LinuxQuestions.org
05-17-2005, 10:44 PM   #1
Damon Spector
Member
 
Registered: Nov 2004
Distribution: Fedora Core 4
Posts: 61

Hacked or Not


As I was passing by my computer I noticed that the hard drive light was flashing and I could hear the hard drive running, but no one had been near the computer for hours. I also saw lights flashing on my access point. Would this mean someone was hacking into my system or what? If so, what do I do?
 
05-17-2005, 11:07 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Not necessarily. There are plenty of house-keeping functions that are run automagically by cron. One of the most common causes is updating the file db used by commands like 'locate'. Next time you see something like that, check out the output of 'top' and 'ps aux'.

It's probably a good idea to download and run rkhunter or chkrootkit just to be a little more sure though.
 
05-17-2005, 11:14 PM   #3
craigevil
Senior Member
 
Registered: Apr 2005
Location: OZ
Distribution: Debian Sid
Posts: 4,734
Blog Entries: 12

Try installing "samhain is a daemon that can check file integrity, search the file tree for SUID files, and detect kernel module rootkits"
http://freshmeat.net/projects/samhain/


It checks a few more things than chkrootkit does.
 
05-18-2005, 01:48 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Samhain builds its file integrity db on installation much like tripwire, so if you already have a rootkit or trojaned binary, you're actually going to include it as part of the "known-good" baseline. Plus it's really more of a HIDS. Rkhunter uses a predefined database that's got md5sums for each distro already included for you and is probably a better choice for potential post-compromise rootkit detection.
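
Added example (not part of any poster's reply): a shell sketch of the point made in post #4, that a baseline recorded after a compromise accepts the modified file as known-good, while a reference list recorded beforehand flags it. The directory, file names and contents are constructed, and SHA-256 is used here in place of the md5sums mentioned in the post.

```shell
#!/bin/sh
# Added example: constructed files in a temp dir; nothing on the real system is read.

# make_baseline DIR OUT: hash every file under DIR, as an install-time
# integrity database would.
make_baseline() {
    (cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum) > "$2"
}

# changed_files DIR DB: print paths whose current hash differs from DB
# (or that are missing); prints nothing when everything matches.
changed_files() {
    (cd "$1" && sha256sum --quiet -c "$2" 2>/dev/null) | sed -n 's/: FAILED.*$//p'
}

demo() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/sys/bin"
    printf 'original ls\n' > "$demo_root/sys/bin/ls"
    printf 'original ps\n' > "$demo_root/sys/bin/ps"

    # Reference hashes recorded while the files are still clean
    # (stand-in for a predefined, externally supplied hash list).
    make_baseline "$demo_root/sys" "$demo_root/reference.db"

    # Constructed stand-in for a trojaned binary.
    printf 'modified ps\n' > "$demo_root/sys/bin/ps"

    # Baseline built only now, i.e. the checker was installed after the change.
    make_baseline "$demo_root/sys" "$demo_root/late.db"

    late=$(changed_files "$demo_root/sys" "$demo_root/late.db")
    ref=$(changed_files "$demo_root/sys" "$demo_root/reference.db")
    rm -rf "$demo_root"
    echo "late baseline flags: ${late:-nothing}"
    echo "reference list flags: ${ref:-nothing}"
}

demo
```

The reference list is only useful if it was produced and is stored somewhere the suspect host cannot modify.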
 
  

