perhaps the info
was stored within that file - but I got the same message with no logins
showing up (this was before that test login).
I'm thinking last should have shown me the current logins, right?
There are no additional accounts created in /etc/passwd.
If someone brute forced my root password coming in over ssh - wouldn't I
see an error for each failed attempt on the console?
Thanks again - I think I'll be building a backup server tonight to switch
over to :(
Kaptin Weenie
-----Original Message-----
From: owner-misc@openbsd.org [SMTP:owner-misc@openbsd.org] On Behalf Of
Ralph Forsythe
Sent: Saturday, February 09, 2002 8:11 PM
To: Ken Walling
Cc: misc@openbsd.org
Subject: Re: have I been hacked?
On Sat, 9 Feb 2002, Ken Walling wrote:
> ARRRRRG!
>
> well I have not configured kerberos - however I also have not yet patched
> sshd.
You should patch that...
> I noticed at the beginning of the month, that someone or several people (a
> few different IPs) were attempting to connect to ssh - but were denied
> because they failed to provide proper identification. I assume this is
> because out of the box oBSD requires a key-pair for authentication as
> opposed to just a password [a very good thing! - please correct me if I am
> wrong about any of this]
Nope, out of the box ssh just needs a password.
> console - because I haven't figured out where all the different security
> related logs go - I guess most stuff is in /var/log - but I need to get up
> to speed with that sort of stuff - all I see when I look at the current
> stuff is that the log has been rotated - I do see .gz files (can I somehow
> pipe cat or more through gzip so I don't have to actually gunzip those
> files?) - and maybe I should get a log server up too
Try looking at /var/log/messages for a start.
> so... SO - ok - today I am playing around with my web server - adding new
> virtual domains, etc.. and I go to restart my httpd and I exclaim... 'what
> the hell is that?' Now maybe I'm just senile at this point... but I don't
> recall seeing comsat running before. And now it is.
I believe it's on by default. Edit /etc/inetd.conf and turn it off (just
comment the beginning of the line with '#'), then either reboot or 'kill
-HUP' the process. Turn off anything else in there you don't want too.
I doubt you've been hacked, but try looking at the 'last' output and see
if any weird logins have happened without your knowledge. SSH logins
should be recorded there.
If you had been rootkitted there would likely be a strange new port open
on your system as well, you can nmap it and see what comes up if you
want.
Sounds like all is well, most likely. But patch your ssh to the latest
version if you will be using it, and maybe lock it down using pf to a
range of IPs you will be logging in from if you know that info.
Happy hunting! (I use a .40-cal myself...) =)
- Ralph
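Ken asks whether failed ssh attempts would show up, and Ralph suggests looking through the logs for logins that should not be there. The following is an added example, not code from either poster: it summarises sshd syslog lines (assumed to use OpenSSH's "Failed password for ... from ... port ..." and "Accepted ... for ... from ..." wording) and flags a successful login from a source that had been failing against root, which is the trace a brute-force success leaves in /var/log/authlog. The sample lines are constructed.

```python
import re
from collections import Counter

# Patterns for the two sshd syslog messages the thread is about. Format is
# assumed to match OpenSSH's "Failed <method> for <user> from <ip> port <n>"
# and "Accepted <method> for <user> from <ip> port <n>" lines; the optional
# "illegal user"/"invalid user" prefix covers older and newer versions.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:illegal user |invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")


def summarize_sshd(lines, threshold=5):
    """Count failures per source (and per source against root), list accepted
    logins, and single out accepted logins preceded by failures from the same
    source. `threshold` marks sources with at least that many failures."""
    failed_by_ip = Counter()
    root_failed_by_ip = Counter()
    accepted = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed_by_ip[m["ip"]] += 1
            if m["user"].lower() == "root":   # old sshd logged "ROOT"
                root_failed_by_ip[m["ip"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append({"user": m["user"], "ip": m["ip"],
                             "method": m["method"],
                             "failures_before": failed_by_ip[m["ip"]]})
    return {
        "failed_by_ip": dict(failed_by_ip),
        "root_failed_by_ip": dict(root_failed_by_ip),
        "noisy_sources": sorted(ip for ip, n in failed_by_ip.items() if n >= threshold),
        "accepted": accepted,
        "accepted_after_failures": [a for a in accepted if a["failures_before"] > 0],
    }


# Constructed sample authlog lines (not from the thread): one source guessing
# root and eventually getting in, then one ordinary key-based login.
SAMPLE = [
    "Feb  9 19:58:01 gw sshd[4021]: Failed password for root from 192.0.2.10 port 3301 ssh2",
    "Feb  9 19:58:04 gw sshd[4021]: Failed password for root from 192.0.2.10 port 3301 ssh2",
    "Feb  9 19:58:09 gw sshd[4023]: Failed password for ROOT from 192.0.2.10 port 3302 ssh2",
    "Feb  9 19:58:15 gw sshd[4025]: Failed password for illegal user admin from 192.0.2.10 port 3303 ssh2",
    "Feb  9 19:58:20 gw sshd[4027]: Failed password for root from 192.0.2.10 port 3304 ssh2",
    "Feb  9 19:59:02 gw sshd[4030]: Accepted password for root from 192.0.2.10 port 3305 ssh2",
    "Feb  9 20:11:30 gw sshd[4102]: Accepted publickey for ken from 198.51.100.7 port 51022 ssh2",
]

if __name__ == "__main__":
    for key, value in summarize_sshd(SAMPLE).items():
        print(key, value)
```

On a live box feed it the real file, e.g. `summarize_sshd(open("/var/log/authlog"))`, and read rotated `.gz` copies with `gzip.open(path, "rt")`.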