LinuxQuestions.org

Linux - Security: i think i've been hacked! (https://www.linuxquestions.org/questions/linux-security-4/i-think-ive-been-hacked-110241/)

safil 10-30-2003 12:52 AM

i think i've been hacked!
 
I'm a newbie at Linux for about 2 months now (RH9)! But something's not right. CPU usage is high when I'm idle, and when I go to the RH user manager, how come there are so many system users and groups? I think my problem is that I almost always log in as root. I do that in order to install apps and programs and also to set settings. Is there any way I can find out if I have been hacked (preferably GUI) and how to get rid of it and keep it from happening again? Thanks! Please keep in mind that I'm still a noob and only know some command line. I appreciate in advance any advice and help!

guygriffiths 10-30-2003 09:52 AM

There are loads of users and groups for various tasks on RedHat. Don't worry about that. The high CPU usage seems strange - go into a terminal and type "top". That'll tell you what's eating the CPU. Post the output if you can't figure out what's going on.
Guy

unSpawn 10-30-2003 09:57 AM

All commands should be entered, as root, without the outer double quotes and in an xterm, Kterm, gnome-terminal or whatever it's called. The " | tee -a /tmp/log" part dumps the output of the commands in a file called /tmp/log for easy reading and posting.
Note this isn't a complete audit in any way, but unless the system was subverted using a rootkit it should tell us some basic details.

Quote:

But something's not right. CPU usage is high when I'm idle,
1. Tell us which processes you have running.
"chkconfig --list 2>&1| awk '{print $1, $7}' | grep :on | tee -a /tmp/log".
This example is for runlevel 5 and should give you a list of services that are supposed to be running. If you're in another runlevel (if you have to start X from the commandline) change the "$7" (runlevel + 2). To find out the runlevel, type "/sbin/runlevel". The second number is the current runlevel.

2. Show us what the top 10 CPU time consuming apps are:
"\ps axhwww -eo %C -eo priority,pid,user,args 2>&1|sort -nr -S1| head -10 | tee -a /tmp/log"

From what you say I can't conclude your box is cracked. If you want to do some minimal investigation, check points 3 to 7 yourself and report anything you think weird:
3. Internet connections in use:
"netstat -anp -A inet 2>&1| tee -a /tmp/log".

4. Interface settings:
"/sbin/ip link show 2>&1| grep -ie PROM | tee -a /tmp/log" or
"/sbin/ifconfig -a 2>&1| grep -ie PROM | tee -a /tmp/log"

5. Passwd logname, home and shell, group groupname and members:
"cat /etc/group 2>&1| cut -d ":" -f 1,4- | tee -a /tmp/log" and
"cat /etc/passwd 2>&1| cut -d ":" -f 1,6- | tee -a /tmp/log"
Last 30 login records:
"last -30 2>&1 | tee -a /tmp/log"
Last 30 login failures:
"lastb -30 2>&1 | tee -a /tmp/log"
System accounts have a UID below a certain number; human accounts and other unprivileged accounts have a higher number. To find out the number, run "grep /etc/login.defs -e ^UID_MIN|awk '{print $2}'". The default is 500.
Logins that should not occur if system account:
"lastlog 2>&1 | grep -v Never | tee -a /tmp/log"

6. System logs.
Find the logs by running "cat /etc/syslog.conf | egrep '^(\*|[a-z])' | awk '{print $2}'" (or look in your system's logdir: /var/log) and inspect the contents for errors or things you cannot understand.

7. Tell us
- if you're running a firewall,
- if you have done some hardening on your box using for instance "Bastille-linux", and
- if you audit your system and system logs using
-- "rpm -Va" to check the state of the files installed by the package manager,
-- a filesystem checker like Aide, Samhain or tripwire,
-- a system checker like Tiger or LSAT or COPS,
-- a log reporter like logwatch, swatch, logsentry.
Anything else. Think applications behaving differently, segmentation faults, files disappearing or appearing, etc. etc.

Quote:

how come there are so many system users and groups.
Because a lot of processes do not need to be run with root account privileges.


Quote:

I think my problem is that I almost always log in as root.
Apart from installing apps and changing settings you must not log in as root.
If you need root account access for specific commands, set up "sudo".
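The checks above are typed one by one on the box itself. As an added example (not part of unSpawn's post), the script below turns checks 1, 4 and 5 into small functions that run over constructed sample text, so the filtering logic can be tried anywhere: which services are on in a given runlevel, which interfaces are in promiscuous mode, and which system accounts (UID below UID_MIN) have a login shell they should not have. The sample chkconfig, ip link and passwd text is made up for the demonstration; on a real machine you would pipe in the live output of "chkconfig --list", "/sbin/ip link show" and /etc/passwd instead.

```shell
#!/bin/sh
# Added example, not part of unSpawn's post: offline versions of checks 1, 4
# and 5, written as functions over constructed sample text so they run
# anywhere. On a real box feed them the live output of "chkconfig --list",
# "/sbin/ip link show" and /etc/passwd instead of the samples below.

# Constructed sample of "chkconfig --list" output (not from any real system).
SAMPLE_CHKCONFIG='kudzu      0:off 1:off 2:off 3:on  4:on  5:on  6:off
sshd       0:off 1:off 2:on  3:on  4:on  5:on  6:off
portmap    0:off 1:off 2:off 3:on  4:on  5:on  6:off
sendmail   0:off 1:off 2:on  3:on  4:on  5:on  6:off
isdn       0:off 1:off 2:off 3:off 4:off 5:off 6:off'

# Constructed sample of "/sbin/ip link show"; eth0 is planted in PROMISC mode.
SAMPLE_IPLINK='1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000'

# Constructed /etc/passwd sample; "games" is planted with a login shell.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
safil:x:500:500::/home/safil:/bin/bash'

# Check 1: services switched on in the given runlevel. The column for
# runlevel N is field N+2, which is why the post uses $7 for runlevel 5.
enabled_services() {
    runlevel="$1"
    printf '%s\n' "$SAMPLE_CHKCONFIG" |
        awk -v col="$((runlevel + 2))" '$col ~ /:on$/ { print $1 }'
}

# Check 4: interfaces whose flags include PROMISC. A sniffer puts the card
# into promiscuous mode; on a desktop no interface should show it.
promisc_interfaces() {
    printf '%s\n' "$SAMPLE_IPLINK" |
        awk -F'[: ]+' '/PROMISC/ { print $2 }'
}

# Check 5: system accounts (0 < UID < UID_MIN) that have a real login shell.
# Such accounts should never log in, so a shell here is worth a look.
# UID_MIN is passed in; the post shows how to read it from login.defs.
system_accounts_with_shell() {
    uid_min="$1"
    printf '%s\n' "$SAMPLE_PASSWD" |
        awk -F: -v min="$uid_min" \
            '$3 + 0 > 0 && $3 + 0 < min + 0 && $7 !~ /(nologin|false)$/ {
                print $1 " uid=" $3 " shell=" $7
            }'
}

# Run stand-alone: print each check's findings for the samples.
echo "Services on in runlevel 5:"; enabled_services 5
echo "Interfaces in promiscuous mode:"; promisc_interfaces
echo "System accounts with a login shell:"; system_accounts_with_shell 500
```

Each function prints only the lines worth reporting, which is the part that matters when posting results: an empty result for the promiscuous and system-account checks is the normal case, and anything that does show up is what to paste into the thread.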

zaphodiv 10-31-2003 11:13 AM

>I think my problem is that I almost always log in as root.
If you have been hacked the problem is more likly to be that you are running a default install of redhat without installing security patches often and disabling unneeded services that can be reached from the internet

safil 10-31-2003 05:07 PM

PHP Code:

kudzu 5:on
syslog 5:on
netfs 5:on
network 5:on
random 5:on
rawdevices 5:on
pcmcia 5:on
keytable 5:on
apmd 5:on
atd 5:on
gpm 5:on
autofs 5:on
iptables 5:on
isdn 5:on
sshd 5:on
portmap 5:on
nfslock 5:on
sendmail 5:on
rhnsd 5:on
crond 5:on
anacron 5:on
xfs 5:on
xinetd 5:on
cups 5:on


Capt_Caveman 11-01-2003 08:31 PM

I'm assuming you didn't plan for your post to look like that and what you posted was supposed to be chkconfig output of 5: on instead.

As a general rule, you should turn off anything that you don't need. For example, if you're not mounting remote NFS shares you won't need netfs, nfslock, or autofs. If you don't need portmap and sendmail, turn them off, as they both have bad security histories. If you don't have an ISDN connection, then shockingly you don't need ISDN. You get the picture. I would leave kudzu, syslog, network, random, keytable, iptables, crond, anacron, xfs on. You can argue that some of them should be off, but I think the good outweighs the bad with those services.

Also, if you want us to help you out, you'll need to answer the questions that others have posted. It's hard to help when you don't have all the pieces to the puzzle, plus it comes off as rude and inconsiderate when someone has taken the time to respond to your post and you neglect to answer their questions.
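Capt_Caveman's advice is a keep list; everything else enabled in runlevel 5 is a candidate for switching off. As an added example (not from the thread), the script below takes safil's posted runlevel-5 list and the nine services Capt_Caveman would leave on, and prints the chkconfig commands that would disable the rest. It only prints; nothing on the box is changed, and the keep list is an assumption to adjust for your own machine (sshd, for instance, stays on if you actually log in remotely).

```shell
#!/bin/sh
# Added example, not part of the thread: compare safil's posted "name 5:on"
# list with the services Capt_Caveman says he would leave on, and print the
# chkconfig commands that would disable everything else in runlevel 5.
# Nothing is executed; the commands are printed for review only.

# safil's posted chkconfig output, as "name runlevel:state" lines.
POSTED_SERVICES='kudzu 5:on
syslog 5:on
netfs 5:on
network 5:on
random 5:on
rawdevices 5:on
pcmcia 5:on
keytable 5:on
apmd 5:on
atd 5:on
gpm 5:on
autofs 5:on
iptables 5:on
isdn 5:on
sshd 5:on
portmap 5:on
nfslock 5:on
sendmail 5:on
rhnsd 5:on
crond 5:on
anacron 5:on
xfs 5:on
xinetd 5:on
cups 5:on'

# The services Capt_Caveman would leave on. This is an assumption for the
# example: edit it for your own box (e.g. add sshd if you log in remotely).
KEEP_LIST='kudzu syslog network random keytable iptables crond anacron xfs'

# Names of services that are on in runlevel 5 but not on the keep list.
services_to_disable() {
    printf '%s\n' "$POSTED_SERVICES" | awk -v keep="$KEEP_LIST" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) keepset[k[i]] = 1 }
        $2 ~ /:on$/ && !($1 in keepset) { print $1 }'
}

# Turn that list into the commands an admin would review before running them.
disable_commands() {
    services_to_disable | while read -r svc; do
        printf 'chkconfig --level 5 %s off\n' "$svc"
    done
}

# Run stand-alone: print the proposed commands.
disable_commands
```

Printing the commands instead of running them is deliberate: the list is a starting point, and a service like sshd or cups only comes off it once you have checked you do not depend on it.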

safil 11-02-2003 08:15 AM

RELAX!
 
Don't have a stroke! I tried cutting and pasting from my terminal and my tmp/log and when I did I had difficulties. If I had known my reply would look like that then I would rather not have posted! But anyway, thanks for your help!! Just put down the "Jolt Cola" or "Red Bull"!

Capt_Caveman 11-02-2003 10:16 AM

I wasn't trying to jump all over you, it's just that your post looked like a bunch of gibberish until I figured out what was going on. BTW, in the future you can make use of the edit button to make changes to your post if you need to.

But you should definitely try and go through the list of things that unSpawn listed in his post. It might not be all that clear what they do, but the results will go a long way in helping us find out if your machine has been compromised or if what you saw is normal. I saw that you did at least check what was turned on with chkconfig, which is good, but there are a lot more things you need to take a look at before you can be at least semi-sure that your system is ok.

Quote:

Just put down the "Jolt Cola" or "Red Bull"!
That stuff is for sissies. Anything less than a 16oz coffee with a boat-load of sugar in it is small-time in my book. ;)

