LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
Old 02-13-2003, 07:05 PM   #1
HwzrHlslndr
Member
 
Registered: Dec 2002
Location: New Hampshire
Distribution: Red Hat 8
Posts: 176

Rep: Reputation: 30
Did I just get hacked?


I need someone who knows what they're doing. Words of reassurance would be welcomed, but please be honest...

I preface this post with the comment that I may be in paranoia mode...

I recently configured Tripwire...

Everything is running fine on this RH8 machine--always has. But the machine just rebooted for no apparent reason! I had LimeWire running and Web Browser and email and a digital camera plugged in that I was trying to set up, but with no luck so far.

Scared the shite out of me when it went to a black screen and then rebooted--probably because I've never had this happen since I built this machine. It has always operated flawlessly.

I ran a tripwire --check and I see some things that concern me, but honestly, I do not yet know how to interpret/read the reports. I am happy to share the results of this tripwire report as long as what is in it is not sensitive info, which it may well be.

Sorry to ramble, but I am just really worried about this event. First time I've considered dumping Linux and I don't like the feeling.

I need a friend here guys and gals!

Thomas
 
Old 02-13-2003, 07:06 PM   #2
HwzrHlslndr
Original Poster
I am running a firewall with medium security and also a firewall with my router.
 
Old 02-13-2003, 07:34 PM   #3
ferreter
Member
 
Registered: Oct 2002
Location: USA, IL
Distribution: Debian/Gentoo/Slack
Posts: 215

Rep: Reputation: 30
Why don't you go ahead and post that report for tripwire so we can take a look at it. A reboot out of the blue can happen for various reasons. How long had the machine been on before it did that as well. if you do a dmesg, are there any errors on boot up? Thanks.
 
Old 02-13-2003, 07:37 PM   #4
nxny
Member
 
Registered: May 2002
Location: AK - The last frontier.
Distribution: Red Hat 8.0, Slackware 8.1, Knoppix 3.7, Lunar 1.3, Sorcerer
Posts: 771

Rep: Reputation: 30
Doesn't sound like you were hacked at all. Rest assured.

What exactly were you doing to get your camera set up? I think I've seen an 'unrequested' sudden reboot before because I tried to do something I wasn't quite sure about.
 
Old 02-13-2003, 07:47 PM   #5
HwzrHlslndr
Original Poster
The dmesg command shows nothing that I can see other than some messages about IRQ: have 9; wanted 3. I have never known what these mean, but have seen them before.

I saved the tripwire report into an .SXW file and have tried many times to copy and paste here, but am unable to. Don't know why.
 
Old 02-13-2003, 07:49 PM   #6
HwzrHlslndr
Original Poster
I have always been able to copy from shell and paste into this forum so I can run the tripwire check again and copy and paste for your info, but I am not sure if the next tripwire report will be the one you want.
 
Old 02-13-2003, 07:55 PM   #7
HwzrHlslndr
Original Poster
Here is the tripwire report. Had to save it to .txt in order to paste here.

# /usr/sbin/tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
### Warning: File system error.
### Filename: /etc/tripwire/localhost-local.key
### No such file or directory
### Continuing...
Wrote report file: /var/lib/tripwire/report/localhost.localdomain-20030213-190012.twr


Tripwire(R) 2.3.0 Integrity Check Report

Report generated by: root
Report created on: Thu 13 Feb 2003 07:00:12 PM EST
Database last updated on: Never

===============================================================================
Report Summary:
===============================================================================

Host name: localhost.localdomain
Host IP address: XXXXXXX (X'd out by me)
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/localhost.localdomain.twd
Command line used: /usr/sbin/tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

Rule Name                                    Severity Level  Added  Removed  Modified
---------                                    --------------  -----  -------  --------
Invariant Directories                        66              0      0        0
Temporary directories                        33              0      0        0
* Tripwire Data Files                        100             1      0        0
Critical devices                             100             0      0        0
User binaries                                66              0      0        0
Tripwire Binaries                            100             0      0        0
* Critical configuration files               100             0      0        2
Libraries                                    66              0      0        0
Operating System Utilities                   100             0      0        0
File System and Disk Administraton Programs  100             0      0        0
Kernel Administration Programs               100             0      0        0
Networking Programs                          100             0      0        0
System Administration Programs               100             0      0        0
Hardware and Device Control Programs         100             0      0        0
System Information Programs                  100             0      0        0
Application Information Programs             100             0      0        0
Shell Related Programs                       100             0      0        0
Critical Utility Sym-Links                   100             0      0        0
Shell Binaries                               100             0      0        0
Critical system boot files                   100             0      0        0
* System boot changes                        100             4      0        13
OS executables and libraries                 100             0      0        0
Security Control                             100             0      0        0
Login Scripts                                100             0      0        0
* Root config files                          100             1      2        1

Total objects scanned: 44850
Total violations found: 24

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/localhost.localdomain.twd"

-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/log)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/log/sa/sa10"
"/var/log/sa/sa11"
"/var/log/sa/sa12"
"/var/log/sa/sa13"

Modified:
"/var/log/gdm/:0.log"
"/var/log/gdm/:0.log.1"
"/var/log/gdm/:0.log.2"
"/var/log/gdm/:0.log.3"
"/var/log/gdm/:0.log.4"
"/var/log/ksyms.0"
"/var/log/ksyms.1"
"/var/log/ksyms.2"
"/var/log/ksyms.3"
"/var/log/ksyms.4"
"/var/log/ksyms.5"
"/var/log/ksyms.6"

-------------------------------------------------------------------------------
Rule Name: Critical configuration files (/etc/sysconfig)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/etc/sysconfig/hwconf"
"/etc/sysconfig/networking/profiles/default/resolv.conf"

-------------------------------------------------------------------------------
Rule Name: System boot changes (/dev/log)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/dev/log"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/root/.xauthM9qZB4"

Removed:
"/root/. XXXXXXX (X'd out by me)
"/root/. XXXXXXX (X'd out by me)

Modified:
"/root"

===============================================================================
Error Report:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

1. File system error.
Filename: /etc/tripwire/localhost-local.key
No such file or directory

-------------------------------------------------------------------------------
*** End of report ***

Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
 
Old 02-13-2003, 08:03 PM   #8
Bert
Senior Member
 
Registered: Jul 2001
Location: 406292E 290755N
Distribution: GNU/Linux Slackware 8.1, Redhat 8.0, LFS 4.0
Posts: 1,004

Rep: Reputation: 46
There's nothing funny there I think, but a misconfigured device will lead to a resource conflict, PnP will panic and try to reset by ... err, rebooting usually.

Your camera wanted a higher priority IRQ than it got. It got mad. Try rerunning pnpdump.

Bert

edit: actually that modified hwconf and resolv.conf is concerning. Did you do that?

Last edited by Bert; 02-13-2003 at 08:06 PM.
 
Old 02-13-2003, 08:06 PM   #9
ferreter
Bert's right on the money more than likely, plus you never set up the tripwire database so the report wouldn't help us anyways. If you're paranoid about it get the chkrootkit script from sourceforge.net to look for any rootkits.
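As an added example (not from the thread and not part of Tripwire itself), here is a small Python triage script that reads a Rule Summary like the one posted above and pulls out the two caveats a reviewer would want first: the missing local key from the Error Report, and the "Database last updated on: Never" line that ferreter's point is about. The sample text is a constructed excerpt modelled on the posted report, and the count cross-check at the end is an assumption about how the summary line relates to the per-rule columns.

```python
import re

# Constructed excerpt modelled on the report pasted in the thread (not the poster's full output).
SAMPLE_REPORT = """\
Database last updated on: Never

Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
Invariant Directories 66 0 0 0
* Tripwire Data Files 100 1 0 0
* Critical configuration files 100 0 0 2
* System boot changes 100 4 0 13
* Root config files 100 1 2 1

Total violations found: 24

1. File system error.
Filename: /etc/tripwire/localhost-local.key
No such file or directory
"""

# One Rule Summary row: optional "*" marker, rule name, then four integer columns.
ROW = re.compile(r"^(?:\*\s+)?(?P<name>.+?)\s+(?P<sev>\d+)\s+(?P<add>\d+)\s+(?P<rem>\d+)\s+(?P<mod>\d+)$")

def parse_rule_summary(text):
    """Return the Rule Summary rows as dicts with integer counts."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"name": m["name"], "severity": int(m["sev"]), "added": int(m["add"]),
                         "removed": int(m["rem"]), "modified": int(m["mod"])})
    return rows

def triage(text):
    """Return (caveats, violated_rules); violated rules sorted by severity, then by change count."""
    caveats = []
    if re.search(r"^Database last updated on: Never$", text, re.M):
        caveats.append("database never updated since --init: the baseline is the initial snapshot")
    for m in re.finditer(r"Filename: (\S+)\nNo such file or directory", text):
        caveats.append(f"missing file: {m.group(1)}; the check ran without it")
    rows = parse_rule_summary(text)
    violated = [r for r in rows if r["added"] + r["removed"] + r["modified"] > 0]
    violated.sort(key=lambda r: (-r["severity"], -(r["added"] + r["removed"] + r["modified"])))
    reported = re.search(r"Total violations found: (\d+)", text)
    counted = sum(r["added"] + r["removed"] + r["modified"] for r in violated)
    if reported and int(reported.group(1)) != counted:  # assumption: summary equals column total
        caveats.append(f"summary count {reported.group(1)} != per-rule total {counted}")
    return caveats, violated
```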
 
Old 02-13-2003, 08:09 PM   #10
N_A_J_M
Member
 
Registered: Aug 2002
Location: Whangarei New Zealand
Distribution: Slack 8.1
Posts: 300

Rep: Reputation: 30
What has happened to me in the past is when I was plugging something into my USB port my PC rebooted (I think there is a small short with the PC case which caused it to do so); sounds more like that could be the trouble.
 
Old 02-13-2003, 08:12 PM   #11
HwzrHlslndr
Original Poster
Thanks guys. My heart is beating again.

I really wasn't doing anything with the camera at the time that it happened. Previously, I had tried to add it using the GUI, i.e., Start menu > Graphics > Digital Camera Tool > Add camera. It let me find my camera from the list, but only allowed USB and I am trying to use a COM port. So I gave up and fired up LimeWire to grab some music while I thought about the camera thing. I then fired up this forum and was performing a search for Olympus c2020z--my camera. That's when it sh*t the bed.
 
Old 02-13-2003, 08:17 PM   #12
HwzrHlslndr
Original Poster
Your camera wanted a higher priority IRQ than it got. It got mad. try rerunning pnpdump.

I'm sorry. I missed this earlier. I think there was a timing issue and the post wasn't there when I posted my last message. What do you mean "try rerunning pnpdump?" I'm not even sure what that is.
 
Old 02-13-2003, 08:18 PM   #13
Bert
Have a look on the tripwire site - just to set your mind at ease. And it's a good tool to be familiar with anyways.
Oh and stop using your camera for the time being, until you can tell the BIOS to reset the PnP settings or you've pinned the source of the conflict.

If someone hacks your machine, it won't go straight into dirty reboot. Unless someone's leaning against the power switch

Bert

Ed: The pnpdump command will rewrite the file /etc/isapnp.conf - have a look at the resulting file. I don't have PnP configured directly on my machine so I'm not certain but it's what you need to work out what resources are taken/needed by each device on the bus.

Last edited by Bert; 02-13-2003 at 08:20 PM.
 
Old 02-13-2003, 08:32 PM   #14
HwzrHlslndr
Original Poster
OK guys, it just did it again, and when it tried to reboot, it wouldn't... it just kept rebooting over and over again. During this time I unplugged the camera and it still rebooted over and over. I chose a different kernel (from 2.4.19 to 2.4.18) and it still did it over and over again. I finally hit ENTER when the boot message said something about ... shit, I don't know what it said, but I hit enter to do something SAFE, if I recall. I'll kick it around for a while and see if it happens again. Maybe it was the camera, but it was OFF!
 
Old 02-13-2003, 08:35 PM   #15
Bert
It's in the BIOS, not the kernel. What are the PnP options given in your BIOS?
 
All times are GMT -5. The time now is 01:34 AM.