Old 10-16-2002, 12:12 PM   #1
Sridhar Guntur
LQ Newbie
 
Registered: Oct 2002
Location: 808 Ridge Drive apt #110 Dekalb IL-60115
Distribution: RedHat 7.2
Posts: 11

Rep: Reputation: 0
hostname changed. was i hacked????????


I am confused. Last night I turned my RedHat 7.2 system on as root and forgot to shut it down, and this morning when I rebooted, the system had to do a root file system check because it was not properly shut down (I turned it off with the power button). I have a different hostname (the new hostname is x1-6-00-e0-4c-03-2e-5e). Was I hacked, or is there any loss of data due to the root file system check? How do I know if my system was abused? BTW, I was tweaking the PostgreSQL server (port 5432) yesterday. Could that be the reason? I run the Apache web server and the Tomcat server as root. And how do I change my hostname back to what I want? All other services, like the web server, are working fine. Please suggest what I should do.
Thanks in advance.
 
Old 10-16-2002, 12:20 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,414

Rep: Reputation: 1967
Nah, I doubt it... You're on ADSL, I take it? Try running ifconfig and I *think* you'll see that your MAC address is used as your hostname by the ISP; maybe it was their MAC, I can't remember... Happened to me once, I'm sure.
 
Old 10-16-2002, 12:29 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,564
Blog Entries: 54

Rep: Reputation: 2928
And wrt "how do I know if my system was abused?" search this forum you will, for "integrity check" "rootkit" "hacked" "chkrootkit" "sans" "cert". Weird it would be if no results turn up, a security forum, this being.
 
Old 10-16-2002, 01:14 PM   #4
Sridhar Guntur
Original Poster
Hello acid_kewpie, and thanks to both of you for replying.
I am using an AT&T cable modem and not ADSL, and I don't know if AT&T uses the MAC address as the hostname. Anyway, I am at work, so I will go home and run ifconfig to check my MAC address.
 
Old 10-16-2002, 07:16 PM   #5
Sridhar Guntur
Original Poster
acid_kewpie, I use an AT&T cable modem (DHCP service) and, as you suggested, I ran ifconfig: my eth0 (NIC) HWaddr is 00-E0-4C-03-2E-5E, and the hostname that I get (from the hostname command) is x1-6-00-e0-4c-03-2e-5e. Yes, I can see that part of my hostname is my MAC address. My /etc/hosts file has a line: 127.0.0.1 localhost.localdomain localhost
and /etc/sysconfig/network has NETWORKING=yes and HOSTNAME=localhost.localdomain. So what does this whole thing mean, and why has my hostname suddenly changed? Can I change my hostname with the sethostname command, and if I do that, will it affect any of my networking services? Thanks a lot, and sorry for troubling you with questions (I'm a newbie!)
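
The comparison made in this post (the ifconfig hardware address against the new hostname), as an added shell example that is not part of the original thread. The function names are hypothetical, and the interface list is assumed to come from Linux sysfs.

```sh
#!/bin/sh
# Added example: does a hostname embed one of this machine's MAC addresses?

# Strip separators and lowercase, so 00-E0-4C-03-2E-5E, 00:e0:4c:03:2e:5e
# and 00e04c032e5e all compare equal.
normalize_hex() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':.-'
}

# Print the hardware address of every non-loopback interface.
local_macs() {
    for f in /sys/class/net/*/address; do
        [ -r "$f" ] || continue
        case "$f" in */lo/address) continue ;; esac
        cat "$f"
    done
}

# hostname_matches_mac HOSTNAME MAC...
# Prints the first MAC whose 12 hex digits appear inside HOSTNAME and
# returns 0; returns 1 when none of the MACs is embedded.
hostname_matches_mac() {
    hn=$(normalize_hex "$1"); shift
    for mac in "$@"; do
        m=$(normalize_hex "$mac")
        # Skip malformed and all-zero addresses (tunnels, dummy interfaces).
        [ ${#m} -eq 12 ] || continue
        [ "$m" = 000000000000 ] && continue
        case "$hn" in
            *"$m"*) printf '%s\n' "$mac"; return 0 ;;
        esac
    done
    return 1
}

# Classify the running system's hostname.
triage_hostname() {
    hn=$(uname -n)
    if mac=$(hostname_matches_mac "$hn" $(local_macs)); then
        echo "hostname '$hn' embeds local MAC $mac (consistent with a DHCP-assigned name)"
    else
        echo "hostname '$hn' embeds no local MAC; compare it with /etc/sysconfig/network"
    fi
}

triage_hostname
```

With the values quoted in the post, `hostname_matches_mac x1-6-00-e0-4c-03-2e-5e 00-E0-4C-03-2E-5E` reports a match.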
 
Old 10-16-2002, 08:45 PM   #6
Sridhar Guntur
Original Poster
I ran chkrootkit and found everything OK except these lines. How do I interpret them?

(1) Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.6.0/i386-linux/.packlist /usr/lib/mozilla/plugins/java2/bin/.java_wrapper


(2) eth0 is not promisc
(3) Checking `wted'... 1 deletion(s) between Mon Oct 7 08:32:31 2002 and Mon Oct 7 08:36:12 2002
1 deletion(s) between Thu Oct 10 16:10:56 2002 and Fri Oct 11 21:50:46 2002
nothing deleted
(4) Checking `z2'... user root deleted or never loged from lastlog!


thanks for your patience.
 
Old 10-17-2002, 08:24 AM   #7
unSpawn
Moderator
1. Dotfile; from the looks of the name, a false positive. Seen a lot on boxes with, for instance, Perl installed as well.
2. Your NIC is not listening to traffic not destined for itself. Good.
3. Wted. Tool to edit wtmp entries. Verify by running "last -aix" to see all logins from the start of wtmp, and "ac --complain" to get an overview of missing login records. Although missing login records in themselves don't necessarily mean your box is cracked, you should investigate manually.
4. If running "lastlog" manually shows root never logged in, then you've got a problem. If you didn't install an integrity checker like Aide, Samhain or Tripwire (everyone should have one of those), you can still check (only currently installed files, though) by running "rpm -Va", if the rpm database is not "edited" as well. But if you didn't install an integrity checker you'll never know.

Hmm. If you have more questions on security I would suggest opening a separate thread in the security forum and keeping your network problems here, unless they're solved already.
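
One way to triage the output of the "rpm -Va" check suggested in this post, as an added shell example that is not part of the original thread. The function names and the sample lines are constructed for illustration; as the post says, the result is only as trustworthy as the rpm database itself.

```sh
#!/bin/sh
# Added example: pick the entries of `rpm -Va` output to inspect first.

# Read `rpm -Va` output on stdin and print "REASON PATH" for files that
# deserve a manual look. Paths containing spaces are not handled.
rpm_va_triage() {
    awk '
    # A packaged binary or library that is gone from disk.
    $1 == "missing" {
        path = $NF
        if (path ~ /^\/(usr\/)?(s?bin|lib)\//) print "MISSING", path
        next
    }
    # Flag field: S=size M=mode 5=digest D=device L=symlink
    #             U=user G=group T=mtime, "." = test passed
    $1 ~ /^[.?SM5DLUGTP]+$/ && length($1) >= 8 {
        flags = $1; path = $NF
        attr = (NF == 3) ? $2 : ""   # c=config d=doc g=ghost
        # Config, doc and ghost files are expected to change.
        if (attr == "c" || attr == "d" || attr == "g") next
        if (index(flags, "5")) print "DIGEST", path
        else if (flags ~ /[MUG]/ && path ~ /^\/(usr\/)?s?bin\//) print "PERMS", path
    }'
}

# Constructed sample in the rpm -Va line format (not from a real system).
sample_rpm_va() {
    cat <<'EOF'
S.5....T c /etc/httpd/conf/httpd.conf
.......T   /usr/share/doc/foo/README
S.5....T   /bin/login
missing    /usr/bin/top
.M......   /usr/sbin/sshd
..5....T d /usr/share/man/man1/ls.1.gz
EOF
}

# Demo on the sample; on a live system: rpm -Va 2>/dev/null | rpm_va_triage
sample_rpm_va | rpm_va_triage
```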
 
Old 07-23-2004, 12:34 PM   #8
ashlock
Member
 
Registered: Jul 2003
Distribution: Fedora Core 2, RH 9
Posts: 33

Rep: Reputation: 15
Quote:
Originally posted by Sridhar Guntur

(4) Checking `z2'... user root deleted or never loged from lastlog!
After doing a fresh kernel compile, I had never actually logged in as root; I had only used 'su' to do root tasks, so lastlog was showing **Never logged in** for root. After actually logging in as user root from a console, lastlog now shows the time of this login and chkrootkit does not display this message anymore.
 
  

