hi,
my system have been hacked , i already try few command like :
last -> didn't find any ip address others than me

/var/log/messages -> didn't find any ip address that successfull log in others than me

i've tried rkhunter, but didn't found any rootkit in my system

i've tried history -> didn't find any suspicious command

i've tried to cat /etc/passwd -> didn't find any suspicious user


my only trace that my system hv been hacked is in binary sql log, that generated from mysqlbinlog :
# at 22572431
65 #070411 12:02:22 server id 1 log_pos 22572431 Query thread_id=3239 exec_time=0 error_code=0
66 SET TIMESTAMP=1176292942;
insert into user (userid,username,userpassword,usertype) values ('admin','admin','admin','pusat1');
68 # at 22572574
69 #070411 12:02:22 server id 1 log_pos 22572574 Query thread_id=3239 exec_time=0 error_code=0
70 SET TIMESTAMP=1176292942;
71 delete from embassy;


he inserted admin user, and deleted my table
currently i'm using slackware 10.1 and mysql 4.1

please advise ?

thanks

you have two routes to take.
1: you have been hacked and ANYTHING that was accessable from that machine is now to be considered compromised.
Disconnect from the network and only use live CDs to access the machine as the kernel may have been replaced so that ANY command would see eveything as normal, hiding any activity extra users etc.
Your only option in this case is to format and restore from know good back up.
2: your mySQL service has been hacked and the cracker has only managed to attack your database and has not been able to escape into the machine at large.
Why are you running a mySQL server available to the internet?
can you lock it down?
is there a web interface that gave the attacker access to the mySQL server via the internet ?
if so can it be upgraded?
If you are a home user and you do not make regular backups then number two might be the only way to go.
There is also a number 3, install tripwire intrusion detection and see if the cracker comes back.

well, i can't disconnect it to network because it's serves 24 hours to my client. and beside that it would be useless if i installing from beginning without knowing what the root cause my system hv been compromised? i'm affraid it's happening again...

no my mysql it's running on skip_networking mode, so the only possibility he was accessing locally thru shell, i didn't hv phpmyadmin or something like that installed.

but if he accessing thru shell, why i can't see he's logged to my system on that time, thru the log that i checked before.

what my question are :
1. how can he got into my mysql shell ? thru shell or is there something i didn't know ?
2. is there log that i missed, so i can check what's ip or how my system can be compromised ?
3. is there any handy tool, that can help me protect / logging my security ?

thanks for the reply.

1. I do not know enough about mySQL to answer this my experience is compromised windows machines.
2. If the attacker gained root access then any log file could have been sanitized of their presents, there is a real danger that core components of your OS have been replaced i.e. the kernel, this means any attempt to detect the attackers presents could be masked, he/she could by attached right now and who/top rootkit hunter etc would never know.
3. Tripwire will allow you to monitor what is going on but unless you start from scratch number two my thwort your attempts.

If you have the time, create a backup of the hard drive with and then load it into a virtual machine and play about a bit more.

I'd vote for taking stock of everything that even remotely looks like system, login and daemon logs (also don't forget logs from adjacent fw/router if any) before going nuclear. Since you set skip_networking mode this means whatever is serving up data is on the same box and I'm sure its logs should show anomalies. Best would be to copy the logs off the box and work on a separate, secured, "known good" workstation. See if you get for instance remote probing, vulnerability "testing" or logins. If you rotate logs try to go back as far as you can, it's not said the table drop came right after the initial probing and compromise. Before you do better first read Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html if you need some guidelines on what logs and such to look at and maybe check this forum for past incidents and how we handled them to get the feel.

Post as much info as you can (if its too much data just post a temporary URI to a tarball of logs we can grab). One thing you should execute alongside your logsearch is verifying everything on the box. If you deployed something like Aide or Samhain this is the time to use it, else if you only got a package manager that can do package content verification then use that.