10-16-2002, 12:12 PM
#1
LQ Newbie
Registered: Oct 2002
Location: 808 Ridge Drive apt #110 Dekalb IL-60115
Distribution: RedHat 7.2
Posts: 11
hostname changed. was i hacked????????
I am confused. Last night I turned my RedHat 7.2 system on as root and forgot to shut down, and this morning when I rebooted, the system had to do a root file system check because it was not properly shut down (I turned the power off with the button). I have a different hostname (the new hostname is x1-6-00-e0-4c-03-2e-5e). Was I hacked, or is there any loss of data due to the root file system check? How do I know if my system was abused? BTW, I was tweaking the PostgreSQL server (port 5432) yesterday. Could that be the reason? I run the Apache webserver and Tomcat server as root. And how do I change my hostname back to what I want? All other services like the webserver are working fine. Please suggest what to do.
Thanks in advance.

10-16-2002, 12:20 PM
#2
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
Nah, I doubt it... you're on ADSL, I take it? Try running ifconfig and I *think* you'll see that your MAC address is used as your hostname by the ISP; maybe it was their MAC, I can't remember... happened to me once, I'm sure.

10-16-2002, 12:29 PM
#3
Moderator
Registered: May 2001
Posts: 29,415
And wrt "how do I know if my system was abused?": search this forum you will, for "integrity check", "rootkit", "hacked", "chkrootkit", "sans", "cert". Weird it would be if no results turn up, a security forum this being.

10-16-2002, 01:14 PM
#4
LQ Newbie
Registered: Oct 2002
Location: 808 Ridge Drive apt #110 Dekalb IL-60115
Distribution: RedHat 7.2
Posts: 11
Original Poster
Hello acid_kewpie, and thanks to both of you for replying.
I am using an AT&T cable modem and not ADSL, and I don't know if AT&T uses the MAC address as the hostname. Anyway, I am at work, so I will go home and run ifconfig to check my MAC address.

10-16-2002, 07:16 PM
#5
LQ Newbie
Registered: Oct 2002
Location: 808 Ridge Drive apt #110 Dekalb IL-60115
Distribution: RedHat 7.2
Posts: 11
Original Poster
acid_kewpie, I use an AT&T cable modem (DHCP service) and, as suggested by you, I executed ifconfig: my eth0 (NIC) shows HWaddr: 00-E0-4C-03-2E-5E, and the hostname that I get (by the hostname command) is x1-6-00-e0-4c-03-2e-5e. Yes, I can see that part of my hostname is my MAC address. My /etc/hosts file has a line: 127.0.0.1 localhost.localdomain localhost
and /etc/sysconfig/network has NETWORKING=yes and HOSTNAME=localhost.localdomain. So what does this whole thing mean, and why has my hostname suddenly changed? Can I change my hostname with the sethostname command, and if I do that, will it affect any of my networking services? Thanks a lot, and sorry for troubling you with questions (I'm a newbie!!!!!!!!!!!)
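The check acid_kewpie describes, as an added example that is not part of the thread: pull the NIC's HWaddr out of classic ifconfig output and test whether the surprise hostname is just that MAC in the ISP's DHCP naming form (the ifconfig text is constructed sample data; the "x1-6-" prefix is treated as an opaque ISP tag, not derived).

```shell
#!/bin/sh
# Added example, not from the thread: decide whether an unexpected hostname is
# simply the ISP's DHCP-assigned name built from the NIC's MAC address, as
# happened in this thread. Assumes classic ifconfig "HWaddr" output.

# Constructed ifconfig output in the RedHat 7.2 era format (sample data).
IFCONFIG_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:E0:4C:03:2E:5E
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

# Print the HWaddr of the named interface from ifconfig output read on stdin.
mac_from_ifconfig() {
    awk -v ifname="$1" '$1 == ifname {
        for (i = 1; i <= NF; i++) if ($i == "HWaddr") print $(i + 1)
    }'
}

# Normalize a MAC (00-E0-4C-03-2E-5E or 00:e0:4c:03:2e:5e) to lowercase with
# dashes, the form the DHCP-assigned hostname used.
normalize_mac() {
    printf '%s' "$1" | tr 'A-F:' 'a-f-'
}

# Return 0 when the hostname embeds the NIC's MAC (benign ISP naming),
# 1 otherwise (then the rename deserves a closer look, not just a hostname fix).
hostname_from_mac() {
    mac=$(normalize_mac "$2")
    case "$1" in
        *"$mac"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Compare the thread's hostname against the sample NIC; live use would be:
#   ifconfig | mac_from_ifconfig eth0   and   hostname
demo() {
    mac=$(printf '%s\n' "$IFCONFIG_SAMPLE" | mac_from_ifconfig eth0)
    if hostname_from_mac "x1-6-00-e0-4c-03-2e-5e" "$mac"; then
        echo "hostname carries NIC MAC $mac: ISP DHCP naming, not a compromise indicator"
    else
        echo "hostname does not carry NIC MAC $mac: investigate further"
    fi
}
demo
```

If the name does match, pinning HOSTNAME in /etc/sysconfig/network only holds until the DHCP client applies the server's hostname option again, so the DHCP client configuration is where the name is kept.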

10-16-2002, 08:45 PM
#6
LQ Newbie
Registered: Oct 2002
Location: 808 Ridge Drive apt #110 Dekalb IL-60115
Distribution: RedHat 7.2
Posts: 11
Original Poster
I ran chkrootkit and found everything OK except these lines. How do I interpret them?
(1) Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.6.0/i386-linux/.packlist /usr/lib/mozilla/plugins/java2/bin/.java_wrapper
(2) eth0 is not promisc
(3) Checking `wted'... 1 deletion(s) between Mon Oct 7 08:32:31 2002 and Mon Oct 7 08:36:12 2002
1 deletion(s) between Thu Oct 10 16:10:56 2002 and Fri Oct 11 21:50:46 2002
nothing deleted
(4) Checking `z2'... user root deleted or never loged from lastlog!
Thanks for your patience.

10-17-2002, 08:24 AM
#7
Moderator
Registered: May 2001
Posts: 29,415
1. Dotfile; from the looks of the name, a false positive. Seen a lot on boxes with, for instance, Perl installed as well.
2. Your NIC is not listening to traffic not destined for itself. Good.
3. Wted. Tool to edit wtmp entries. Verify by running "last -aix" to see all logins from the start of wtmp, and "ac --complain" to get an overview of missing login records. Although missing login records themselves don't necessarily mean your box is cracked, you should investigate manually.
4. If running "lastlog" manually shows root never logged in, then you've got a problem. If you didn't install an integrity checker like Aide, Samhain or Tripwire (everyone should have one of those), you can still check (only currently installed files, though) by running "rpm -Va", if the rpm database is not "edited" as well. But if you didn't install an integrity checker you'll never know.
Hmm. If you have more questions on security I would suggest opening a separate thread in the security forum and keeping your network probs here unless they're solved already.

07-23-2004, 12:34 PM
#8
Member
Registered: Jul 2003
Distribution: Fedora Core 2, RH 9
Posts: 33
Quote:
Originally posted by Sridhar Guntur
(4) Checking `z2'... user root deleted or never loged from lastlog!
After doing a fresh kernel compile, I had never actually logged in as root; I had only used 'su' to do root tasks, so lastlog was showing **Never logged in** for root. After actually logging in as user root from a console, lastlog now shows the time of this login and chkrootkit does not display this message anymore.
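The two checks from replies #7 and #8, as an added example that is not part of the thread: small filters that read lastlog and "rpm -Va" output on stdin and flag the conditions discussed (root with no direct login record, and packaged files whose digest changed). The lastlog and rpm output below is constructed sample data, not captured from the poster's box.

```shell
#!/bin/sh
# Added example, not from the thread: triage helpers for the checks named in
# replies #7 and #8. They read lastlog and "rpm -Va" output on stdin, so the
# sample data below stands in for the real commands (constructed, not captured
# from the poster's box).

# Constructed lastlog output: root reached only via su, one console user.
LASTLOG_SAMPLE='Username         Port     From             Latest
root                                       **Never logged in**
sridhar          tty1                      Wed Oct 16 19:10:12 -0500 2002'

# Constructed "rpm -Va" output: a locally edited config file, one binary with
# a changed MD5 digest, one with only an mtime change, and one missing file.
RPM_VA_SAMPLE='S.5....T   c /etc/sysconfig/network
S.5....T     /bin/ls
.......T     /usr/bin/perl
missing      /usr/sbin/ntsysv'

# Return 0 when lastlog says root never logged in (chkrootkit's z2 message),
# which is expected if root is only ever reached via su; return 1 otherwise.
root_never_logged_in() {
    awk '$1 == "root" && /Never logged in/ { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Print rpm -Va entries whose MD5 digest changed ("5" in the flag column),
# skipping config files ("c" attribute); a modified system binary is the
# classic rootkit footprint, whereas edited configs are usually your own work.
rpm_verify_suspects() {
    awk 'NF >= 2 && $1 ~ /5/ { if (NF == 3 && $2 == "c") next; print $NF }'
}

# Live use: lastlog | root_never_logged_in ; rpm -Va 2>/dev/null | rpm_verify_suspects
demo() {
    if printf '%s\n' "$LASTLOG_SAMPLE" | root_never_logged_in; then
        echo "lastlog: root never logged in directly (fine if you only su)"
    else
        echo "lastlog: root has a direct login record; confirm it was you"
    fi
    echo "rpm -Va: files with changed digest (confirm against a trusted copy):"
    printf '%s\n' "$RPM_VA_SAMPLE" | rpm_verify_suspects
}
demo
```

As reply #7 notes, rpm -Va is only as trustworthy as the rpm database it reads; it covers installed package files, not anything added outside the package system.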