LinuxQuestions.org

herc 04-11-2004 07:30 AM

Weird restart, my system's compromised?
 
Thought I'd move this here from General:

Hmm, my computer had restarted itself last night and I have no idea why.
This is what is logged:

...
Apr 10 01:45:55 warmachine -- MARK --
Apr 10 02:04:29 warmachine sshd[22900]: Accepted password for * from ::ffff:* port 18308 ssh2
Apr 10 02:04:29 warmachine sshd[22902]: subsystem request for sftp
Apr 10 02:16:21 warmachine sshd[22908]: Accepted password for * from ::ffff:* port 18161 ssh2
Apr 10 02:16:22 warmachine sshd[22910]: subsystem request for sftp
Apr 10 01:36:45 warmachine syslogd 1.4.1: restart.
Apr 10 01:36:46 warmachine kernel: klogd 1.4.1, log source = /proc/kmsg started.
Apr 10 01:36:46 warmachine kernel: BIOS-provided physical RAM map:
Apr 10 01:36:46 warmachine kernel: 511MB LOWMEM available.
...

What might have caused the restart? And what's up with the timestamps, 02:xx before 01:xx?


chkrootkit doesn't find anything except:

Checking `ldsopreload'... can't exec ./strings-static, not tested

Searching for suspicious files and dirs, it may take a while...
/usr/lib/php/.filemap /usr/lib/php/.lock /usr/lib/php/.registry /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/UI/.packlist /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/Irc/.packlist /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/TextUI/.packlist /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/.packlist /usr/lib/perl5/5.8.0/i486-linux/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/DBI/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/UI/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/Irc/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/TextUI/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/.packlist /usr/lib/j2sdk1.4.2_01/.systemPrefs /usr/lib/j2sdk1.4.2_01/.systemPrefs/.systemRootModFile /usr/lib/j2sdk1.4.2_01/.systemPrefs/.system.lock /usr/lib/python2.3/site-packages/freeze/.cvsignore
/usr/lib/php/.registry /usr/lib/j2sdk1.4.2_01/.systemPrefs

Searching for anomalies in shell history files... Warning: `//root/.mysql_history' file size is zero

Checking `sniffer'... not tested: can't exec ./ifpromisc

Checking `wted'... not tested: can't exec ./chkwtmp

Checking `z2'... not tested: can't exec ./chklastlog


Is my system compromised and what can I do to fix it? :(

XavierP 04-11-2004 09:00 AM

Your original post wasn't in General, it was in Linux-General. If you really want your post to be moved, report it to a moderator and ask for it to be moved.

Please do not post the same thread in more than one forum. Picking the most relevant forum and posting it once there makes it easier for other members to help you and keeps the discussion all in one place.

http://www.linuxquestions.org/rules.php

Capt_Caveman 04-11-2004 05:51 PM

"Thought I'd move this here from General:"
That's why there are moderators, and it would more accurately be double posting rather than moving.

Thread Closed - If you would like the original thread moved, report it to the Linux - General moderators and request that it be moved here.

Please direct any replies to the original thread:
http://www.linuxquestions.org/questi...656#post871656


All times are GMT -5.