has my Ubuntu machine been cracked?

machine on home lan
192.168.0.102
it is the DMZ from router
ufw on (ports open for aMule)
sshd installed

no:
p2p file sharing
local sharing
IM
servers (only sshd)

afs-fileserver port 7000 detected by etherape
rkhunter 16 files show WARNING
UPD unknown traffic many connections, detected by etherape
no UDP shows in #sudo netstat
I only install software from U repos, authenticated

Chances are that you have not. Part of the problem with tools like rkhunter and etherape is that they give a lot of false warnings, as does any IDS software. You need to review the man pages and understand what the tools are doing and then evaluate the warnings you receive on a case-by-case basis. You mention SSHD, do you use password authentication? Do you allow root passwords? Do you have it restricted at all via IPtables. Do you run any other server processes? Do you examine your logs routinely? Do you use a program like fail2ban to help counteract brute force password attempts?

If you think you may have been compromised, then you will want to perform an investigation. Start by removing the network cable or putting a firewall up in front of the machine. Then review the CERT intruder detection check list for things to look for. Here is a link.

Next examine the output netstat -pane, lsof -pwn, ps -afwwwe. Look for any files with the setuid and guid bits set. If you need help analyzing these files, please post the output as an attachment or let one of use know and we will help arrange for a location to post them.

Personally I'd take this more gradually before going all out, especially since I agree with Noway2 that it's probably nothing. If the UDP traffic is what is concerning you then try running tcpdump or wireshark for more details and go from there.

1 members found this post helpful.