LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-10-2006, 08:57 PM   #1
nevarlen
Member
 
Registered: Feb 2005
Distribution: Debian 3.x & Fedora Core 3, Debie on IBM Thinkpad
Posts: 68

Rep: Reputation: 15
Wondering if my machine is Compromised??


Hello All,
I have almost everything in place on my machine to prevent unauthorized access and so far everything has been great, meaning I blocked all brute force attacks, kept the system up-to-date, etc. However I just noticed a home directory created on October 17 for a user called "goetz" who never logged in. Although there is only a temp folder under the directory, I am a little paranoid about this anonymous dir. I tried looking into almost every log file, but I could not see anything. Strangely, though, everything under /var/log covers events from December through today.
I know it may be hard to tell, or very easy to tell, but do you all think my machine has been compromised? If so, what can I do to confirm it?
Any help would be greatly appreciated..
 
Old 01-10-2006, 09:51 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally Posted by nevarlen
Strangely though everything under /var/log covers events from December through today.
What about the older rotated logs like /var/log/messages.1 or /var/log/secure.1 ?

Quote:
Originally Posted by nevarlen
Although there is only a temp folder under the directory, I am a little paranoid about this anonymous dir
Anything in it? Make sure everything is normal and you don't have odd files like '...' or hidden files. Also what does 'find / -newer /home/goetz -user goetz' turn up?

Are there any other possible explanations, like other users/admins who could have added it? Have you installed any software around that time period?

Is there anything in the bash history of goetz?

WRT security, do you have a file alteration detector like tripwire or samhain installed on the system?
 
Old 01-10-2006, 10:32 PM   #3
nevarlen
Member
 
Registered: Feb 2005
Distribution: Debian 3.x & Fedora Core 3, Debie on IBM Thinkpad
Posts: 68

Original Poster
Rep: Reputation: 15
Thanks for the reply Capt_Caveman,
I am running Mandriva 10.2.
Details of log files are as follows:
-rw-r----- 1 root adm 4206 Jan 8 04:02 /var/log/auth.log.1.gz
-rw-r----- 1 root adm 2090 Jan 1 04:02 /var/log/auth.log.2.gz
-rw-r----- 1 root adm 8083 Dec 25 04:02 /var/log/auth.log.3.gz
-rw-r----- 1 root adm 4614 Dec 18 04:02 /var/log/auth.log.4.gz
-rw-r----- 1 root adm 7512 Dec 12 04:02 /var/log/auth.log.5.gz
-rw-r----- 1 root adm 180589 Jan 8 04:02 /var/log/boot.log.1.gz
-rw-r----- 1 root adm 175679 Jan 1 04:02 /var/log/boot.log.2.gz
-rw-r----- 1 root adm 175009 Dec 25 04:02 /var/log/boot.log.3.gz
-rw-r----- 1 root adm 147799 Dec 18 04:02 /var/log/boot.log.4.gz
-rw-r----- 1 root adm 176869 Dec 12 04:02 /var/log/boot.log.5.gz
-rw-r----- 1 root adm 20 Jan 8 04:02 /var/log/explanations.1.gz
-rw-r----- 1 root adm 20 Jan 1 04:02 /var/log/explanations.2.gz
-rw-r----- 1 root adm 123 Dec 25 04:02 /var/log/explanations.3.gz
-rw-r----- 1 root adm 20 Dec 18 04:02 /var/log/explanations.4.gz
-rw-r----- 1 root adm 757 Dec 12 04:02 /var/log/explanations.5.gz
-rw-r----- 1 root adm 251 Jan 1 04:02 /var/log/lastlog.1.gz
-rw-r----- 1 root adm 234700 Jan 8 04:02 /var/log/messages.1.gz
-rw-r----- 1 root adm 238741 Jan 1 04:02 /var/log/messages.2.gz
-rw-r----- 1 root adm 220320 Dec 25 04:02 /var/log/messages.3.gz
-rw-r----- 1 root adm 183026 Dec 18 04:02 /var/log/messages.4.gz
-rw-r----- 1 root adm 261550 Dec 12 04:02 /var/log/messages.5.gz
-rw-r----- 1 root adm 7540 Jan 8 04:02 /var/log/rpmpkgs.1.gz
-rw-r----- 1 root adm 7528 Jan 1 04:02 /var/log/rpmpkgs.2.gz
-rw-r----- 1 root adm 7528 Dec 25 04:02 /var/log/rpmpkgs.3.gz
-rw-r----- 1 root adm 7528 Dec 18 04:02 /var/log/rpmpkgs.4.gz
-rw-r----- 1 root adm 102 Sep 14 04:02 /var/log/scrollkeeper.log.1.gz
-rw-r----- 1 root adm 341 May 29 2005 /var/log/scrollkeeper.log.2.gz
-rw-r----- 1 root adm 3107 Jan 8 04:02 /var/log/secure.1.gz
-rw-r----- 1 root adm 965 Jan 1 04:02 /var/log/secure.2.gz
-rw-r----- 1 root adm 6511 Dec 25 04:02 /var/log/secure.3.gz
-rw-r----- 1 root adm 3854 Dec 18 04:02 /var/log/secure.4.gz
-rw-r----- 1 root adm 5020 Dec 12 04:02 /var/log/secure.5.gz
-rw-r----- 1 root adm 717233 Jan 1 04:02 /var/log/security.log.1.gz
-rw-r----- 1 root adm 711510 Dec 1 04:02 /var/log/security.log.2.gz
-rw-r----- 1 root adm 731439 Nov 1 04:02 /var/log/security.log.3.gz
-rw-r----- 1 root adm 258020 Jan 8 04:02 /var/log/syslog.1.gz
-rw-r----- 1 root adm 263086 Jan 1 04:02 /var/log/syslog.2.gz
-rw-r----- 1 root adm 240116 Dec 25 04:02 /var/log/syslog.3.gz
-rw-r----- 1 root adm 206025 Dec 18 04:02 /var/log/syslog.4.gz
-rw-r----- 1 root adm 289558 Dec 12 04:02 /var/log/syslog.5.gz
-rw-r----- 1 root adm 68 Jan 8 04:02 /var/log/urpmi.log.1.gz
-rw-r----- 1 root adm 452 Jan 3 04:02 /var/log/urpmi.log.2.gz
-rw-r----- 1 root adm 90 Dec 20 04:02 /var/log/urpmi.log.3.gz
-rw-r----- 1 root adm 658 Dec 7 04:02 /var/log/urpmi.log.4.gz
-rw-r----- 1 root adm 256 Jan 8 04:02 /var/log/user.log.1.gz
-rw-r----- 1 root adm 248 Jan 1 04:02 /var/log/user.log.2.gz
-rw-r----- 1 root adm 124 Dec 25 04:02 /var/log/user.log.3.gz
-rw-r----- 1 root adm 20 Dec 18 04:02 /var/log/user.log.4.gz
-rw-r----- 1 root adm 883 Dec 12 04:02 /var/log/user.log.5.gz
-rw-r----- 1 root adm 5910 Jan 1 04:02 /var/log/wtmp.1.gz

There is also security.log.4, which was created Oct 1, 2005, but it only shows the world-writable files.

As for goetz's home dir, ls -all /home/goetz gives me:
drwxr-xr-x 3 goetz goetz 4096 Oct 17 21:57 ./
drwxr-xr-x 11 root root 4096 Oct 17 21:57 ../
-rw-r--r-- 1 goetz goetz 24 Oct 17 21:57 .bash_logout
-rw-r--r-- 1 goetz goetz 191 Oct 17 21:57 .bash_profile
-rw-r--r-- 1 goetz goetz 231 Oct 17 21:57 .bashrc
-rw-r--r-- 1 goetz goetz 3729 Oct 17 21:57 .screenrc
drwx------ 2 goetz goetz 4096 Oct 17 21:57 tmp/


As for other possible explanations:
I am the only admin on the machine; no one else could have created this.
As far as file alterations go, I have the default tool that came with Mandriva which notifies root of any alteration. Unfortunately, I stopped paying attention to these emails a while ago. Now, when I search for the emails from around October, I am not able to see anything.
If we assume the worst case scenario, I may need to rebuild the system. What do you suggest as the easiest way to migrate the existing mysql data (this is my only concern)?
Thanks again..
 
Old 01-10-2006, 10:40 PM   #4
nevarlen
Member
 
Registered: Feb 2005
Distribution: Debian 3.x & Fedora Core 3, Debie on IBM Thinkpad
Posts: 68

Original Poster
Rep: Reputation: 15
I forgot to add the result for:
# find / -newer /home/goetz -user goetz
find: WARNING: Hard link count is wrong for /proc: this may be a bug in your filesystem driver. Automatically turning on find's -noleaf option. Earlier results may have failed to include directories that should have been searched.
find: /proc/5520/task/5520/fd/4: No such file or directory
find: /proc/5520/fd/4: No such file or directory
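The checks Capt_Caveman lists in post #2 (rotated logs, odd file names, find -newer, bash history), collected into one POSIX sh script. This is an example added to the thread, not code from either poster. It assumes the rotated logs are gzip'd files in a single directory as in the listing in post #3, and that the account's numeric uid is known (from /etc/passwd or stat). It prunes /proc, /sys and /dev, which is what produced the warnings in post #4, and matches on uid instead of -user so that files are still found if the account has since been removed from /etc/passwd. The log lines in the comments and the test paths are constructed, not taken from the thread.

```shell
#!/bin/sh
# Triage helpers for an unexplained home directory such as /home/goetz.
# Added example, not code from the thread. Assumes gzip'd rotated logs in one
# directory and a known numeric uid for the account.

# Files under $3 (default /) owned by uid $2 and modified after $1.
# /proc, /sys and /dev are pruned (the source of the warnings in post #4);
# -uid keeps working when the account no longer exists in /etc/passwd.
newer_files_by_uid() {
    ref="$1"; uid="$2"; root="${3:-/}"
    find "$root" \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
        -newer "$ref" -uid "$uid" -print 2>/dev/null
}

# Names that are easy to overlook in 'ls': made only of dots ('...') or
# containing a space. Ordinary dot-files are already visible with 'ls -la'.
odd_names() {
    find "$1" -mindepth 1 \( -name '...*' -o -name '* *' \) -print 2>/dev/null
}

# Count lines matching $2 in every plain or gzip'd log under $1.
# Prints "file:count" for each file with at least one hit, e.g. a
# (constructed) "useradd[123]: new user: name=goetz" line in auth.log.1.gz.
grep_rotated_logs() {
    logdir="$1"; pattern="$2"
    for f in "$logdir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.gz) n=$(gzip -dc "$f" | grep -c -- "$pattern" || true) ;;
            *)    n=$(grep -c -- "$pattern" "$f" || true) ;;
        esac
        [ "$n" -gt 0 ] && printf '%s:%s\n' "$f" "$n"
    done
    return 0
}

# State of the account's bash history: absent, present (with line count),
# or a symlink. A history file that is a symlink (typically to /dev/null)
# means nothing was ever recorded, which is itself worth noting.
bash_history_status() {
    h="$1/.bash_history"
    if [ -L "$h" ]; then
        printf 'symlink -> %s\n' "$(readlink "$h")"
    elif [ -f "$h" ]; then
        printf 'present, %s lines\n' "$(wc -l < "$h" | tr -d ' ')"
    else
        printf 'absent\n'
    fi
}

# Usage: sh triage.sh /home/goetz <uid> /var/log
if [ $# -eq 3 ]; then
    echo "== files owned by uid $2 newer than $1"; newer_files_by_uid "$1" "$2" /
    echo "== odd names under $1";                 odd_names "$1"
    echo "== bash history";                       bash_history_status "$1"
    echo "== mentions of $(basename "$1") in $3"; grep_rotated_logs "$3" "$(basename "$1")"
fi
```

Run it as root so find can descend into every directory. Note what the listing in post #3 implies for the log search: every weekly archive (auth.log, secure, messages, syslog) starts in December, so the only rotated files old enough to cover October 17 are the monthly security.log ones, and those hold msec output rather than login records. The script will confirm that quickly, but it cannot recover logs that have already been rotated away.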
 
  

