[NTLUG:Discuss] How to tell if I have been hacked

Fred fredstevens at yahoo.com
Mon May 8 23:39:02 CDT 2006


How do I know if my system has been (or is) compromised? I have tried rpm -V
but my system is old enough and the database hasn't been updated since the
original install (you mean the rpm package doesn't automatically do that each
time a package is installed?), so that test is useless. I think ditto with
looking at other system files. I have chkrootkit and it says everything is ok
except for the:

You have    21 process hidden for readdir command
You have    21 process hidden for ps command

All this concern was brought on by a system log that has entries that trace to
China, Russia (and other places), but nothing that says that anyone actually
got in.

Log entry:

May  8 23:12:05 main kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT=
MAC=00:11:2f:11:2c:56:00:e0:98:52:11:50:08:00 SRC=203.170.106.164
DST=192.168.1.100 LEN=338 TOS=0x00 PREC=0x00 TTL=51 ID=49704 PROTO=UDP SPT=0
DPT=1025 LEN=318 
May  8 23:12:05 main kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT=
MAC=00:11:2f:11:2c:56:00:e0:98:52:11:50:08:00 SRC=203.170.106.164
DST=192.168.1.100 LEN=338 TOS=0x00 PREC=0x00 TTL=51 ID=49705 PROTO=UDP SPT=0
DPT=1026 LEN=318 

Is that just a knock at the door?

I also got several like this:
May  7 22:21:01 main sshd[7279]: Failed password for root from 61.235.97.166
port 58937 ssh2
May  7 22:21:01 main kernel: SFW2-INext-ACC-TCP IN=eth0 OUT=
MAC=00:11:2f:11:2c:56:00:e0:98:52:11:50:08:00 SRC=61.235.97.166
DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=5655 PROTO=TCP SPT=59000
DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT
(0204057E0402080A198E67FA0000000001030302) 

Since the system log hasn't been flushed and since it never showed a login, can
I assume that no one got in? Here's a system log entry about my use:
May  8 12:54:52 main su: (to root) fred on /dev/pts/2
May  8 12:54:52 main su: pam_unix2: session started for user root, service su 
May  8 12:54:52 main su: pam_unix2: session finished for user root, service su 

Fred
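A way to re-check the chkrootkit "process hidden for ps command" finding by hand, added here as an example and not part of Fred's post or of chkrootkit itself: it compares the PIDs that /proc lists with the PIDs that ps reports, repeats the comparison a few rounds so that processes which merely exited between the two reads drop out of the result, and then prints what /proc knows about anything that stays hidden. Function names are this example's own; it assumes a Linux /proc and a ps that accepts `-e -o pid=`.

```python
"""Compare the kernel's process list (/proc) with what ps is willing to show.

Added example, not code from the original post or from chkrootkit. The idea
is the same one behind chkrootkit's hidden-process count: a process the
kernel lists but ps does not is either transient or deliberately hidden.
"""
import os
import subprocess


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but missing from ps output, in ascending order."""
    return sorted(set(proc_pids) - set(ps_pids))


def pids_from_proc():
    """Every numeric directory under /proc is a process the kernel admits to."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps():
    """What ps shows. A rootkit that replaces ps (or the libraries it uses)
    trims this list; that gap is what the chkrootkit count refers to."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def stable_hidden_pids(rounds=3):
    """Intersect the hidden set across several rounds. A process that exits
    between the /proc read and the ps run looks hidden once and then vanishes;
    a process actively hidden from ps stays in every round."""
    stable = None
    for _ in range(rounds):
        now = set(hidden_pids(pids_from_proc(), pids_from_ps()))
        stable = now if stable is None else stable & now
    return sorted(stable)


def describe(pid):
    """cmdline and exe target from /proc for one PID (other users' processes
    need root). Unreadable entries are reported as text rather than raised."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/cmdline", "rb") as fh:
            raw = fh.read().replace(b"\0", b" ")
        cmdline = raw.decode(errors="replace").strip()
    except OSError as exc:
        cmdline = f"<cmdline unreadable: {exc.strerror}>"
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError as exc:
        exe = f"<exe unreadable: {exc.strerror}>"
    return {"pid": pid, "cmdline": cmdline, "exe": exe}


if __name__ == "__main__":
    hidden = stable_hidden_pids()
    if not hidden:
        print("no PID is consistently missing from ps output")
    for pid in hidden:
        print(describe(pid))
```

Run it as root so that every /proc entry is readable. A count that changes from run to run, or a set that empties out after the intersection, points at short-lived processes caught mid-exit; a PID that survives all rounds and whose exe link cannot be matched to any installed package is the one to investigate.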



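The three kinds of log line quoted above (a firewall DROP, a firewall ACC followed by an sshd "Failed password", and the su lines) can be sorted mechanically. The script below is an added example, not part of the post or of SuSEfirewall2: it re-joins the quoted lines into the single-line form syslog writes, splits the kernel lines on SuSEfirewall2's `SFW2-<chain>-<verdict>-<tag>` prefix and netfilter's `key=value` fields, picks out sshd's Failed/Accepted lines, and reports which sources were only dropped and which actually reached a listening service. The sample log is constructed from the post's own lines; function names are this example's own.

```python
"""Triage of SuSEfirewall2 (SFW2) and sshd syslog lines.

Added example, not code from the original post. SAMPLE_LOG is constructed from
the lines quoted in the post, unwrapped back to one line per event.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
May  8 23:12:05 main kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:2f:11:2c:56:00:e0:98:52:11:50:08:00 SRC=203.170.106.164 DST=192.168.1.100 LEN=338 TOS=0x00 PREC=0x00 TTL=51 ID=49704 PROTO=UDP SPT=0 DPT=1025 LEN=318
May  8 23:12:05 main kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:2f:11:2c:56:00:e0:98:52:11:50:08:00 SRC=203.170.106.164 DST=192.168.1.100 LEN=338 TOS=0x00 PREC=0x00 TTL=51 ID=49705 PROTO=UDP SPT=0 DPT=1026 LEN=318
May  7 22:21:01 main sshd[7279]: Failed password for root from 61.235.97.166 port 58937 ssh2
May  7 22:21:01 main kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:2f:11:2c:56:00:e0:98:52:11:50:08:00 SRC=61.235.97.166 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=5655 PROTO=TCP SPT=59000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (0204057E0402080A198E67FA0000000001030302)
May  8 12:54:52 main su: (to root) fred on /dev/pts/2
May  8 12:54:52 main su: pam_unix2: session started for user root, service su
"""

# SuSEfirewall2 prefixes netfilter log lines as SFW2-<chain>-<verdict>-<tag>;
# what follows is the kernel's usual key=value packet summary.
SFW2_RE = re.compile(
    r"kernel: SFW2-(?P<chain>[^-\s]+)-(?P<verdict>DROP|ACC)-(?P<tag>\S+) (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_sfw2(line):
    """Dict of prefix parts plus packet fields for an SFW2 line, else None."""
    m = SFW2_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group("fields")):
        # UDP/TCP lines carry LEN twice (IP total length, then the transport
        # length); setdefault keeps the first, outer one.
        fields.setdefault(key, value)
    return {"chain": m.group("chain"), "verdict": m.group("verdict"),
            "tag": m.group("tag"), **fields}


def parse_sshd(line):
    """Dict for an sshd Failed/Accepted authentication line, else None."""
    m = SSHD_RE.search(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Count dropped and accepted packets per (src, proto, dport) and collect
    sshd outcomes. Lines that are neither (su, cron, ...) are ignored."""
    dropped, accepted = Counter(), Counter()
    ssh_failed, ssh_accepted = Counter(), []
    for line in log_text.splitlines():
        fw = parse_sfw2(line)
        if fw:
            bucket = dropped if fw["verdict"] == "DROP" else accepted
            bucket[(fw.get("SRC"), fw.get("PROTO"), fw.get("DPT"))] += 1
            continue
        ssh = parse_sshd(line)
        if ssh:
            if ssh["result"] == "Accepted":
                ssh_accepted.append((ssh["user"], ssh["src"]))
            else:
                ssh_failed[(ssh["user"], ssh["src"])] += 1
    return {"dropped": dropped, "accepted": accepted,
            "ssh_failed": ssh_failed, "ssh_accepted": ssh_accepted}


def knock_only_sources(summary):
    """Sources that were only ever dropped: their packets never reached a service."""
    reached = {src for (src, _, _) in summary["accepted"]}
    return sorted({src for (src, _, _) in summary["dropped"]} - reached)


def sources_that_got_through(summary):
    """Sources with at least one ACCEPTED packet; the service's own log (here
    sshd) decides what happened after that."""
    return sorted({src for (src, _, _) in summary["accepted"]})


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    for (src, proto, dpt), n in s["dropped"].items():
        print(f"DROP {src:16} {proto}/{dpt}: {n} packet(s)")
    for (src, proto, dpt), n in s["accepted"].items():
        print(f"ACC  {src:16} {proto}/{dpt}: {n} packet(s)")
    for (user, src), n in s["ssh_failed"].items():
        print(f"sshd {n} failed password(s) for {user} from {src}")
    print("sshd accepted logins:", s["ssh_accepted"] or "none in this log")
```

A DROP line is exactly the knock at the door asked about above: the packet was discarded before any service saw it. An ACC line to port 22 means sshd handled the connection, so sshd's own lines decide the outcome, and here they record only a failed password for root. The absence of an "Accepted" line is evidence rather than proof, because a successful intruder with root can edit the log, which is why a check that does not depend on the log, such as comparing /proc with ps, is worth running alongside this one.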