Since you didn't offer any info like changed md5sums or other ways you verified your system, I'm gonna default to compromise mode:
I. If you're already logged in as root, do save the output from "netstat -np", "lsof -n" and "ps axwwwe". Run "find /proc -name exe -maxdepth 2 | xargs -iP cp -afL 'P' /tmp 2>&1|tee /tmp/procs.log". Now bring down the box to runlevel 1 and save another separate copy of "ps axwwwe". *Note: if the system has been subverted, no output can be trusted.
II. If you're not logged in as root, bring the box down whichever means you got. If you've got magic sysrq, make sure to sync before you power off.
III. Now shut the box down and do not bring it up again. Do this now.
IV. If you're not the LAN admin, notify them or your IT dept, or whoever is in charge.
If you've got to bring up the box, boot a one-floppy distro, a rescue CD-R, or a CD-R distro like Knoppix, FIRE, PSK, etc.
DO NOT boot the kernel from disk, but from the CD-R/floppy.
DO NOT mount partitions in read-write mode.
After all this, check your system logs and passwd/group data, and verify the md5sums of installed packages against those from the CD-ROM or other static means. Post any results out of the ordinary. Now please handle the questions below. Be as verbose as you can, and offer any info you think is necessary that we haven't thought of.
I just recently built a Mandrake box here at work and we are behind a firewall.
- What kind of LAN, what kind of traffic granted?
- What Mandrake version, any upgrades applied, what services are running?
Today I was trying to troubleshoot a problem
Problems usually are what people notice. Please post it (in general) as it could be relevant.
when I noticed an odd job in crontab,
Who is it owned by, what are the contents?
then I noticed a directory called /var/bobsdata
Who is it owned by, what are the contents?
Have I been hacked somehow?
I don't know. Precautions must take precedence over any priorities.
Anyone have any information on how I could've been hacked
We'll hopefully get to that later on.
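The evidence-collection part of step I above, as an added example script (not the poster's own commands): it saves the three command outputs the post names, then copies every /proc/<pid>/exe into a file named by PID so the copies keep distinct names, and writes an md5sum manifest for later comparison. It assumes a writable output directory passed as the first argument and that any of the tools may be absent.

```shell
#!/bin/sh
# Added example (not the original poster's script): take the volatile snapshot
# the post asks for before the box is shut down.
# Assumptions: $1 is a writable, preferably removable, output directory; any
# missing tool is noted in errors.log rather than aborting the run.
# As the post warns, on a subverted kernel none of this output can be trusted.

snapshot_volatile() {
    out="$1"
    mkdir -p "$out"
    # The three command outputs the post says to save ($tool is unquoted on
    # purpose so that the command and its arguments are split)
    for tool in "netstat -np" "lsof -n" "ps axwwwe"; do
        name=$(printf '%s' "$tool" | tr ' ' '_')
        if command -v "${tool%% *}" >/dev/null 2>&1; then
            $tool > "$out/$name.txt" 2>>"$out/errors.log" || true
        else
            echo "missing tool: ${tool%% *}" >> "$out/errors.log"
        fi
    done
}

# Copy the binary behind every running process (/proc/<pid>/exe) so that a
# deleted or replaced on-disk file can still be examined later. Each copy is
# named by PID, so copies do not overwrite each other, and an md5sum manifest
# is written for comparison against known-good package checksums.
# Prints the number of executables copied.
copy_proc_exes() {
    out="$1"
    mkdir -p "$out/procs"
    : > "$out/procs.log"
    count=0
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        # -L follows the exe symlink; kernel threads and other users'
        # processes cannot be read and end up in procs.log as cp errors
        if cp -L "$d/exe" "$out/procs/$pid.exe" 2>>"$out/procs.log"; then
            echo "$pid $(readlink "$d/exe" 2>/dev/null)" >> "$out/procs.log"
            count=$((count + 1))
        fi
    done
    (cd "$out/procs" && md5sum ./*.exe) > "$out/procs.md5" 2>/dev/null || true
    echo "$count"
}
```

Write the output directory to removable media or a remote share, never to the suspect disk, and keep a copy of procs.md5 off the box for the comparison step later.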