Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 | 10-20-2003, 02:57 PM | LQ Newbie | Registered: Oct 2003 | Posts: 2
I think I've been attacked!
I sat down in front of my box today, and some strange things had happened. X had been shut down, and some weird text was typed on the (root!) console prompt. "y0 4r3 h4c3d" or something. I actually had to backspace out this text before typing a command.
I tried to start X, but the X executable was removed. I reinstalled X, and now everything seems in order. I've changed all my passwords and read all logfiles - couldn't find anything unusual.
I just can't understand how this could happen. nmap shows that the only open ports on my box are sshd and smtp. This is a fully updated system (Debian unstable) - installed last week. I haven't got a firewall though.
The question is: Is a hacker able to remotely type something on my console screen (this h4xx0r message), or is it more likely that someone has accessed the box physically?
#2 | 10-20-2003, 03:20 PM | Member | Registered: Nov 2002 | Location: England | Distribution: Ubuntu 9.04 | Posts: 631
Your question is impossible to answer fully without knowing how likely it is that a hacker got physical access to your box. It is certainly possible that the hacker typed something remotely on your console screen.
Firstly, I suggest you reinstall your box from scratch. If someone has put in a backdoor, just changing your passwords is not enough to stop them getting in again. In addition to this, some trojan may already have been planted and a competent hacker who got root access will have covered his or her tracks by tidying up the log files.
After reinstalling, check security. Install a firewall. Check the versions of sshd and snmpd you are running to make sure there are no known security issues. Run nmap/nessus against your PC to spot anything you've missed.
If someone might have got physical access to your PC, you'll need to take steps to deal with that - securing the location of your PC to prevent further unauthorised physical access.
On the bright side, I would guess the fact that the hacker announced his/her achievement to you at least suggests that nothing too dodgy has been done to your system (i.e. nothing which requires you not to realise you've been hacked to be effective). No point taking risks though.
#3 | 10-20-2003, 03:36 PM | Moderator | Registered: May 2001 | Posts: 29,417
> The question is: Is a hacker
First of all it's not "hacker", it's "cracker".
> able to remotely type something on my console screen (this h4xx0r message), or
Defacers are crackers who don't give sh1t about keeping access and do all those mad shouts. Crackers usually will want to keep their activities covert to retain access.
The chance a defacer will hit you and put something on your console I would say is rather small because defacers need public "recognition" to boost their (group's) ego.
> is it more likely that someone has accessed the box physically?
Yes, I think that is very likely. How many people do have physical access to your system?
BTW...
> some weird text was typed on the (root!) console prompt.
Do you mean at the login prompt, or in an opened root shell?
> I tried to start X, but the X executable was removed.
How did you know? I mean, you just couldn't start X, or it barfed out errors, or did you check your package manager to see the package was removed?
> I reinstalled X, and now everything seems in order.
One of the worst things to do when trying to assess whether a system has been compromised is to disturb it. Doing so will destroy most possible "evidence" of a breakin.
> I've changed all my passwords and read all logfiles - couldn't find something unusual.
Did the contents of the passwd/shadow files change then?
Did you check the login records (wtmp, lastlog, btmp)? Md5sums?
> This is a fully updated system (Debian unstable) - installed last week. I haven't got a firewall though.
Then you got your priorities mixed up. Please invest time in securing and hardening your system before tweaking the pwetty pwetty desktop.
Last edited by unSpawn; 10-20-2003 at 03:38 PM.
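The checks unSpawn asks about above (login records, package md5sums) and the root-history check chort raises later in the thread, as an added example script that is not from the thread or any LQ member. It assumes Debian's default log paths and a debsums package; the X paths and the history file name are assumptions, and the sample history used in testing is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: post-incident checks for a Debian box.
# Run as root on the suspect system (better: on a read-only copy of its disk).
# Usage:  sh triage.sh --run            full report
#         sh triage.sh --history FILE   scan one shell history file only

# 1. Login records: wtmp = successful logins, btmp = failed logins,
#    lastlog = most recent login per account. These binary files are
#    often left alone by someone who only cleaned the text logs.
show_logins() {
    echo "== successful logins (wtmp) ==";  last  -f /var/log/wtmp 2>/dev/null
    echo "== failed logins (btmp) ==";      lastb -f /var/log/btmp 2>/dev/null
    echo "== last login per account ==";    lastlog 2>/dev/null
}

# 2. Compare every installed package's files with the md5sums shipped in
#    its .deb (debsums is a separate package; -c prints only changed or
#    missing files). A removed /etc/X11/X or a replaced sshd shows up here.
verify_packages() {
    if ! command -v debsums >/dev/null 2>&1; then
        echo "debsums not installed (apt-get install debsums)" >&2
        return 1
    fi
    debsums -c
}

# 3. Scan a shell history file for commands that remove, move or replace
#    the X binaries. Prints "line:command" per hit; returns non-zero if the
#    file is unreadable or nothing matched. The default path list is an
#    assumption for a 2003-era Debian install.
scan_history() {
    hist="$1"
    watch="${2:-/etc/X11/X|/usr/X11R6/bin/X|x-window-system}"
    [ -r "$hist" ] || return 1
    grep -nE "^(rm|mv|cp|ln|chmod|chattr|dpkg|apt-get)[[:space:]].*($watch)" "$hist"
}

case "${1:-}" in
    --run)
        show_logins
        verify_packages
        echo "== root shell history touching X =="
        scan_history /root/.bash_history || echo "(nothing found or history unreadable)"
        ;;
    --history) scan_history "$2" ;;
esac
```

Remember that a history file only records what was typed into an interactive shell that saved it; an empty or truncated history is itself worth noting.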
#4 | 10-20-2003, 04:35 PM | LQ Newbie (Original Poster) | Registered: Oct 2003 | Posts: 2
Thank you for your answers.
About ten people have physical access to my system. Some of them could have done this as a stupid joke. The "weird" text was typed in an open root shell.
The startx command gave the output /etc/X11/X no such file. I removed the x-window-system package and reinstalled it.
I know I should have a firewall. I'm so stupid. Haven't fully figured out iptables yet.
#5 | 10-20-2003, 06:02 PM | Moderator | Registered: May 2001 | Posts: 29,417
> Haven't fully figured out iptables yet
Then by all means post your questions and how far you've gotten in a new thread. We're here to help...
#6 | 10-20-2003, 06:08 PM | Senior Member | Registered: Feb 2002 | Location: harvard, il | Distribution: Ubuntu 11.4, DD-WRT micro plus ssh, lfs-6.6, Fedora 15, Fedora 16 | Posts: 3,233
Hmm, try firestarter. I've never really used it myself, but I hear it's a good GUI tool for setting up a firewall...
#7 | 10-21-2003, 12:17 AM | Senior Member | Registered: Jul 2003 | Location: Silicon Valley, USA | Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5 | Posts: 3,660
Sounds like it's incredibly likely that you were "hax0red" by someone with physical access. They probably just removed the X binary and typed some goofy text at your prompt. A quick check of the root console's history probably would have shown rm X somewhere in there.
By the way, remember when installing a system to keep it OFF the network until after you have it locked down. One of my friends found this out the hard way when he connected a Red Hat box to the Internet immediately after installing it and it was rooted within 5 minutes (automated cracking tool got lucky).
Make sure you put up a default deny firewall when you first put the box on the network. That should allow you to grab software updates and patch up the security without allowing anyone to attempt to exploit services. Only start SSH and SMTP after the box is fully patched. Remember that you must be running OpenSSH 3.7.1p2 on Linux to be free of currently known exploits.
Oh, and one more thing: if the default MTA for Debian is still Sendmail, rip that sucker out and install something else. Postfix will mimic Sendmail's functionality very closely, without all the security problems. Qmail and Exim are two other alternatives.
Last edited by chort; 10-21-2003 at 12:18 AM.
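The staged default-deny firewall chort describes, as an added example that is not from the thread or any LQ member: a generator for an iptables-restore ruleset that lets the freshly installed box fetch updates but accepts no new inbound connections, with sshd and smtp opened only once their ports are passed after patching. It assumes the old "-m state" match (still accepted as an alias of "-m conntrack --ctstate" on current kernels) and the file path /etc/iptables.rules.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny iptables ruleset generator.
# Usage (as root):
#   sh fw.sh       > /etc/iptables.rules   # stage 1: nothing inbound, patch first
#   sh fw.sh 22 25 > /etc/iptables.rules   # stage 2: expose sshd/smtp after patching
#   iptables-restore < /etc/iptables.rules
# Lines starting with '#' are comments to iptables-restore, so the generated
# file is self-documenting.

gen_rules() {
    # Header and the rules every stage needs.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Local services (X, the MTA queueing to itself) talk over loopback.
-A INPUT -i lo -j ACCEPT
# Replies to connections the box opened itself, e.g. apt-get update.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets that belong to no known connection never reach a daemon.
-A INPUT -m state --state INVALID -j DROP
EOF
    # One ACCEPT per TCP port the caller explicitly asked for; reject
    # anything that is not a plain port number instead of emitting it.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "gen_rules: bad port '$port'" >&2; return 1 ;;
        esac
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Everything else: log (rate-limited) and fall through to the DROP
    # policy, so probes show up in syslog instead of silently vanishing.
    cat <<'EOF'
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

gen_rules "$@"
```

Verify the loaded policy with `iptables -L -n -v` and confirm from another host that the unopened ports time out rather than answer.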
#8 | 10-21-2003, 02:39 AM | Senior Member | Registered: Jul 2003 | Location: NY | Distribution: Slackware, Termux | Posts: 1,067
You ain't got a little brother that likes to play tricks, do you? In the age before computers, it might have been a dead mouse in your bed, now it's "j0U've h4Xor'ed!" <sigh.....>