LinuxQuestions.org
Old 09-06-2004, 12:58 PM   #1
chil326
Member
 
Registered: Jul 2004
Location: Paris, France
Distribution: mandriva LE 2005
Posts: 86

Rep: Reputation: 15
IP address Mandrake 10 intrusion?


Hello,
I use GNU/Linux Mandrake 10 and ADSL provided by Tiscali.
Today I kept my home computer on all day while I was at work,
and when I came back home I noticed my IP address had changed (I used ifconfig to notice that).
How is it possible? Has my computer been intruded?

I attach the parts of /var/log/security.log that look strange.
Thanks for your help.

/*Parts of /var/log/security.log*/
Security Warning: the md5 checksum for one of your SUID files has changed,
maybe an intruder modified one of these suid binary in order to put in a backdoor...
- Checksum changed file : /usr/bin/passwd

Security Warning: There are modifications for port listening on your machine :
- Opened ports : tcp 0 0 *:x11 *:* LISTEN 7489/X
- Opened ports : tcp 0 0 *:ipp *:* LISTEN 2721/cupsd
- Closed ports : tcp 0 0 *:32768 *:* LISTEN 2648/X
- Closed ports : tcp 0 0 *:ipp *:* LISTEN 1982/cupsd

(...)

Security Warning: These packages have changed on the system :
(...)
- Newly installed package : passwd-0.68-2.2.100mdk 1094383447

/* result of chkrootkit*/
[root@localhost log]# /usr/local/src/chkrootkit-0.44/chkrootkit passwd
ROOTDIR is `/'
Checking `passwd'... not infected

Well, is chkrootkit really safe? Or maybe I am paranoid?

Last edited by chil326; 09-06-2004 at 01:00 PM.
 
Old 09-06-2004, 03:00 PM   #2
TheIrish
Member
 
Registered: Oct 2003
Location: ITALY
Distribution: Debian, Ubuntu, Fedora
Posts: 137

Rep: Reputation: 15
Well, chkrootkit is a great tool, not a panacea. You can also try "rootkit hunter".
Anyway, regarding your logs, they don't look so strange. I mean, they could mean a LOT of bad things, but as far as I can see, it could be the result of an automatic update. If you have automatic updates enabled (I'm not into Mandrake so I'm not sure if it's possible), maybe it just downloaded the new passwd version.
This is the best case; the worst case may be an intrusion. So my suggestion is, get a safe copy of passwd somewhere and:
keep an eye on the network traffic
install security utilities
don't panic but don't relax too much

PS: regarding the IP change, I guess your IP is dynamic so maybe you just got disconnected and reconnected with another IP. Nothing to worry about I guess

Last edited by TheIrish; 09-06-2004 at 03:02 PM.
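TheIrish's hypothesis (the checksum warning is the footprint of a passwd package update, and the port warnings are the same daemons coming back with new PIDs) can be checked mechanically against the msec output. The Python below is an added example, not code from this thread or from Mandrake's msec: the sample log lines are constructed from post #1, and OWNER_MAP is a hypothetical stand-in for what `rpm -qf` would report on the box.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the msec warnings quoted in post #1 (abridged).
SAMPLE_LOG = """\
- Checksum changed file : /usr/bin/passwd
- Opened ports : tcp 0 0 *:x11 *:* LISTEN 7489/X
- Opened ports : tcp 0 0 *:ipp *:* LISTEN 2721/cupsd
- Closed ports : tcp 0 0 *:32768 *:* LISTEN 2648/X
- Closed ports : tcp 0 0 *:ipp *:* LISTEN 1982/cupsd
- Newly installed package : passwd-0.68-2.2.100mdk 1094383447
"""

# Hypothetical stand-in for `rpm -qf <file>`: which package owns each SUID file.
OWNER_MAP = {"/usr/bin/passwd": "passwd"}

def parse_msec_log(text):
    """Pull the three kinds of msec findings out of security.log lines."""
    f = {"changed_files": [], "opened": {}, "closed": {}, "installed": {}}
    for line in text.splitlines():
        if m := re.match(r"- Checksum changed file : (\S+)", line):
            f["changed_files"].append(m.group(1))
        elif m := re.match(r"- (Opened|Closed) ports : \S+ \d+ \d+ (\S+) \S+ LISTEN (\d+)/(\S+)", line):
            # local address -> (program, pid)
            f[m.group(1).lower()][m.group(2)] = (m.group(4), int(m.group(3)))
        elif m := re.match(r"- Newly installed package : (\S+) (\d+)", line):
            # msec appends the RPM install time as a Unix epoch; key by package name
            nvr, when = m.group(1), datetime.fromtimestamp(int(m.group(2)), timezone.utc)
            f["installed"][nvr.rsplit("-", 2)[0]] = (nvr, when)
    return f

def triage_suid(f, owner_map):
    """Was each changed SUID file rewritten by a package update, or by something else?"""
    out = {}
    for path in f["changed_files"]:
        pkg = owner_map.get(path)
        if pkg in f["installed"]:
            nvr, when = f["installed"][pkg]
            out[path] = f"explained by {nvr} installed {when:%Y-%m-%d %H:%M:%S} UTC; confirm with rpm -V {pkg}"
        else:
            out[path] = "no package update owns this file: treat as suspicious"
    return out

def triage_ports(f):
    """Same socket and same program with a new pid is a restart, not a new service."""
    out = {}
    for addr, (prog, pid) in f["opened"].items():
        old = f["closed"].get(addr)
        if old and old[0] == prog:
            out[addr] = f"restarted: {prog} pid {old[1]} -> {pid}"
        else:
            out[addr] = f"new listener {prog} (pid {pid}): verify"
    return out
```

On the sample, the install epoch 1094383447 resolves to the day before the post, and ipp/cupsd classifies as a restart, which is the picture of a reboot plus an update rather than a backdoor; the `rpm -V` step is still what settles it.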
 
Old 09-06-2004, 07:02 PM   #3
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
You mean your Internet IP?

My broadband Internet IP changes often when the machine or interface is shut down and DHCP runs again (or when the ISP server goes down and is restarted).

I see no reason why an attacker would want to change your IP....
 
Old 09-07-2004, 02:30 AM   #4
chil326
Member
 
Registered: Jul 2004
Location: Paris, France
Distribution: mandriva LE 2005
Posts: 86

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by qwijibow
You mean your Internet IP?

My broadband Internet IP changes often when the machine or interface is shut down and DHCP runs again (or when the ISP server goes down and is restarted).

I see no reason why an attacker would want to change your IP....
Yes, my Internet IP changed while I was not home.
If my interface shut down, OK, the IP address can change, but in this case, who brings the interface up again? Is it done automatically?
Moreover I run snort on my Linux box. I didn't notice anything special in the logs, because snort was stopped. Something made it crash, or (I hope not) someone?
I know I am paranoid about computer security, but all this stuff seems strange. And "even paranoiacs have enemies".
 
Old 09-07-2004, 07:19 AM   #5
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
Think of it this way... if someone remotely accessed your Internet connection.... then they will have lost their own connection to it by shutting down the network interface and lost the ability to restart it...

Unless they put maybe a cron job or sleep script to start up the interface again for them, thus changing the IP, and still.. they lost their connection to you for not knowing the new IP.

Maybe your ISP changed your IP... maybe interfaces don't need to be reset, maybe they do it automatically...

And SOME distros restart interfaces that die.... I set up my Red Hat 9 box to do this on my unstable dial-up.

If I were you, I would phone the ISP and ask them if they changed your IP.. and explain you are concerned about security.... security of the customers is often very important to ISPs (or important that they give that impression); they should try to be helpful!
 
Old 09-07-2004, 09:53 AM   #6
chil326
Member
 
Registered: Jul 2004
Location: Paris, France
Distribution: mandriva LE 2005
Posts: 86

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by qwijibow
Think of it this way... if someone remotely accessed your Internet connection.... then they will have lost their own connection to it by shutting down the network interface and lost the ability to restart it...

Unless they put maybe a cron job or sleep script to start up the interface again for them, thus changing the IP, and still.. they lost their connection to you for not knowing the new IP.

Maybe your ISP changed your IP... maybe interfaces don't need to be reset, maybe they do it automatically...

And SOME distros restart interfaces that die.... I set up my Red Hat 9 box to do this on my unstable dial-up.

If I were you, I would phone the ISP and ask them if they changed your IP.. and explain you are concerned about security.... security of the customers is often very important to ISPs (or important that they give that impression); they should try to be helpful!
Yes. I contacted my ISP and asked the question about this IP address stuff. But... still no response. And, moreover, I have a problem with my ISP (TISCALI): they don't want to hear about Linux. They explicitly wrote in the general conditions that Linux is not supported. I want to change ISP but I'm still engaged for one year... well, to sum up, don't use Tiscali as ISP.
OK for the IP address change, it is probably not an intrusion (unless the cracker wrote a script to restart the interface and send himself the new IP address... it is possible I think, but a little bit weird, I admit).
But I need to test and check the security of my box, I'm still paranoid.
Thank you very much
--
PS: I apologize for my "Frenglish"

Last edited by chil326; 09-07-2004 at 10:03 AM.
 
Old 09-07-2004, 11:59 AM   #7
TheIrish
Member
 
Registered: Oct 2003
Location: ITALY
Distribution: Debian, Ubuntu, Fedora
Posts: 137

Rep: Reputation: 15
Quote:
they don't want to hear about Linux
Unluckily, a quite usual way of avoiding THEIR problems. Also I think that:
Quote:
They explicitly wrote in the general conditions that Linux is not supported
is sort of illegal because Linux is 100% POSIX.
 
Old 09-07-2004, 03:01 PM   #8
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
You don't have to mention Linux....
PHONE them.... (they will never reply to email)
and say that Windows XP is reporting that your IP has changed... ask them if their customers' IP addresses are meant to be static or dynamic.. and ask if an IP can be changed on your machine without a shutdown, while unattended.
 
Old 09-08-2004, 04:36 AM   #9
chil326
Member
 
Registered: Jul 2004
Location: Paris, France
Distribution: mandriva LE 2005
Posts: 86

Original Poster
Rep: Reputation: 15
OK, I am going to wait a little bit for a mail answer, and if they don't answer I'll phone them.
Thanks for the posts
 