Old 04-11-2004, 07:30 AM   #1
herc
Member
 
Registered: Jul 2003
Posts: 90

Rep: Reputation: 15
Weird restart, my system's compromised?


Thought I'd move this here from general:

Hmm, my computer had restarted itself last night and I have no idea why.
This is what is logged:

...
Apr 10 01:45:55 warmachine -- MARK --
Apr 10 02:04:29 warmachine sshd[22900]: Accepted password for * from ::ffff:* port 18308 ssh2
Apr 10 02:04:29 warmachine sshd[22902]: subsystem request for sftp
Apr 10 02:16:21 warmachine sshd[22908]: Accepted password for * from ::ffff:* port 18161 ssh2
Apr 10 02:16:22 warmachine sshd[22910]: subsystem request for sftp
Apr 10 01:36:45 warmachine syslogd 1.4.1: restart.
Apr 10 01:36:46warmachine kernel: klogd 1.4.1, log source = /proc/kmsg started.
Apr 10 01:36:46 warmachine kernel: BIOS-provided physical RAM map:
Apr 10 01:36:46 warmachine kernel: 511MB LOWMEM available.
...

What might have caused the restart? And what's up with the timestamps, 02:xx before 01:xx?


chkrootkit doesn't find anything except:

Checking `ldsopreload'... can't exec ./strings-static, not tested

Searching for suspicious files and dirs, it may take a while...
/usr/lib/php/.filemap /usr/lib/php/.lock /usr/lib/php/.registry /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/UI/.packlist /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/Irc/.packlist /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/TextUI/.packlist /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/.packlist /usr/lib/perl5/5.8.0/i486-linux/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/DBI/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/UI/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/Irc/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/TextUI/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/.packlist /usr/lib/j2sdk1.4.2_01/.systemPrefs /usr/lib/j2sdk1.4.2_01/.systemPrefs/.systemRootModFile /usr/lib/j2sdk1.4.2_01/.systemPrefs/.system.lock /usr/lib/python2.3/site-packages/freeze/.cvsignore
/usr/lib/php/.registry /usr/lib/j2sdk1.4.2_01/.systemPrefs

Searching for anomalies in shell history files... Warning: `//root/.mysql_history' file size is zero

Checking `sniffer'... not tested: can't exec ./ifpromisc

Checking `wted'... not tested: can't exec ./chkwtmp

Checking `z2'... not tested: can't exec ./chklastlog


Is my system compromised and what can I do to fix it?
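
A check for the two things the post above asks about, as an added example that is not part of the original thread: it scans the quoted log for timestamps that run backwards, notes whether the jump lands on a `syslogd` restart line, and lists the accepted SSH logins recorded before it. The year 2004 is an assumption taken from the post date, since syslog stamps carry no year; `parse` and `review` are names made up for this example.

```python
import re
from datetime import datetime

# Log lines copied from the post above (user and address were already masked with *).
SAMPLE = """\
Apr 10 01:45:55 warmachine -- MARK --
Apr 10 02:04:29 warmachine sshd[22900]: Accepted password for * from ::ffff:* port 18308 ssh2
Apr 10 02:04:29 warmachine sshd[22902]: subsystem request for sftp
Apr 10 02:16:21 warmachine sshd[22908]: Accepted password for * from ::ffff:* port 18161 ssh2
Apr 10 02:16:22 warmachine sshd[22910]: subsystem request for sftp
Apr 10 01:36:45 warmachine syslogd 1.4.1: restart.
Apr 10 01:36:46warmachine kernel: klogd 1.4.1, log source = /proc/kmsg started.
Apr 10 01:36:46 warmachine kernel: BIOS-provided physical RAM map:
"""

# Classic syslog stamp; \s* after the time tolerates the missing space seen in the post.
LINE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s*(\S+)\s+(.*)$")

def parse(line, year):
    """Return (timestamp, host, message), or None for lines that are not syslog records."""
    m = LINE.match(line)
    if not m:
        return None
    # Syslog stamps carry no year, so the caller supplies one (assumption: 2004).
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def review(text, year=2004):
    """Report backwards time jumps, whether each is a syslogd restart, and prior logins."""
    findings, prev, logins = [], None, []
    for no, raw in enumerate(text.splitlines(), 1):
        rec = parse(raw, year)
        if rec is None:
            continue
        ts, _host, msg = rec
        if prev is not None and ts < prev:
            findings.append({"line": no, "back_s": int((prev - ts).total_seconds()),
                             "restart": "syslogd" in msg and "restart" in msg,
                             "logins_before": list(logins)})
            logins.clear()
        if "sshd[" in msg and msg.split(": ", 1)[-1].startswith("Accepted "):
            logins.append(no)
        prev = ts
    return findings

if __name__ == "__main__":
    for f in review(SAMPLE):
        print(f)
```

On the quoted excerpt this reports a single backwards jump at the `syslogd` restart line, with both accepted logins listed before it.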
 
Old 04-11-2004, 09:00 AM   #2
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Lubuntu
Posts: 19,176
Blog Entries: 4

Rep: Reputation: 430
Your original post wasn't in General, it was in Linux-General. If you really want your post to be moved, report it to a moderator and ask for it to be moved.

Please do not post the same thread in more than one forum. Picking the most relevant forum and posting it once there makes it easier for other members to help you and keeps the discussion all in one place.

http://www.linuxquestions.org/rules.php
 
Old 04-11-2004, 05:51 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Thought I'd move this here from general:
That's why there are moderators, and it would more accurately be double posting rather than moving.

Thread Closed - If you would like the original thread moved, report it to the Linux - General moderators and request that it be moved here.

Please direct any replies to the original thread:
http://www.linuxquestions.org/questi...656#post871656
 
  


All times are GMT -5.