LinuxQuestions.org
Old 09-07-2006, 10:51 AM   #1
vharishankar
Senior Member
 
Registered: Dec 2003
Distribution: Debian
Posts: 3,178
Blog Entries: 4

Rep: Reputation: 138
Could my machine have got cracked?


Owing to a slight mistake on my part, I had disabled the firewall in my local machine, exposing the running Apache webserver and mysql server to the internet. I have a static IP address on my machine.

I didn't really notice that the firewall was disabled until I saw that an unusual amount of network traffic was going on even when I wasn't browsing. It was both incoming and outgoing traffic and browsing had become very slow.

Since then I've restarted the firewall (iptables) and the network activity is back to normal. But since my server running was exposed to the internet on a static IP, would there be a chance I might have been hacked or somebody might have gained a backdoor to my system?

I don't normally browse as root and I am logged in as a normal user.

I am running Debian.

Last edited by vharishankar; 09-07-2006 at 10:54 AM.
 
Old 09-07-2006, 11:40 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
since my server running was exposed to the internet on a static IP, would there be a chance I might have been hacked or somebody might have gained a backdoor to my system?
Standard drill, check your system, check out:
- Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html

Basically:
- how long was the box exposed? (gives period to check),
- what publicly accessible daemons were running during that period?,
- what do your syslog and daemon logs say?,
- any auth data (passwd, group, shadow) changed/added?,
- any login attempts recorded?,
- what does your distro's package manager say (debsums)?
- what does your file integrity checker (if installed) say?
- what do Chkrootkit and/or Rootkit Hunter say?

In the event of uncertainty, do you have backups to verify integrity with?
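Added example (not from any poster in the thread) for the "any auth data (passwd, group, shadow) changed/added?" and "backups to verify integrity with" items above: a POSIX sh script that diffs a baseline copy of /etc/passwd (from a backup or known-good install) against the current one and flags extra UID-0 accounts and system accounts that have acquired a login shell. Both passwd files are constructed samples; the account names and paths in them are assumptions, not the poster's real data.

```shell
#!/bin/sh
# Added example, not from the thread. Compare a baseline /etc/passwd with the current one
# and surface the changes the CERT checklist cares about. All sample data is constructed.

# Normalise a passwd file to "name:uid:gid:home:shell" (gecos dropped), sorted for comm(1).
passwd_sig() {
    awk -F: 'NF >= 7 { print $1 ":" $3 ":" $4 ":" $6 ":" $7 }' "$1" | sort
}

# Report entries that differ between baseline ($1) and current ($2).
# A modified account shows up twice: once as REMOVED (old form), once as ADDED (new form).
passwd_diff() {
    passwd_sig "$1" > "$WORK/base.sig"
    passwd_sig "$2" > "$WORK/cur.sig"
    comm -13 "$WORK/base.sig" "$WORK/cur.sig" | sed 's/^/ADDED   /'
    comm -23 "$WORK/base.sig" "$WORK/cur.sig" | sed 's/^/REMOVED /'
}

# Any UID-0 account other than root: a textbook sign of tampering with the auth database.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts that can actually log in (shell is neither nologin nor false).
# System accounts such as nobody, www-data and mysql should not appear here.
login_capable() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# --- constructed sample data (hypothetical host, not the poster's files) --------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BASELINE="$WORK/passwd.baseline"
CURRENT="$WORK/passwd.current"

cat > "$BASELINE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:102:103:MySQL Server,,,:/var/lib/mysql:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
hari:x:1000:1000:Hari,,,:/home/hari:/bin/bash
EOF

# Same file with two changes the check should catch: www-data now has a login shell,
# and an extra UID-0 account ("svcadm", a made-up name) has appeared.
cat > "$CURRENT" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
mysql:x:102:103:MySQL Server,,,:/var/lib/mysql:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
hari:x:1000:1000:Hari,,,:/home/hari:/bin/bash
svcadm:x:0:0::/tmp:/bin/sh
EOF

echo "== passwd differences (baseline vs current) =="
passwd_diff "$BASELINE" "$CURRENT"
echo "== UID-0 accounts other than root =="
extra_uid0 "$CURRENT"
echo "== accounts with a login shell =="
login_capable "$CURRENT"
```

The same three functions work unchanged on /etc/group (fields shift, so adjust the awk columns) and, as root, on /etc/shadow.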
 
Old 09-07-2006, 10:08 PM   #3
vharishankar
Senior Member
 
Registered: Dec 2003
Distribution: Debian
Posts: 3,178

Original Poster
Blog Entries: 4

Rep: Reputation: 138
Thanks unspawn.

It was probably like that for about an hour or just more than that. Publicly accessible daemons were Apache, MySQL, CUPS, syslogd. Is there any way to get a full list of processes? How do I capture the result of "top"?
 
Old 09-07-2006, 11:18 PM   #4
randyding
Member
 
Registered: May 2004
Posts: 552

Rep: Reputation: 31
This is a script that formats the output of netstat in an easy-to-read form: it displays all process names that have tcp/udp listening sockets open. Try it and you might be able to tweak it for your own preferences.
Code:
#!/bin/bash
# Lists every process that has a TCP/UDP socket open, one line per socket, sorted by PID.
# Run as root: netstat only reports the PID/Program name of other users' sockets to root.
# Any extra arguments ($1 $2) are passed straight through to netstat (e.g. -l for listeners only).

printf "%-6s %-30s %-30s %-16s %-8s %-6s %s\n" "Proto" "Local Address" "Foreign Address" "State" "User" "PID" "Program name"

# -p PID/program, -a all sockets, -t tcp, -u udp, -e extended (adds User and Inode columns);
# sed drops netstat's two header lines.
netstat -patue $1 $2 | sed '1,2d' | while read a b c d e f g h i; do
    if [ -z "$i" ]; then
        # UDP lines have no State column, so every later field shifts one place left:
        # a   b c d              e          f    g    h          i=""
        # udp 0 0 entropy:domain *:*        root 6492 2770/named
        pid="$(echo "$h" | cut -d '/' -f 1)"
        name="$(echo "$h" | cut -d '/' -f 2)"
        printf "%-6s %-30s %-30s %-16s %-8s %-6s %s\n" "$a" "$d" "$e" "-" "$f" "$pid" "$name"
    else
        # a   b c d              e   f      g    h    i
        # tcp 0 0 entropy:domain *:* LISTEN root 6493 2770/named
        pid="$(echo "$i" | cut -d '/' -f 1)"
        name="$(echo "$i" | cut -d '/' -f 2)"
        printf "%-6s %-30s %-30s %-16s %-8s %-6s %s\n" "$a" "$d" "$e" "$f" "$g" "$pid" "$name"
    fi
done | sort -g -k 6   # numeric sort on the PID column
Edit: forgot to say, run it as root or all the information will not be displayed

Last edited by randyding; 09-07-2006 at 11:22 PM.
 
Old 09-08-2006, 03:32 AM   #5
vharishankar
Senior Member
 
Registered: Dec 2003
Distribution: Debian
Posts: 3,178

Original Poster
Blog Entries: 4

Rep: Reputation: 138
Thanks randyding.
 
Old 09-08-2006, 03:43 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Publicly accessible daemons were Apache, MySQL, CUPS, syslogd.
All versions current? Anything running on top of Apache? Any PHP-based blogs, wikis or the like?


Quote:
Is there any way to get a full list of processes?
As root: "ps axfwwwe" should give the full list if there's no foul play.


Quote:
How do I capture the result of "top"?
As root: "top -bn1".


And how come you haven't answered the other questions?
 
Old 09-08-2006, 04:26 AM   #7
vharishankar
Senior Member
 
Registered: Dec 2003
Distribution: Debian
Posts: 3,178

Original Poster
Blog Entries: 4

Rep: Reputation: 138
Problem is I'm a newbie when it comes to hardcore security issues.

I've never run my own public server and the home server I'm using is just for local development. I've just used the firewall (guarddog) to block out every outgoing connection. That's all.

So far things look fine to me. I did a chkrootkit once and didn't turn up anything suspicious.

I checked the Apache (version 2.0.55) logs, but didn't find suspicious IPs recorded there. Just 127.0.0.1

Here's the output of top:
Code:
top - 14:58:04 up  6:33,  1 user,  load average: 0.22, 0.35, 0.31
Tasks:  88 total,   1 running,  87 sleeping,   0 stopped,   0 zombie
Cpu(s): 10.0%us,  1.3%sy,  0.0%ni, 86.9%id,  0.9%wa,  0.1%hi,  0.8%si,  0.0%st
Mem:    516692k total,   506508k used,    10184k free,    73508k buffers
Swap:  1036140k total,      160k used,  1035980k free,   202108k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
    1 root      16   0  1932  660  560 S  0.0  0.1   0:00.96 init
    2 root      34  19     0    0    0 S  0.0  0.0   0:00.01 ksoftirqd/0
    3 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 watchdog/0
    4 root      10  -5     0    0    0 S  0.0  0.0   0:00.29 events/0
    5 root      10  -5     0    0    0 S  0.0  0.0   0:00.01 khelper
    6 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 kthread
    8 root      10  -5     0    0    0 S  0.0  0.0   0:00.23 kblockd/0
    9 root      20  -5     0    0    0 S  0.0  0.0   0:00.00 kacpid
  158 root      15   0     0    0    0 S  0.0  0.0   0:00.37 pdflush
  159 root      15   0     0    0    0 S  0.0  0.0   0:00.44 pdflush
  161 root      11  -5     0    0    0 S  0.0  0.0   0:00.00 aio/0
  160 root      15   0     0    0    0 S  0.0  0.0   0:00.54 kswapd0
  748 root      10  -5     0    0    0 S  0.0  0.0   0:00.01 kseriod
 1537 root      15   0     0    0    0 S  0.0  0.0   0:00.00 khpsbpkt
 1538 root      15   0     0    0    0 S  0.0  0.0   0:00.00 knodemgrd_0
 1625 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 khubd
 1643 root      11  -5     0    0    0 S  0.0  0.0   0:00.00 ata/0
 2046 root      10  -5     0    0    0 S  0.0  0.0   0:00.04 reiserfs/0
 2207 root      18  -4  2588 1036  356 S  0.0  0.2   0:00.57 udevd
 3487 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 kgameportd
 3513 root      11  -5     0    0    0 S  0.0  0.0   0:00.00 kpsmoused
 3723 root      20   0     0    0    0 S  0.0  0.0   0:00.00 shpchpd_event
 4860 daemon    16   0  1684  368  272 S  0.0  0.1   0:00.00 portmap
 5352 root      16   0  2680  920  784 S  0.0  0.2   0:00.05 syslogd
 5358 root      16   0  1704  372  300 S  0.0  0.1   0:00.00 klogd
 5394 root      18   0  2856  644  508 S  0.0  0.1   0:00.00 ptal-mlcd
 5397 root      18   0  3624  476  292 S  0.0  0.1   0:00.00 ptal-printd
 5430 root      16   0  5596 2248 1696 S  0.0  0.4   0:00.01 cupsd
 5437 messageb  16   0  2164  772  652 S  0.0  0.1   0:00.00 dbus-daemon-1
 5444 root      16   0  2660  684  524 S  0.0  0.1   0:00.11 dirmngr
 5490 Debian-e  15   0  5392  980  684 S  0.0  0.2   0:00.00 exim4
 5503 root      18   0  2548  820  720 S  0.0  0.2   0:00.00 inetd
 5510 gnunet    18   0 61796  10m 1712 S  0.0  2.1   0:35.85 gnunetd
 5526 root      15   0  2668 1332 1084 S  0.0  0.3   0:00.00 mysqld_safe
 5565 mysql     16   0  115m  16m 4172 S  0.0  3.4   0:01.36 mysqld
 5566 root      15   0  1564  500  428 S  0.0  0.1   0:00.00 logger
 5670 root      18   0 12768 3000 1592 S  0.0  0.6   0:00.03 Xprt
 5721 statd     18   0  2656 1016  900 S  0.0  0.2   0:00.00 rpc.statd
 5735 daemon    16   0  1948  404  292 S  0.0  0.1   0:00.00 atd
 5756 root      16   0  2304  868  692 S  0.0  0.2   0:00.00 cron
 5796 root      16   0  9936 5156 1392 S  0.0  1.0   0:00.05 miniserv.pl
 5807 root      16   0 22548 7840 5004 S  0.0  1.5   0:00.08 apache2
 5833 root      17   0  2648 1160  904 S  0.0  0.2   0:00.00 login
 5851 www-data  16   0 26512  10m 4004 S  0.0  2.1   0:00.17 apache2
 5852 www-data  16   0 22684 4280 1388 S  0.0  0.8   0:00.00 apache2
 5853 www-data  16   0 26512  10m 3996 S  0.0  2.1   0:00.15 apache2
 5854 www-data  16   0 22684 4280 1388 S  0.0  0.8   0:00.00 apache2
 5855 www-data  18   0 22548 3800  956 S  0.0  0.7   0:00.00 apache2
 5856 hari      15   0  3632 1896 1260 S  0.0  0.4   0:00.00 bash
 6059 hari      20   0  3284 1480 1036 S  0.0  0.3   0:00.00 startx
 6075 hari      16   0  2408  672  552 S  0.0  0.1   0:00.00 xinit
 6076 root      15   0 73240  47m 7372 S  0.0  9.5  11:42.87 Xorg
 6092 hari      16   0  3300 1500 1040 S  0.0  0.3   0:00.01 startkde
 6124 hari      16   0 24132 7284 5800 S  0.0  1.4   0:00.16 kdeinit
 6127 hari      16   0 23928 2856 1656 S  0.0  0.6   0:00.23 dcopserver
 6129 hari      16   0 25644 8508 7176 S  0.0  1.6   0:00.09 klauncher
 6131 hari      15   0 30368  13m  10m S  0.0  2.6   0:00.92 kded
 6136 hari      16   0  1556  348  280 S  0.0  0.1   0:00.03 kwrapper
 6138 hari      16   0 24936 9580 7708 S  0.0  1.9   0:00.15 ksmserver
 6139 hari      15   0 27324  12m   9m S  0.0  2.5   0:12.81 kwin
 6141 hari      15   0 31632  16m  12m S  0.0  3.2   0:14.88 kdesktop
 6143 hari      15   0 33080  16m  12m S  0.0  3.2   2:39.82 kicker
 6149 hari      15   0 21540 7868 5640 S  0.0  1.5   0:00.91 artsd
 6151 hari      15   0 24936 9224 7396 S  0.0  1.8   0:03.28 kaccess
 6154 hari      16   0 28764  14m  11m S  0.0  2.8   0:00.31 kmix
 6158 hari      16   0 29812  15m  12m S  0.0  3.0   0:00.53 kgpg
 6161 hari      16   0 26388  13m  11m S  0.0  2.7   0:23.61 kget
 6162 hari      15   0 22624 7960 6196 S  0.0  1.5   0:46.97 gkrellm
 6180 hari      15   0 31764  12m 9904 S  0.0  2.5   0:02.75 knotify
 6185 hari      16   0 29500  13m  11m S  0.0  2.7   0:00.39 korgac
 6589 root     -51   0 12320 6660 4968 S  0.0  1.3   0:00.30 artsd
 6621 root      16   0  1576  492  420 S  0.0  0.1   0:00.00 getty
 6627 root      16   0  1572  488  420 S  0.0  0.1   0:00.00 getty
 6628 root      16   0  1572  488  420 S  0.0  0.1   0:00.00 getty
 6629 root      16   0  1576  492  420 S  0.0  0.1   0:00.00 getty
 6630 root      16   0  1576  492  420 S  0.0  0.1   0:00.00 getty
 7084 hari      16   0 16728 3176 2416 S  0.0  0.6   0:00.00 kdesud
 7326 www-data  16   0 22548 3800  956 S  0.0  0.7   0:00.00 apache2
 7330 www-data  16   0 22548 3800  956 S  0.0  0.7   0:00.00 apache2
 7364 hari      17   0 24336 7008 5492 S  0.0  1.4   0:00.00 kio_file
 7382 hari      16   0 26808  12m  10m S  0.0  2.6   0:00.22 kio_uiserver
11174 hari      15   0  156m  75m  22m S  0.0 14.9  10:33.16 firefox-bin
11179 hari      16   0  4120 2400 1868 S  0.0  0.5   0:00.05 gconfd-2
12627 hari      15   0 30480  14m  11m S  0.0  2.9   0:01.32 konsole
12628 hari      15   0  3620 1924 1296 S  0.0  0.4   0:00.00 bash
12632 root      16   0  2828 1072  860 S  0.0  0.2   0:00.00 su
12634 root      16   0  3104 1624 1264 S  0.0  0.3   0:00.00 bash
12662 root      15   0  2228 1024  764 R  0.0  0.2   0:00.00 top

Last edited by vharishankar; 09-08-2006 at 04:29 AM.
 
Old 09-08-2006, 06:09 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Problem is I'm a newbie when it comes to hardcore security issues.
With all due respect, but the problem is you're hiding behind the newbie facade and saying it's "hardcore" only makes it harder for yourself and distracts from what you should do. You've been provided with enough means to return information even *if* you were clueless: this means you either didn't read the reply in full (then read again) or understand what it's about (then ask), or you are too stubborn or think you know it better (then you're SOL), don't have a sense of priority (again SOL) or don't have the will or urge to make sure your box is OK (SOL too).


Quote:
So far things look fine to me.
The difference between things "looking fine" and making certain things are fine is the difference between what I asked you to do (lotsa stuff) and what info you returned (not enough). Without answering all questions in full and returning the requested information I just won't be able to help you.
 
Old 09-08-2006, 06:56 AM   #9
vharishankar
Senior Member
 
Registered: Dec 2003
Distribution: Debian
Posts: 3,178

Original Poster
Blog Entries: 4

Rep: Reputation: 138
Cool, cool, unSpawn. Sorry for the trouble. I never meant offence. I have no clue where to look for web access logs and such stuff. I looked at /var/log and it confuses me... I'm also not feeling too well at the moment and unable to concentrate on anything and certainly I've never got my head around to understanding the behaviour of daemons.

Again, apologies... but I've been a bit overwhelmed by the amount of information requested.


- how long was the box exposed? (gives period to check),
Already answered.

- what publicly accessible daemons were running during that period?,
Apart from apache, mysqld, exim (i'm not sure of this) and things like portmap, etc. etc. (I've posted the output of top)

- what do your syslog and daemon logs say?,
/var/log/syslog is *huge* (about 211MB) I have no idea what to look for. And it crashes the text editor when I try and open it.

- any auth data (passwd, group, shadow) changed/added?
I have only one user account and password hasn't been changed. Root password is also not changed. (There's a user called "nobody". That's standard isn't it?)

- any login attempts recorded?,
Again, where do I look for this? Also I don't have sshd enabled.

- what does your distro's package manager say (debsums)?
There's no program called debsums

- what does your file integrity checker (if installed) say?
???

- what do Chkrootkit and/or Rootkit Hunter say?
No suspicious activity found.


I can post daemon.log here, but it's a bit too big.

Last edited by vharishankar; 09-08-2006 at 07:11 AM.
 
Old 09-08-2006, 07:47 AM   #10
vharishankar
Senior Member
 
Registered: Dec 2003
Distribution: Debian
Posts: 3,178

Original Poster
Blog Entries: 4

Rep: Reputation: 138
removed. sorry, was feeling a bit irritable and under the weather when posting this.

Last edited by vharishankar; 09-08-2006 at 08:23 AM.
 
Old 09-08-2006, 07:55 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Sorry for the trouble. I never meant offence.
No need to apologise: you haven't offended me in any way. As fellow Linux user, as fellow LQ member and as LQ Linux Security forum moderator I am bound to take care of security incidents. My first concern is to have those handled decisively, efficiently and without ambiguity. Sometimes that means prodding on unwilling cattle :-]


Quote:
I have no clue where to look for web access logs and such stuff.
Check /etc/syslog.conf for logfiles in use and the configuration files of running daemons for where they log to. (A quick and dirty way could be to start checking files from running as root "lsof -n +D /var/log" if /var/log is your main logfile directory but you will miss logs that aren't kept open, so it isn't really advisable.)


Quote:
- what publicly accessible daemons were running during that period?,
Apart from apache, mysqld, exim (i'm not sure of this) and things like portmap, etc. etc.

The worst thing would be to take this and your "top" output and say it looks good w/o supplying the means to confirm that. (The only way is to examine the kernel and authentication databases for tampering, network connection, IDS and firewall logging information for "weird" connections, process output for unwanted ones, file systems for changes and anomalies like binaries and setuid-root files in accessible temp dirs.)
After checking your logfiles (re)read the CERT Intruder Detection Checklist because it lists commands with which you can make the situation a bit more clear.


Quote:
- what do your syslog and daemon logs say?,
/var/log/syslog is *huge* I have no idea what to look for.

There's no easy egrep regex to give for that. Start with something like egrep -i "[[:blank:]](err|fail|warn)" logfile and pipe through an egrep -v with terms you don't want to see like device and module errors. Iterate and adjust.


Quote:
- any login attempts recorded?,
Again, where do I look for this? I don't have ssh enabled.

Like the CERT link says: the "last" command to see users that logged in (nice if you don't log in at four o'clock in the morning), "lastb" for failed logins (if enabled), "lastlog -t 5" for an overview of per-account logins over the last five days (-t 5), Chkrootkit's chkutmp and chkwtmp for consistency check, /var/(log|adm)/secure if in use.


Quote:
- what does your distro's package manager say (debsums)?
There's no program called debsums

If it ain't there there's not much you can do about that.


Quote:
- what does your file integrity checker (if installed) say?
???

I said "if installed".


Quote:
- any auth data (passwd, group, shadow) changed/added?
I have only one user account and password hasn't been changed. Root password is also not changed.

OK. Good.


Quote:
- what do Chkrootkit and/or Rootkit Hunter say?
No suspicious activity found.

OK. Good.
 
Old 09-08-2006, 08:01 AM   #12
vharishankar
Senior Member
 
Registered: Dec 2003
Distribution: Debian
Posts: 3,178

Original Poster
Blog Entries: 4

Rep: Reputation: 138
Thanks unSpawn. I got a bit upset by your response. I'm really trying hard to concentrate, but with a cold in my head, it's pretty hard and I'm in a weakened condition now... irritable and all.

I appreciate your help. Regards.
 
Old 09-08-2006, 08:02 AM   #13
vharishankar
Senior Member
 
Registered: Dec 2003
Distribution: Debian
Posts: 3,178

Original Poster
Blog Entries: 4

Rep: Reputation: 138
lastb gives me this output
Code:
hari                                   Fri Aug 18 13:29 - 13:29  (00:00)
hari                                   Fri Aug 18 13:29 - 13:29  (00:00)
UNKNOWN                                Wed Aug  9 16:19 - 16:19  (00:00)
UNKNOWN                                Wed Aug  9 08:22 - 08:22  (00:00)
UNKNOWN                                Wed Aug  9 08:22 - 08:22  (00:00)
hari                                   Tue Aug  8 08:16 - 08:16  (00:00)

btmp begins Tue Aug  8 08:16:49 2006
This is the output of last
Code:
hari     tty1                          Fri Sep  8 09:16   still logged in
reboot   system boot  2.6.16-1-k7      Fri Sep  8 09:16 - 18:37  (09:20)
hari     tty1                          Thu Sep  7 19:37 - down   (03:26)
reboot   system boot  2.6.16-1-k7      Thu Sep  7 19:36 - 23:03  (03:26)
hari     tty1                          Thu Sep  7 11:19 - down   (06:47)
reboot   system boot  2.6.16-1-k7      Thu Sep  7 11:19 - 18:07  (06:47)
hari     tty1                          Wed Sep  6 11:27 - down   (09:35)
reboot   system boot  2.6.16-1-k7      Wed Sep  6 11:27 - 21:03  (09:35)
hari     tty1                          Tue Sep  5 08:55 - down   (12:12)
reboot   system boot  2.6.16-1-k7      Tue Sep  5 08:55 - 21:08  (12:13)
hari     tty1                          Mon Sep  4 22:03 - down   (00:57)
reboot   system boot  2.6.16-1-k7      Mon Sep  4 22:03 - 23:00  (00:57)
hari     tty1                          Mon Sep  4 08:41 - down   (10:55)
reboot   system boot  2.6.16-1-k7      Mon Sep  4 08:41 - 19:37  (10:55)
hari     tty1                          Sun Sep  3 16:28 - down   (06:28)
reboot   system boot  2.6.16-1-k7      Sun Sep  3 16:28 - 22:57  (06:28)
hari     tty1                          Sun Sep  3 15:17 - down   (00:07)
reboot   system boot  2.6.16-1-k7      Sun Sep  3 15:17 - 15:25  (00:08)
hari     tty1                          Sun Sep  3 10:06 - down   (04:59)
reboot   system boot  2.6.16-1-k7      Sun Sep  3 10:06 - 15:06  (05:00)
hari     tty1                          Sat Sep  2 09:25 - down   (06:52)
reboot   system boot  2.6.16-1-k7      Sat Sep  2 09:25 - 16:18  (06:53)
hari     tty1                          Sat Sep  2 06:42 - down   (01:18)
reboot   system boot  2.6.16-1-k7      Sat Sep  2 06:42 - 08:00  (01:18)
hari     tty1                          Fri Sep  1 09:33 - down   (12:45)
reboot   system boot  2.6.16-1-k7      Fri Sep  1 09:32 - 22:19  (12:46)
hari     tty1                          Thu Aug 31 19:47 - down   (02:07)
reboot   system boot  2.6.16-1-k7      Thu Aug 31 19:47 - 21:54  (02:07)
hari     tty1                          Thu Aug 31 14:40 - down   (03:04)
reboot   system boot  2.6.16-1-k7      Thu Aug 31 14:40 - 17:45  (03:04)
hari     tty1                          Wed Aug 30 10:35 - down   (01:13)
reboot   system boot  2.6.16-1-k7      Wed Aug 30 10:35 - 11:48  (01:13)
hari     tty1                          Tue Aug 29 20:20 - down   (00:43)
reboot   system boot  2.6.16-1-k7      Tue Aug 29 20:19 - 21:03  (00:43)
hari     tty1                          Tue Aug 29 14:15 - down   (02:02)
reboot   system boot  2.6.16-1-k7      Tue Aug 29 14:15 - 16:17  (02:02)
hari     tty1                          Mon Aug 28 10:50 - down   (01:12)
reboot   system boot  2.6.16-1-k7      Mon Aug 28 10:50 - 12:02  (01:12)
hari     tty1                          Sun Aug 27 22:07 - down   (00:36)
reboot   system boot  2.6.16-1-k7      Sun Aug 27 22:06 - 22:43  (00:36)
hari     tty1                          Sun Aug 27 12:10 - down   (01:32)
reboot   system boot  2.6.16-1-k7      Sun Aug 27 12:10 - 13:42  (01:32)
hari     tty1                          Sat Aug 26 21:46 - down   (01:48)
reboot   system boot  2.6.16-1-k7      Sat Aug 26 21:45 - 23:34  (01:48)
hari     tty1                          Sat Aug 26 14:45 - down   (02:05)
reboot   system boot  2.6.16-1-k7      Sat Aug 26 14:45 - 16:51  (02:06)
hari     tty1                          Fri Aug 25 11:10 - down   (02:04)
reboot   system boot  2.6.16-1-k7      Fri Aug 25 11:10 - 13:15  (02:04)
hari     tty1                          Thu Aug 24 11:06 - down   (08:14)
reboot   system boot  2.6.16-1-k7      Thu Aug 24 11:06 - 19:21  (08:14)
hari     tty1                          Thu Aug 24 08:25 - down   (01:51)
reboot   system boot  2.6.16-1-k7      Thu Aug 24 08:25 - 10:17  (01:51)
hari     tty1                          Wed Aug 23 10:54 - down   (02:19)
reboot   system boot  2.6.16-1-k7      Wed Aug 23 10:53 - 13:13  (02:19)
hari     tty1                          Tue Aug 22 17:08 - down   (02:58)
reboot   system boot  2.6.16-1-k7      Tue Aug 22 17:08 - 20:07  (02:58)
reboot   system boot  2.6.16-1-k7      Tue Aug 22 17:07 - 17:07  (00:00)
hari     tty1                          Mon Aug 21 10:09 - down   (02:44)
reboot   system boot  2.6.16-1-k7      Mon Aug 21 10:08 - 12:53  (02:44)
hari     tty1                          Sun Aug 20 12:03 - down   (06:45)
reboot   system boot  2.6.16-1-k7      Sun Aug 20 12:03 - 18:49  (06:46)
hari     tty1                          Sun Aug 20 11:00 - crash  (01:02)
reboot   system boot  2.6.16-1-k7      Sun Aug 20 11:00 - 18:49  (07:49)
reboot   system boot  2.6.16-1-k7      Sun Aug 20 10:59 - 10:59  (00:00)
hari     tty1                          Fri Aug 18 13:29 - down   (08:07)
reboot   system boot  2.6.16-1-k7      Fri Aug 18 13:28 - 21:36  (08:08)
hari     tty1                          Fri Aug 18 13:27 - down   (00:00)
reboot   system boot  2.6.16-1-k7      Fri Aug 18 13:26 - 13:27  (00:00)
hari     tty1                          Fri Aug 18 08:20 - down   (03:28)
reboot   system boot  2.6.16-1-k7      Fri Aug 18 08:20 - 11:49  (03:28)
hari     tty1                          Wed Aug 16 14:24 - down   (04:45)
reboot   system boot  2.6.16-1-k7      Wed Aug 16 14:24 - 19:10  (04:46)
hari     tty1                          Wed Aug 16 14:22 - down   (00:00)
reboot   system boot  2.6.16-1-k7      Wed Aug 16 14:22 - 14:22  (00:00)
hari     tty1                          Tue Aug 15 10:39 - down   (06:46)
reboot   system boot  2.6.16-1-k7      Tue Aug 15 10:39 - 17:25  (06:46)
hari     tty1                          Tue Aug 15 10:37 - down   (00:00)
reboot   system boot  2.6.16-1-k7      Tue Aug 15 10:37 - 10:37  (00:00)
hari     tty1                          Mon Aug 14 14:59 - down   (10:01)
reboot   system boot  2.6.16-1-k7      Mon Aug 14 14:58 - 01:00  (10:01)
hari     tty1                          Mon Aug 14 10:54 - down   (02:47)
reboot   system boot  2.6.16-1-k7      Mon Aug 14 10:54 - 13:41  (02:47)
hari     tty1                          Fri Aug 11 10:22 - down   (00:08)
reboot   system boot  2.6.16-1-k7      Fri Aug 11 10:21 - 10:30  (00:08)
reboot   system boot  2.6.16-1-k7      Thu Aug 10 22:34 - 22:34  (00:00)
hari     tty1                          Thu Aug 10 18:04 - down   (00:43)
reboot   system boot  2.6.16-1-k7      Thu Aug 10 18:04 - 18:48  (00:43)
hari     tty1                          Thu Aug 10 11:57 - down   (02:09)
reboot   system boot  2.6.16-1-k7      Thu Aug 10 11:57 - 14:06  (02:09)
hari     tty1                          Thu Aug 10 08:29 - down   (01:22)
reboot   system boot  2.6.16-1-k7      Thu Aug 10 08:29 - 09:51  (01:22)
reboot   system boot  2.6.16-1-k7      Thu Aug 10 08:28 - 08:28  (00:00)
hari     tty1                          Wed Aug  9 16:19 - down   (04:17)
reboot   system boot  2.6.16-1-k7      Wed Aug  9 16:19 - 20:36  (04:17)
hari     tty1                          Wed Aug  9 16:15 - down   (00:02)
reboot   system boot  2.6.16-1-k7      Wed Aug  9 16:15 - 16:17  (00:02)
hari     tty1                          Wed Aug  9 13:31 - down   (01:19)
reboot   system boot  2.6.16-1-k7      Wed Aug  9 13:31 - 14:50  (01:19)
hari     tty1                          Wed Aug  9 13:28 - down   (00:01)
reboot   system boot  2.6.16-1-k7      Wed Aug  9 13:28 - 13:30  (00:01)
reboot   system boot  2.6.16-1-k7      Wed Aug  9 13:27 - 13:27  (00:00)
reboot   system boot  2.6.16-1-k7      Wed Aug  9 13:26 - 13:26  (00:00)
hari     tty1                          Wed Aug  9 11:03 - down   (02:10)
reboot   system boot  2.6.16-1-k7      Wed Aug  9 11:03 - 13:13  (02:10)
reboot   system boot  2.6.16-1-k7      Wed Aug  9 11:02 - 11:02  (00:00)
hari     tty1                          Wed Aug  9 08:23 - down   (00:50)
reboot   system boot  2.6.16-1-k7      Wed Aug  9 08:21 - 09:13  (00:51)
hari     tty1                          Tue Aug  8 20:37 - down   (01:43)
reboot   system boot  2.6.16-1-k7      Tue Aug  8 20:37 - 22:21  (01:43)
hari     tty1                          Tue Aug  8 16:32 - down   (02:10)
reboot   system boot  2.6.16-1-k7      Tue Aug  8 16:32 - 18:43  (02:10)
hari     tty1                          Tue Aug  8 13:16 - down   (02:53)
reboot   system boot  2.6.16-1-k7      Tue Aug  8 13:16 - 16:09  (02:53)
hari     tty1                          Tue Aug  8 08:16 - down   (00:59)
reboot   system boot  2.6.16-1-k7      Tue Aug  8 08:16 - 09:16  (00:59)
reboot   system boot  2.6.16-1-k7      Tue Aug  8 08:15 - 08:15  (00:00)
hari     tty1                          Mon Aug  7 19:54 - down   (00:26)
reboot   system boot  2.6.16-1-k7      Mon Aug  7 19:53 - 20:20  (00:27)
hari     tty1                          Mon Aug  7 22:44 - down   (-3:-27)
reboot   system boot  2.6.16-1-k7      Mon Aug  7 22:44 - 19:16  (-3:-27)
hari     tty1                          Mon Aug  7 19:16 - down   (02:55)
reboot   system boot  2.6.16-1-k7      Mon Aug  7 19:16 - 22:12  (02:55)
hari     tty1                          Sun Aug  6 19:37 - down   (00:51)
reboot   system boot  2.6.16-1-k7      Sun Aug  6 19:36 - 20:28  (00:51)
hari     tty1                          Sun Aug  6 15:39 - crash  (03:57)
reboot   system boot  2.6.16-1-k7      Sun Aug  6 15:39 - 20:28  (04:48)
reboot   system boot  2.6.16-1-k7      Sun Aug  6 15:37 - 15:37  (00:00)
hari     tty1                          Sat Aug  5 17:58 - down   (00:01)
reboot   system boot  2.6.16-1-k7      Sat Aug  5 17:58 - 18:00  (00:01)
hari     tty1                          Sat Aug  5 13:35 - down   (00:40)
reboot   system boot  2.6.16-1-k7      Sat Aug  5 13:35 - 14:16  (00:40)
hari     tty1                          Sat Aug  5 09:23 - 10:23  (01:00)
reboot   system boot  2.6.16-1-k7      Sat Aug  5 09:22 - 10:24  (01:01)
reboot   system boot  2.6.16-1-k7      Sat Aug  5 09:21 - 09:21  (00:00)
reboot   system boot  2.6.16-1-k7      Sat Aug  5 09:20 - 09:20  (00:00)
reboot   system boot  2.6.16-1-k7      Sat Aug  5 09:19 - 09:19  (00:00)
hari     tty1                          Fri Aug  4 20:11 - down   (00:07)
reboot   system boot  2.6.16-1-k7      Fri Aug  4 20:11 - 20:18  (00:07)
hari     tty1                          Fri Aug  4 09:42 - down   (10:03)
reboot   system boot  2.6.16-1-k7      Fri Aug  4 09:41 - 19:46  (10:04)

wtmp begins Fri Aug  4 09:41:54 2006

Last edited by vharishankar; 09-08-2006 at 08:04 AM.
 
Old 09-08-2006, 08:19 AM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Login errors from last August. Good.
Take your time gathering info, but keep it flowing and ask if anything is unclear.
 
Old 09-08-2006, 08:25 AM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Uh. Forgot to mention. Narrow down your search to say one hour before the event and one day after correcting the error.
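Added example (not from any poster in the thread) that puts posts #11 and #15 together: a POSIX sh script that cuts a traditional-syslog file down to the exposure window (one hour before the event to one day after) and then runs the egrep from post #11 with an exclusion list for known-benign noise. The log lines, host name and IP address are constructed; the script assumes the year-less "Mon DD HH:MM:SS host prog[pid]: message" layout Debian's syslogd used at the time.

```shell
#!/bin/sh
# Added example, not from the thread: window a syslog file to the exposure period, then
# triage it with egrep -i "[[:blank:]](err|fail|warn)" and an egrep -v exclusion list.
# Assumes the traditional syslog timestamp "Mon DD HH:MM:SS" (no year).

# Print only lines whose timestamp lies within [START, END], both given as "Mon D HH:MM:SS".
# Syslog omits the year, so the window is assumed not to cross a year boundary.
log_window() {
    awk -v start="$2" -v end="$3" '
        # Build a sortable key "MMDDHH:MM:SS" from month name, day and time.
        function key(mon, day, tm) {
            return sprintf("%02d%02d%s",
                           (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3,
                           day, tm)
        }
        BEGIN {
            split(start, s, " "); sk = key(s[1], s[2], s[3])
            split(end,   e, " "); ek = key(e[1], e[2], e[3])
        }
        { k = key($1, $2, $3); if (k >= sk && k <= ek) print }
    ' "$1"
}

# Window the log, keep err/fail/warn lines, then drop anything matching the exclusion
# file (one extended regex per line). Iterate on that file as post #11 describes.
log_triage() {
    log_window "$1" "$2" "$3" \
        | grep -Ei '[[:blank:]](err|fail|warn)' \
        | grep -Evf "$4"
}

# Line counter that prints 0 for empty input (wc -l pads with spaces on some platforms).
count_lines() { awk 'END { print NR }'; }

# --- constructed sample data; none of these lines come from the thread ----------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_LOG="$WORK/syslog"
EXCLUDES="$WORK/exclude.txt"

cat > "$SAMPLE_LOG" <<'EOF'
Sep  7 09:30:05 entropy kernel: usb 1-2: device descriptor read/64, error -71
Sep  7 09:58:10 entropy CRON[5901]: (root) CMD (run-parts --report /etc/cron.hourly)
Sep  7 10:05:22 entropy login[5833]: FAILED LOGIN (1) on 'tty1' FOR 'hari', Authentication failure
Sep  7 10:12:44 entropy mysqld[5566]: 060907 10:12:44 [Warning] Aborted connection 41 to db: 'unconnected' user: 'root' host: '203.0.113.5' (Got an error reading communication packets)
Sep  7 10:20:01 entropy kernel: usb 1-2: device descriptor read/64, error -71
Sep  7 10:45:03 entropy exim4[5490]: Warning: could not resolve host entropy
Sep  7 12:10:33 entropy login[6100]: FAILED LOGIN (2) on 'tty1' FOR 'root', Authentication failure
Sep  8 13:02:00 entropy kernel: eth0: link up, 100Mbps, full-duplex
EOF

# Device errors are exactly the noise post #11 says to filter out with egrep -v.
cat > "$EXCLUDES" <<'EOF'
device descriptor read
EOF

# Exposure noticed around 10:50 on Sep 7: look from 09:50 that day to 10:50 the next.
log_triage "$SAMPLE_LOG" "Sep 7 09:50:00" "Sep 8 10:50:00" "$EXCLUDES"
```

On a real 211 MB syslog the windowing pass is what makes the file manageable; run it once into a smaller file and iterate the grep stage on that.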