Something weird has happened on my computer, and I think I may have been hacked.
In my LogWatch, I had this entry
Code:
--------------------- Connections (secure-log) Begin ------------------------
New Users:
useradd (named)
New Groups:
named (25)
I thought, who added a new user, and why? So I looked in /var/log/secure, and it said
Code:
Jan 12 22:44:49 resnet-18-64 groupadd[6798]: new group: name=named, gid=25
Jan 12 22:44:49 resnet-18-64 useradd[6799]: new user: name=named, uid=25, gid=25, home=/var/named, shell=/sbin/nologin
So, I then checked /var/named. Here's the directory listing.
Code:
total 72
drwxrwx--- 2 named named 4096 Oct 18 16:17 data
-rw-r--r-- 1 named named 198 Aug 25 17:16 localdomain.zone
-rw-r--r-- 1 named named 195 Aug 25 17:16 localhost.zone
-rw-r--r-- 1 named named 415 Aug 25 17:16 named.broadcast
-rw-r--r-- 1 named named 2518 Aug 25 17:16 named.ca
-rw-r--r-- 1 named named 432 Aug 25 17:16 named.ip6.local
-rw-r--r-- 1 named named 433 Aug 25 17:16 named.local
-rw-r--r-- 1 named named 416 Aug 25 17:16 named.zero
drwxrwx--- 2 named named 4096 Oct 18 16:17 slaves
There were no files in the folders data, or slaves. Most of the files had similair contents. Here's named.broadcast:
Code:
$TTL 86400
@ IN SOA localhost root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS localhost
I really can't make heads or tails of any of this. I was on my computer yesterday at the time this happened, and I was watching TV on my computer, nothing else. So I'm pretty sure nothing I did could have added this new user and group. However, I see that the files in /var/named are several months old. Does anybody have any idea what's going on? Did someone hack into my computer? It doesn't appear like anyone did, but if they did, what would be the purpose?
