LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-19-2003, 02:42 PM   #1
Tenover (Member, registered Mar 2003, 123 posts)
Help! Have I been hacked?


I just recently built a Mandrake box here at work and we are behind a firewall. Today I was trying to troubleshoot a problem when I noticed an odd job in crontab, then I noticed a directory called /var/bobsdata... Have I been hacked somehow? Anyone have any information on how I could've been hacked? Thanks.
 
Old 11-19-2003, 03:24 PM   #2
unSpawn (Moderator, registered May 2001, 27,458 posts, 54 blog entries)
Since you didn't offer any info like changed md5sums or other ways you verified your system, I'm gonna default to compromise mode:

I. If you're already logged in as root, do save the output from "netstat -np", "lsof -n" and "ps axwwwe". Run "find /proc -name exe -maxdepth 2 | xargs -iP cp -afL 'P' /tmp 2>&1|tee /tmp/procs.log". Now bring down the box to runlevel 1 and save another separate copy of "ps axwwwe". *Note: if the system has been subverted, no output can be trusted.

II. If you're not logged in as root, bring the box down by whichever means you've got. If you've got magic sysrq, make sure to sync before you power off.

III. Now shut the box down and do not bring it up again. Do this now.

IV. If you're not the LAN admin, notify him or your IT dept, or whoever is in charge.
If you've got to bring up the box, boot a one-floppy distro, a rescue cdr or a cdr distro like Knoppix, FIRE, PSK etc.
DO NOT boot the kernel from disk, but from the cdr/floppy.
DO NOT mount partitions in read-write mode.

After all this, check your system logs and passwd/group data, and verify the md5sums of installed packages against those from cdrom or other static means. Post any results out of the ordinary. Now please handle the questions below. Be as verbose as you can, and offer any info we haven't thought of that you think is necessary.

> I just recently built a Mandrake box here at work and we are behind a firewall.
- What kind of LAN, what kind of traffic granted?
- What Mandrake version, any upgrades applied, what services running?

> Today I was trying to troubleshoot a problem
Problems usually are what people notice. Please post it (in general) as it could be relevant.

> when I noticed an odd job in crontab,
Who is it owned by, what are the contents?

> then I noticed a directory called /var/bobsdata
Who is it owned by, what are the contents?

> Have I been hacked somehow?
I don't know. Precautions must take precedence over any priorities.

> Anyone have any information on how I could've been hacked
Hopefully we'll get to that later on.
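The live-collection half of step I above (netstat, lsof, ps, copying the running binaries out of /proc, then preserving passwd/group and the cron data the original poster was worried about) written up as one script. This is an added example and not code from either poster; it assumes POSIX sh on Linux with /proc mounted, takes the evidence directory as its one argument, and skips any tool that isn't installed instead of aborting. Unlike the find/xargs one-liner in the post, which writes every binary to /tmp under the same name "exe", it keys each copy by PID so they don't overwrite each other, and it md5sums the collected files so the evidence itself can be verified later. The caveat from the post still applies: on a rooted box the kernel may lie to every one of these commands, which is why the offline checks from static media come afterwards.

```shell
#!/bin/sh
# Added example (not from the thread): snapshot volatile state into an evidence
# directory before the box is powered off. Assumes POSIX sh and Linux /proc.
# Run as root. Output is only as trustworthy as the (possibly subverted) kernel.

# save_cmd NAME CMD ARGS...: run CMD, keep stdout+stderr in NAME.txt, and log
# the command and its exit status to the manifest. Missing tools are noted.
save_cmd() {
    name="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        # 'if' keeps a non-zero exit from killing a 'set -e' caller
        if "$@" > "$EVIDENCE_DIR/$name.txt" 2>&1; then rc=0; else rc=$?; fi
        printf '%s: %s (exit %s)\n' "$name" "$*" "$rc" >> "$EVIDENCE_DIR/manifest.txt"
    else
        printf '%s: SKIPPED (%s not found)\n' "$name" "$1" >> "$EVIDENCE_DIR/manifest.txt"
    fi
}

# save_file PATH: copy a config file (passwd, group, crontab) for later diffing
# against the copy on static media; the path becomes the file name.
save_file() {
    if [ -r "$1" ]; then
        cp -p "$1" "$EVIDENCE_DIR/files/$(printf '%s' "$1" | tr '/' '_')"
        printf 'file: %s\n' "$1" >> "$EVIDENCE_DIR/manifest.txt"
    fi
}

# copy_proc_exes: same idea as the thread's find/xargs one-liner, but keyed by
# PID so the binaries don't overwrite each other. -L follows the exe link, which
# still works on Linux when the attacker has deleted the file from disk.
copy_proc_exes() {
    for p in /proc/[0-9]*; do
        pid="${p#/proc/}"
        cp -L "$p/exe" "$EVIDENCE_DIR/procs/$pid.exe" \
            2>>"$EVIDENCE_DIR/procs/errors.log" || true   # kernel threads have no exe
    done
}

# collect_volatile DIR: the collection, most volatile data first.
collect_volatile() {
    EVIDENCE_DIR="$1"
    mkdir -p "$EVIDENCE_DIR/files" "$EVIDENCE_DIR/procs" || return 1
    : > "$EVIDENCE_DIR/manifest.txt"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$EVIDENCE_DIR/collected_at.txt"

    # 1. network connections and process state (the three commands from step I)
    save_cmd netstat netstat -np
    save_cmd lsof    lsof -n
    save_cmd ps      ps axwwwe
    save_cmd who     who -a

    # 2. what the original poster noticed: cron jobs, plus the account data
    #    the post says to check afterwards
    save_cmd cron_spool ls -la /var/spool/cron /etc/cron.d
    save_file /etc/crontab
    save_file /etc/passwd
    save_file /etc/group

    # 3. the running binaries, so they survive a later cleanup by the intruder
    copy_proc_exes

    # 4. hash everything collected so the evidence can be verified later
    if command -v md5sum >/dev/null 2>&1; then
        (cd "$EVIDENCE_DIR" && find . -type f ! -name HASHES.md5 -exec md5sum {} + \
            | sort > HASHES.md5)
    fi
    return 0
}

# Usage: collect_volatile /mnt/usb/evidence-$(hostname)   (writable removable
# media, not the suspect disk). Then drop to runlevel 1 and take a second
# "ps axwwwe" as the post describes; that step is deliberately not automated.
```

After the script finishes, the manifest shows which commands actually ran and with what exit status, which matters when the thread's advice about untrustworthy output comes into play: a netstat that exited non-zero, or a lsof that was "not found" on a box where it was installed, is itself a finding worth posting.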