LinuxQuestions.org
Old 11-19-2003, 03:42 PM   #1
Tenover
Member
Help! Have I been hacked?


I just recently built a Mandrake box here at work and we are behind a firewall. Today I was trying to troubleshoot a problem when I noticed an odd job in crontab, then I noticed a directory called /var/bobsdata.......Have I been hacked somehow? Anyone have any information on how I could've been hacked? Thanks.
 
Old 11-19-2003, 04:24 PM   #2
unSpawn
Moderator
Since you didn't offer any info like changed md5sums or other ways you verified your system, I'm gonna default to compromise mode:

I. If you're already logged in as root, do save the output from "netstat -np", "lsof -n" and "ps axwwwe". Run "find /proc -maxdepth 2 -name exe | xargs -iP cp -afL 'P' /tmp 2>&1|tee /tmp/procs.log". Now bring down the box to runlevel 1 and save another separate copy of "ps axwwwe". *Note: if the system has been subverted, no output can be trusted.

II. If you're not logged in as root, bring the box down by whichever means you've got. If you've got magic sysrq, make sure to sync before you power off.

III. Now shut the box down and do not bring it up again. Do this now.

IV. If you're not the LAN admin, notify them or your IT dept, or whoever is in charge.
If you've got to bring up the box, boot a one-floppy distro, a rescue CD-R, or a CD-R distro like Knoppix, FIRE, PSK, etc.
DO NOT boot the kernel from disk, but from the CD-R/floppy.
DO NOT mount partitions in read-write mode.


After all this, check your system logs and passwd/group data, and verify the md5sums of installed packages against those from the CD-ROM or other static means. Post any results out of the ordinary. Now please handle the questions below. Be as verbose as you can, and offer any info we haven't thought of that you think is necessary.

I just recently built a Mandrake box here at work and we are behind a firewall.
- What kind of LAN, what kind of traffic granted?
- What Mandrake version, any upgrades applied, what services running?

Today I was trying to troubleshoot a problem
Problems usually are what people notice. Please post it (in general) as it could be relevant.


when I noticed an odd job in crontab,
Who is it owned by, what are the contents?


then I noticed a directory called /var/bobsdata
Who is it owned by, what are the contents?


Have I been hacked somehow?
I don't know. Precautions must take precedence over any priorities.


Anyone have any information on how I could've been hacked
We'll hopefully get to that later on.
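The steps in the reply above, written out as a small triage script. This is an added, constructed example and not a script from the thread or from any of its posters; it assumes GNU coreutils/findutils/procps, lsof and rpm are available (Mandrake is RPM based), and the paths /tmp/evidence and /mnt/suspect are placeholders. The live part (step I) copies each running process's binary under its own PID rather than into a single /tmp/exe, so one copy does not overwrite the next; the offline part (step IV onward) operates only on a read-only mount of the suspect disk, which is also what makes it easy to exercise against a constructed directory tree.

```sh
#!/bin/sh
# Triage helper following the order of the steps in the reply above.
# Added, constructed example, not a script from the thread. Assumed tools:
# GNU coreutils/findutils/procps, lsof, rpm. /tmp/evidence and /mnt/suspect
# are placeholder paths.

# Step I (only if already root on the live box): save volatile data and a
# copy of the binary behind every running process. /proc/PID/exe still yields
# the running image even if the file on disk was deleted or replaced after
# the process started. Everything is checksummed so the collection can later
# be shown unchanged. $1 should be removable media or an NFS share, not the
# suspect disk.
collect_volatile() {
    ev="$1"
    mkdir -p "$ev/procs"
    netstat -np > "$ev/netstat.txt" 2>&1
    lsof -n     > "$ev/lsof.txt"    2>&1
    ps axwwwe   > "$ev/ps-live.txt" 2>&1
    for exe in /proc/[0-9]*/exe; do
        pid=${exe#/proc/}; pid=${pid%/exe}
        cp -afL "$exe" "$ev/procs/$pid" 2>>"$ev/procs.log" || true
    done
    # After "telinit 1", repeat the ps snapshot as ps-rl1.txt and diff the two.
    ( cd "$ev" && find . -type f ! -name MD5SUMS -exec md5sum {} + > MD5SUMS )
}

# Step IV onward: the suspect disk is mounted read-only at $1 from rescue
# media, so nothing below runs the suspect kernel or its binaries.

# Print every active cron entry (non-comment, non-blank lines) from the
# system crontab, /etc/cron.d and the per-user spool as "file<TAB>line".
# For the spool, the file name is the owning user, which answers "who owns it".
list_cron_jobs() {
    root="$1"
    for f in "$root/etc/crontab" "$root"/etc/cron.d/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        awk -v f="${f#$root}" '!/^[ \t]*(#|$)/ { print f "\t" $0 }' "$f"
    done
}

# List setuid/setgid files and, if $2 names a reference file, every file
# modified after it. A file carrying a known-good timestamp (e.g. from the
# install date) is a useful reference for the "what changed" question.
find_suspicious_files() {
    root="$1"; ref="$2"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
    if [ -n "$ref" ]; then
        find "$root" -xdev -type f -newer "$ref" -print
    fi
}

# Verify installed package payloads against the rpm database on the mounted
# disk. Lines flagged "c" are config files, which legitimately differ. A
# clean result is not proof: the database and rpm itself can be edited by an
# intruder, hence the advice above to compare against md5sums from CD-ROM.
verify_packages() {
    rpm -Va --root "$1" 2>&1 | grep -v '[[:space:]]c[[:space:]]/' || true
}

case "${1:-}" in
    live)    collect_volatile "${2:-/tmp/evidence}" ;;
    offline) list_cron_jobs "$2"; find_suspicious_files "$2" "${3:-}"; verify_packages "$2" ;;
esac
```

Usage: `sh triage.sh live /mnt/usb/evidence` on the running box (as root, before going to runlevel 1), then from rescue media with the disk mounted read-only, `sh triage.sh offline /mnt/suspect /mnt/suspect/etc/hostname` to list cron entries, setuid files and files newer than the reference, and to run the rpm verification.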