[NTLUG:Discuss] How to tell if I have been hacked

Terry Henderson trryhend at gmail.com
Tue May 9 07:00:01 CDT 2006


On 5/8/06, Fred <fredstevens at yahoo.com> wrote:
> How do I know if my system has been (or is) compromised? I have tried rpm -V
> but my system is old enough and the database hasn't been updated since the
> original install (you mean the rpm package doesn't automatically do that each
> time a package is installed?), so that test is useless. I think ditto with
> looking at other system files. I have chkrootkit and it says everything is ok
> except for the:
>
> You have    21 process hidden for readdir command
> You have    21 process hidden for ps command
>
> All this concern was brought on by a system log that has entries that trace to
> China, Russia (and other places), but nothing that says that anyone actually
> got in.
>
> Log entry:
>
> May  8 23:12:05 main kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT=
> MAC=00:11:2f:11:2c:56:00:e0:98:52:11:50:08:00 SRC=203.170.106.164
> DST=192.168.1.100 LEN=338 TOS=0x00 PREC=0x00 TTL=51 ID=49704 PROTO=UDP SPT=0
> DPT=1025 LEN=318
> May  8 23:12:05 main kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT=
> MAC=00:11:2f:11:2c:56:00:e0:98:52:11:50:08:00 SRC=203.170.106.164
> DST=192.168.1.100 LEN=338 TOS=0x00 PREC=0x00 TTL=51 ID=49705 PROTO=UDP SPT=0
> DPT=1026 LEN=318
>
> Is that just a knock at the door?
>
> I also got several like this:
> May  7 22:21:01 main sshd[7279]: Failed password for root from 61.235.97.166
> port 58937 ssh2
> May  7 22:21:01 main kernel: SFW2-INext-ACC-TCP IN=eth0 OUT=
> MAC=00:11:2f:11:2c:56:00:e0:98:52:11:50:08:00 SRC=61.235.97.166
> DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=5655 PROTO=TCP SPT=59000
> DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT
> (0204057E0402080A198E67FA0000000001030302)
>
> Since the system log hasn't been flushed and since it never showed a login, can
> I assume that no one got in? Here's a system log entry about my use:
> May  8 12:54:52 main su: (to root) fred on /dev/pts/2
> May  8 12:54:52 main su: pam_unix2: session started for user root, service su
> May  8 12:54:52 main su: pam_unix2: session finished for user root, service su
>
> Fred
>

Look at:
# history

--
<><
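Terry's pointer to root's history is one check; the log lines Fred posted are another, but only if you sort them into knocks (firewall DROP lines, failed passwords) and entries (an sshd "Accepted" line, an su to root you did not do). The script below is an added example written for this page, not code from the list thread or from chkrootkit or SuSEfirewall2. It triages a constructed copy of Fred's log lines (the "Accepted password" line is added so the example can show what an actual login looks like), and it carries the same /proc-versus-ps comparison chkrootkit makes for its "process hidden" warning so you can repeat it yourself. The regexes assume the SuSEfirewall2 "SFW2-..." and OpenSSH "Failed password" / "Accepted" formats shown in the post; the thresholds and function names are this example's own.

```python
import os
import re
import subprocess
from collections import Counter

# Constructed sample log, modelled on the lines Fred posted. The "Accepted password"
# line is an addition (not in the post) so the example can show what a real
# login looks like next to the failed attempts and dropped packets.
SAMPLE_LOG = """\
May  8 23:12:05 main kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:2f:11:2c:56:00:e0:98:52:11:50:08:00 SRC=203.170.106.164 DST=192.168.1.100 LEN=338 TOS=0x00 PREC=0x00 TTL=51 ID=49704 PROTO=UDP SPT=0 DPT=1025 LEN=318
May  8 23:12:05 main kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:2f:11:2c:56:00:e0:98:52:11:50:08:00 SRC=203.170.106.164 DST=192.168.1.100 LEN=338 TOS=0x00 PREC=0x00 TTL=51 ID=49705 PROTO=UDP SPT=0 DPT=1026 LEN=318
May  7 22:21:01 main sshd[7279]: Failed password for root from 61.235.97.166 port 58937 ssh2
May  7 22:21:01 main kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:2f:11:2c:56:00:e0:98:52:11:50:08:00 SRC=61.235.97.166 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=5655 PROTO=TCP SPT=59000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (0204057E0402080A198E67FA0000000001030302)
May  7 22:21:04 main sshd[7281]: Failed password for root from 61.235.97.166 port 58961 ssh2
May  8 03:15:44 main sshd[7310]: Accepted password for root from 61.235.97.166 port 60112 ssh2
May  8 12:54:52 main su: (to root) fred on /dev/pts/2
May  8 12:54:52 main su: pam_unix2: session started for user root, service su
"""

# SuSEfirewall2 kernel lines: the tag says DROP or ACC, then source, protocol, destination port.
FW_RE = re.compile(r"kernel: (SFW2-\S+) .*?SRC=(\S+) .*?PROTO=(\S+)(?: SPT=\d+ DPT=(\d+))?")
# OpenSSH: a failed guess is a knock; an "Accepted" line is someone actually inside.
SSH_FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
SSH_OK_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")
SU_RE = re.compile(r" su: \(to (\S+)\) (\S+) on (\S+)")


def triage(log_text):
    """Sort syslog lines into knocks, deliveries, failed/accepted ssh logins and su events."""
    report = {
        "dropped": Counter(),     # (src, proto, dport) -> count: packets the firewall discarded
        "accepted": Counter(),    # (src, proto, dport) -> count: packets that reached a service
        "ssh_failed": Counter(),  # (user, src) -> count of wrong passwords
        "ssh_accepted": [],       # (user, src): real logins, the lines that matter
        "su": [],                 # (from_user, to_user, tty): local privilege changes
    }
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m:
            tag, src, proto, dport = m.groups()
            bucket = "dropped" if "-DROP-" in tag else "accepted"
            report[bucket][(src, proto, dport)] += 1
            continue
        m = SSH_FAIL_RE.search(line)
        if m:
            report["ssh_failed"][m.groups()] += 1
            continue
        m = SSH_OK_RE.search(line)
        if m:
            report["ssh_accepted"].append(m.groups())
            continue
        m = SU_RE.search(line)
        if m:
            to_user, from_user, tty = m.groups()
            report["su"].append((from_user, to_user, tty))
    return report


def verdict(report, fail_threshold=2):
    """Turn the triage into plain findings; only an accepted login is evidence of entry."""
    findings = []
    for (user, src), n in report["ssh_failed"].items():
        if n >= fail_threshold:
            findings.append(f"password guessing against {user} from {src}: {n} failures (knocks, not entries)")
    for user, src in report["ssh_accepted"]:
        failed = report["ssh_failed"].get((user, src), 0)
        findings.append(f"SUCCESSFUL ssh login as {user} from {src} after {failed} failures: "
                        "treat as a compromise until you can explain it")
    if not report["ssh_accepted"]:
        findings.append("no accepted ssh logins in this log; DROP lines are unanswered knocks")
    return findings


def hidden_pids(proc_entries, ps_pids):
    """PIDs present as /proc directories but missing from ps output (chkrootkit's comparison)."""
    in_proc = {int(name) for name in proc_entries if name.isdigit()}
    return sorted(in_proc - set(ps_pids))


def live_hidden_pids():
    """Snapshot /proc and ps on the running host (Linux only) and compare them."""
    proc_entries = os.listdir("/proc")
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True).stdout
    return hidden_pids(proc_entries, {int(p) for p in out.split()})


if __name__ == "__main__":
    for finding in verdict(triage(SAMPLE_LOG)):
        print(finding)
    try:
        print("pids in /proc but not in ps:", live_hidden_pids())
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("live /proc vs ps check needs a Linux host with ps")
```

Two caveats a practitioner would add. First, the log-based reasoning in the post ("it never showed a login") only holds if the logs are intact; an intruder with root can edit them, which is why the other checks (rpm -V, root's history, the /proc-versus-ps comparison) matter alongside them. Second, the /proc and ps snapshots are taken a moment apart, so processes that start or exit in between show up as differences; repeat the comparison several times and worry about PIDs that are missing from ps consistently, not ones that appear once.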
