Old 04-11-2004, 08:30 AM   #1
Registered: Jul 2003
Posts: 90

Weird restart, my system's compromised?

Thought I'd move this here from general:

Hmm, my computer had restarted itself last night and I have no idea why.
This is what is logged:

Apr 10 01:45:55 warmachine -- MARK --
Apr 10 02:04:29 warmachine sshd[22900]: Accepted password for * from ::ffff:* port 18308 ssh2
Apr 10 02:04:29 warmachine sshd[22902]: subsystem request for sftp
Apr 10 02:16:21 warmachine sshd[22908]: Accepted password for * from ::ffff:* port 18161 ssh2
Apr 10 02:16:22 warmachine sshd[22910]: subsystem request for sftp
Apr 10 01:36:45 warmachine syslogd 1.4.1: restart.
Apr 10 01:36:46 warmachine kernel: klogd 1.4.1, log source = /proc/kmsg started.
Apr 10 01:36:46 warmachine kernel: BIOS-provided physical RAM map:
Apr 10 01:36:46 warmachine kernel: 511MB LOWMEM available.

What might have caused the restart? And what's up with the timestamps, 02:xx before 01:xx?

chkrootkit doesn't find anything except:

Checking `ldsopreload'... can't exec ./strings-static, not tested

Searching for suspicious files and dirs, it may take a while...
/usr/lib/php/.filemap /usr/lib/php/.lock /usr/lib/php/.registry /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/UI/.packlist /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/Irc/.packlist /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/TextUI/.packlist /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/.packlist /usr/lib/perl5/5.8.0/i486-linux/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/DBI/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/UI/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/Irc/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/TextUI/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/.packlist /usr/lib/j2sdk1.4.2_01/.systemPrefs /usr/lib/j2sdk1.4.2_01/.systemPrefs/.systemRootModFile /usr/lib/j2sdk1.4.2_01/.systemPrefs/.system.lock /usr/lib/python2.3/site-packages/freeze/.cvsignore
/usr/lib/php/.registry /usr/lib/j2sdk1.4.2_01/.systemPrefs

Searching for anomalies in shell history files... Warning: `//root/.mysql_history' file size is zero

Checking `sniffer'... not tested: can't exec ./ifpromisc

Checking `wted'... not tested: can't exec ./chkwtmp

Checking `z2'... not tested: can't exec ./chklastlog

Is my system compromised and what can I do to fix it?
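An added example, not part of the original thread: a small log review that flags the two things the post asks about, timestamps that run backwards and a syslogd restart with no shutdown record before it, and lists the SSH logins recorded before that restart. The log lines are copied from the post; the year 2004 (taken from the post date) and the function names are assumptions of this example.

```python
import re
from datetime import datetime

# Log lines copied from the post above. Syslog timestamps carry no year,
# so 2004 (the post's date) is assumed.
SAMPLE = """\
Apr 10 01:45:55 warmachine -- MARK --
Apr 10 02:04:29 warmachine sshd[22900]: Accepted password for * from ::ffff:* port 18308 ssh2
Apr 10 02:04:29 warmachine sshd[22902]: subsystem request for sftp
Apr 10 02:16:21 warmachine sshd[22908]: Accepted password for * from ::ffff:* port 18161 ssh2
Apr 10 02:16:22 warmachine sshd[22910]: subsystem request for sftp
Apr 10 01:36:45 warmachine syslogd 1.4.1: restart.
Apr 10 01:36:46 warmachine kernel: klogd 1.4.1, log source = /proc/kmsg started.
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse(text, year=2004):
    """Yield (timestamp, message) for each well-formed syslog line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(3)

def review(text):
    """Return findings as (kind, detail) tuples, in log order."""
    findings, prev_ts, prev_msg, logins = [], None, "", []
    for ts, msg in parse(text):
        if prev_ts and ts < prev_ts:
            # Clock went backwards: report the size of the jump in seconds.
            findings.append(("clock_regression", int((prev_ts - ts).total_seconds())))
        if re.match(r"syslogd \S+: restart", msg):
            # sysklogd writes "exiting on signal 15" when it is stopped cleanly.
            if "exiting on signal" not in prev_msg:
                findings.append(("restart_without_shutdown_record", ts.strftime("%H:%M:%S")))
            findings.extend(("login_before_restart", pid) for pid in logins)
            logins = []
        m = re.match(r"sshd\[(\d+)\]: Accepted \w+ for ", msg)
        if m:
            logins.append(int(m.group(1)))
        prev_ts, prev_msg = ts, msg
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

A missing shutdown record only shows that the machine did not go down through a normal shutdown (power loss, crash and hard reset all look the same); the listed logins are what to check against known users and source addresses.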
Old 04-11-2004, 10:00 AM   #2
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,191
Blog Entries: 4

Your original post wasn't in General, it was in Linux-General. If you really want your post to be moved, report it to a moderator and ask for it to be moved.

Please do not post the same thread in more than one forum. Picking the most relevant forum and posting it once there makes it easier for other members to help you and keeps the discussion all in one place.
Old 04-11-2004, 06:51 PM   #3
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 65
Quote: Thought I'd move this here from general:
That's why there are moderators and it would more accurately be double posting rather than moving.

Thread Closed - If you would like the original thread moved, report it to the Linux - General moderators and request that it be moved here.

Please direct any replies to the original thread:

All times are GMT -5.