LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Someone logged into my machine? (https://www.linuxquestions.org/questions/linux-security-4/someone-logged-into-my-machine-60989/)

nuzzy 05-21-2003 10:16 AM

Someone logged into my machine?
 
I'm wondering if someone is remotely logged into my RH9 box. The reason I think this is that I'm seeing numerous e-mails being sent out. I have sendmail hardened to not allow relaying and have confirmed this through ordb.org, but I still see the mass mailings being sent out. Is there a way for me to check if someone else is using my machine or find out who it is?

tcaptain 05-21-2003 10:24 AM

I'm not sure which logs specifically (I'm not at my machine) but I'd look quickly in the /var/log directory...maybe in 'messages' or something...although there may be one called 'security' or 'secure'

You can also use the 'last' command.

If you think your box is sending out mass mailings, shut it down quickly...or at least suspend sendmail until you are sure...I mean, it's not nice to spam...especially if you are aware you are spamming.

unSpawn 05-21-2003 10:52 AM

Definitely shut down sendmail, add an inbound LOG target rule to your firewall for TCP/25 and outbound for any/any. If your box has been used a lot you're bound to see some requests...

Determine how they were able to use your box. The "last" command will give you an account of who's been logged in, for example "last -ai10" will give you the ten most recent ones. If enabled, "lastb" should give you the last login failures. "w" or "who" show you who's on the box now.
Check the integrity of your binaries, libraries and configuration files using Aide, Samhain or tripwire (if installed), else you'll have to resort to verifying against your rpm database, but that won't catch everything. Run chkrootkit, just to be sure. If anything fishy comes up, catch the output of 'ps axwww', 'netstat -anp' and 'lsof' to file and shut down your network connection. If all seems OK, start looking in /var/log/messages for "weird" entries, anything with error, fail, fatal or pam in it, and /var/log/maillog(.*gz) for clues. If you find remote addresses, expect them to be temp accounts and/or connected through proxies.

If you report back, please elaborate on what you've done to check and what you've found.
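A shell script that carries out the checks unSpawn lists above (firewall LOG rules, snapshot of ps/netstat/lsof/last, keyword scan of messages and maillog) and tcaptain's pointer to `last` and /var/log, as an added example that is not code from the thread. It assumes RH9-style log locations (/var/log/messages, /var/log/secure, /var/log/maillog), GNU grep/sed and iptables; the iptables rules are only printed unless APPLY=1, and the log lines written by make_sample_logs are constructed for illustration.

```shell
#!/bin/sh
# Triage helper for the steps in unSpawn's post. Added example, not from the
# thread. Assumptions: RH9-style logs, GNU grep/sed, iptables. The sample
# log lines written by make_sample_logs are constructed.

# 1. Firewall LOG rules: inbound TCP/25 and all outbound traffic. Printed by
#    default; run with APPLY=1 as root to insert them. The outbound rule is
#    rate-limited so a busy box does not flood the kernel log.
log_rules() {
    for rule in \
        "iptables -I INPUT -p tcp --dport 25 -j LOG --log-prefix 'SMTP-IN: '" \
        "iptables -I OUTPUT -m limit --limit 30/minute -j LOG --log-prefix 'OUT: '"
    do
        if [ "${APPLY:-0}" = 1 ]; then eval "$rule"; else echo "$rule"; fi
    done
}

# 2. Snapshot volatile state to files before pulling the network cable.
snapshot() {
    dir=${1:-/root/ir-$(date +%Y%m%d%H%M%S)}
    mkdir -p "$dir"
    ps axwww     > "$dir/ps.txt"
    netstat -anp > "$dir/netstat.txt" 2>&1
    lsof -n      > "$dir/lsof.txt" 2>&1
    last -ai     > "$dir/last.txt" 2>&1
    w            > "$dir/w.txt" 2>&1
    echo "$dir"
}

# 3. Lines matching the keywords unSpawn lists; rotated .gz copies work too.
scan_log() {
    case $1 in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac | grep -iE 'error|fail|fatal|pam'
}

# 4. Failed logins per source address: one or two hits from a dynamic IP
#    look different from dozens from the same host.
failed_by_ip() {
    grep -i 'failed password' "$1" \
      | sed -n 's/.* from \([0-9.]*\) .*/\1/p' \
      | sort | uniq -c | sort -rn
}

# 5. Who handed mail to sendmail: the relay= field of the from= lines.
relay_clients() {
    grep 'from=<' "$1" | grep -o 'relay=[^,]*' | sed 's/^relay=//' \
      | sort | uniq -c | sort -rn
}

# Constructed sample logs so the functions above can be exercised offline.
make_sample_logs() {
    d=$(mktemp -d)
    cat > "$d/messages" <<'EOF'
May 21 09:00:01 rh9 kernel: eth0: link up
May 21 09:05:12 rh9 sshd(pam_unix)[1201]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.0.0.5  user=root
May 21 09:05:14 rh9 sshd[1201]: error: PAM: Authentication failure for root from 10.0.0.5
May 21 09:10:00 rh9 crond[1300]: (root) CMD (run-parts /etc/cron.hourly)
May 21 09:12:40 rh9 sendmail[1402]: fatal: unable to open /etc/mail/access.db
EOF
    cat > "$d/secure" <<'EOF'
May 21 09:05:14 rh9 sshd[1201]: Failed password for root from 10.0.0.5 port 4021 ssh2
May 21 09:05:19 rh9 sshd[1203]: Failed password for illegal user test from 10.0.0.5 port 4022 ssh2
May 21 09:05:25 rh9 sshd[1205]: Failed password for illegal user admin from 10.0.0.5 port 4023 ssh2
May 21 11:30:02 rh9 sshd[1350]: Failed password for nuzzy from 192.168.1.20 port 33012 ssh2
May 21 11:30:10 rh9 sshd[1350]: Accepted password for nuzzy from 192.168.1.20 port 33012 ssh2
EOF
    cat > "$d/maillog" <<'EOF'
May 21 10:02:13 rh9 sendmail[1402]: h4LE2Dn01402: from=<someone@xxx.attbi.com>, size=2211, class=0, nrcpts=40, msgid=<200305211402.h4LE2Dn01402@rh9>, proto=ESMTP, daemon=MTA, relay=c-1-2-3-4.client.attbi.com [1.2.3.4]
May 21 10:02:14 rh9 sendmail[1405]: h4LE2Dn01402: to=<victim@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=122211, relay=mx.example.net. [5.6.7.8], dsn=2.0.0, stat=Sent
May 21 10:03:40 rh9 sendmail[1410]: h4LE3eX01410: from=<someone@xxx.attbi.com>, size=2198, class=0, nrcpts=35, msgid=<200305211403.h4LE3eX01410@rh9>, proto=ESMTP, daemon=MTA, relay=c-1-2-3-4.client.attbi.com [1.2.3.4]
May 21 12:00:00 rh9 sendmail[1500]: h4LG00A01500: from=<nuzzy@localhost>, size=300, class=0, nrcpts=1, msgid=<200305211600.h4LG00A01500@rh9>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
EOF
    echo "$d"
}

# Usage on a live box (as root): snapshot; scan_log /var/log/messages;
# failed_by_ip /var/log/secure; relay_clients /var/log/maillog
```

Take the snapshot before touching the firewall or the network: once the cable is out, the connections netstat and lsof would have shown are gone. The relay_clients output is the quickest way to the answer this thread ended with, since the relay= field names the host that handed each message to sendmail.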

nuzzy 05-24-2003 12:40 PM

Hi guys,

Thanks for your replies. I was one step ahead of your advice and shut down my SMTP when I saw mail being relayed from the unknown source. I did some investigating in my maillog and found out that the domain of attbi.com was being used to relay the mail. I'm an idiot because I had allowed that domain to relay because I use attbi.com. I wanted to run some tests using my home machine. I forgot to remove it from the relay when I was done, but I did, and voilà! No problems for three days now.
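The access-map mistake nuzzy describes, audited and fixed in shell, as an added example that is not code from the thread. It assumes the RH9 layout of a text /etc/mail/access compiled into /etc/mail/access.db with makemap; the sample map written by write_sample_access is constructed, and makemap is only run when APPLY=1.

```shell
#!/bin/sh
# Audit helper for the sendmail access map behind the relaying in this
# thread. Added example, not from the thread. Assumes /etc/mail/access
# (text) compiled to /etc/mail/access.db with makemap, as on RH9. The sample
# map written by write_sample_access is constructed.

# RELAY entries other than the loopback defaults. An untagged key such as
# "attbi.com RELAY" is matched against the connecting client's reverse-DNS
# name as well as addresses, so every host under attbi.com may relay: the
# hole nuzzy found. Anything this prints deserves a look.
risky_relays() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" \
      | awk 'toupper($NF) == "RELAY" {
                key = $1
                sub(/^(Connect|From|To):/, "", key)
                if (key != "localhost" && key != "localhost.localdomain" &&
                    key != "127.0.0.1")
                    print $1
            }'
}

# Delete one key from the text map and show the rebuild. Dry run unless
# APPLY=1 (makemap needs root and sendmail installed). Where relaying is
# really wanted, tighten instead of delete: "Connect:1.2.3.4 RELAY" limits
# it to one client address and does not depend on reverse DNS.
drop_entry() {
    file=$1
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots are literal in the key
    sed "/^$esc[[:space:]]/d" "$file" > "$file.new" && mv "$file.new" "$file"
    echo "makemap hash $file.db < $file && service sendmail restart"
    if [ "${APPLY:-0}" = 1 ]; then
        makemap hash "$file.db" < "$file" && service sendmail restart
    fi
}

# Constructed sample access map: the RH9 defaults plus the offending entry.
write_sample_access() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/mail/access
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
attbi.com               RELAY
Connect:192.168.1       RELAY
spammer.example         REJECT
From:friend@example.org OK
EOF
}

# Usage on a live box (as root):
#   risky_relays /etc/mail/access
#   APPLY=1 drop_entry /etc/mail/access attbi.com
```

Note that the Connect:192.168.1 entry is also listed: the script flags every non-loopback RELAY grant and leaves the judgement to you, since a LAN prefix is usually intended while a provider's whole domain is not. After editing the text map the .db must be rebuilt and sendmail restarted, or the old grant stays in force.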

tcaptain 05-24-2003 02:15 PM

you mean attbi.com was using YOUR open relay?

nuzzy 05-24-2003 03:17 PM

AT&T themselves? No...it was someone@xxx.attbi.com using my SMTP to relay...

2damncommon 05-24-2003 05:11 PM

It's amazing.
I have been fooling around with some test runs of a home server.
People are always scanning, checking smtp, ftp, ssh, http, trying to exploit known hacks.
I am trying to learn to distinguish possible hits due to dynamic IP versus definite hack attempts.

