LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-08-2003, 09:58 AM   #1
asktoby
Member
 
Registered: Jul 2003
Location: Cardiff, England ;)
Distribution: Mandrake 9.1
Posts: 94

Rep: Reputation: 15
Was I hacked?


I just rebooted my machine after leaving it online for about 24 hrs to find that there is a new user listed on the Mandy login screen... "geogeek".

Has someone hacked me and set up their own user?

I'm not convinced that my root user has a password, you know. I used to type in a password to get to root, but it hasn't asked me for one since I upgraded Mandy 9.0 to 9.1. Just lets me into root no questions asked.

Advice?
 
Old 08-08-2003, 10:17 AM   #2
killi
Member
 
Registered: Apr 2003
Location: Norway
Distribution: Diff
Posts: 440

Rep: Reputation: 30
Open a term and type su
(password or not)
and when logged in as root type passwd
and type a new pass.
Edit /etc/passwd and delete the line that has geogeek in it, and
you should consider getting a firewall.
 
Old 08-08-2003, 10:23 AM   #3
asktoby
Member
 
Registered: Jul 2003
Location: Cardiff, England ;)
Distribution: Mandrake 9.1
Posts: 94

Original Poster
Rep: Reputation: 15
Thanks.
I su'd to root (no password required),
typed passwd, set a new passwd.

That feels safer. Though when I look at /etc/passwd it is about 28 lines long with a line about geogeek at the end. The other lines mention things like postgres, named, postfix etc. I've deleted geogeek's line.

What's a good free firewall for Mandrake 9.1 then? I use PC-cillin for my Windows machine.
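Deleting the geogeek line by hand works, but a quick audit of the whole file catches the other things an intruder typically leaves behind (a second UID 0 account, an empty password field, two names sharing a UID). This is an added example, not code from the thread; the sample /etc/passwd is constructed to resemble the ~28-line Mandrake 9.1 file described above, and the known-user list and the first ordinary UID (500) are assumptions.

```python
"""Audit /etc/passwd for accounts that should not be there (added example)."""

# Constructed sample: a subset of a stock Mandrake 9.1 /etc/passwd plus the rogue line.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
named:x:25:25:Named:/var/named:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
toby:x:500:500:Toby:/home/toby:/bin/bash
geogeek:x:501:501::/home/geogeek:/bin/bash
"""

# Accounts the owner knows they created (assumption: only "toby").
KNOWN_USERS = {"toby"}
# First UID handed out to ordinary users on Mandrake 9.1 (assumption: 500).
FIRST_USER_UID = 500


def audit_passwd(text, known_users=KNOWN_USERS):
    """Return a list of (username, reason) findings for suspicious entries."""
    findings = []
    seen_uids = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed line %d" % lineno))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        uid = int(uid)
        # An empty password field means no password at all. With shadow passwords
        # the real check belongs in /etc/shadow, but an empty field here is still fatal.
        if pw == "":
            findings.append((name, "empty password field"))
        # Any second UID-0 account is root-equivalent, whatever it is called.
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 but not root"))
        # Two names sharing a UID: one is an alias for the other.
        if uid in seen_uids:
            findings.append((name, "duplicate UID %d (also %s)" % (uid, seen_uids[uid])))
        seen_uids.setdefault(uid, name)
        # Ordinary login accounts the owner did not create.
        if uid >= FIRST_USER_UID and name not in known_users:
            findings.append((name, "unexpected login account"))
    return findings
```

Run it against a copy of /etc/passwd taken before any cleanup, so the findings can be kept with the rest of the evidence.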
 
Old 08-08-2003, 11:48 AM   #4
killi
Member
 
Registered: Apr 2003
Location: Norway
Distribution: Diff
Posts: 440

Rep: Reputation: 30
Firestarter, Shorewall... there are lots of great ones out there.
The classic, though, is iptables; just do a little Google search.

cheers

erling
 
Old 08-08-2003, 02:50 PM   #5
asktoby
Member
 
Registered: Jul 2003
Location: Cardiff, England ;)
Distribution: Mandrake 9.1
Posts: 94

Original Poster
Rep: Reputation: 15
Very strange. No firewall yet, but I have passworded root. I then stepped away from the machine for about 2 hours and when I returned an app called KWrited is open with a document in it called
"Listening on Device /dev/pts/0"
and a few pages of

Message from syslogd@localhost at Fri Aug 8 07:53:59 2003 ...
localhost

Message from syslogd@localhost at Fri Aug 8 07:55:00 2003 ...
localhost

Message from syslogd@localhost at Fri Aug 8 07:56:01 2003 ...
localhost last message repeated 2 times

Message from syslogd@localhost at Fri Aug 8 07:58:00 2003 ...
localhost last message repeated 3 times

Message from syslogd@localhost at Fri Aug 8 07:59:49 2003 ...
localhost last message repeated 2 times

Message from syslogd@localhost at Fri Aug 8 08:01:00 2003 ...
localhost last message repeated 3 times

Message from syslogd@localhost at Fri Aug 8 08:02:01 2003 ...
localhost last message repeated 2 times

Message from syslogd@localhost at Fri Aug 8 08:04:00 2003 ...
localhost last message repeated 2 times

Message from syslogd@localhost at Fri Aug 8 08:06:00 2003 ...
localhost last message repeated 3 times

Message from syslogd@localhost at Fri Aug 8 08:07:59 2003 ...
localhost last message repeated 2 times

Message from syslogd@localhost at Fri Aug 8 08:09:00 2003 ...
localhost last message repeated 4 times

Message from syslogd@localhost at Fri Aug 8 08:10:59 2003 ...
localhost last message repeated 3 times

Message from syslogd@localhost at Fri Aug 8 08:12:00 2003 ...
localhost

Message from syslogd@localhost at Fri Aug 8 08:13:04 2003 ...
localhost last message repeated 4 times

Message from syslogd@localhost at Fri Aug 8 08:14:59 2003 ...
localhost last message repeated 2 times

Message from syslogd@localhost at Fri Aug 8 08:16:00 2003 ...
localhost last message repeated 3 times

Message from syslogd@localhost at Fri Aug 8 08:18:01 2003 ...
localhost last message repeated 2 times

Message from syslogd@localhost at Fri Aug 8 08:20:01 2003 ...
localhost last message repeated 2 times

Message from syslogd@localhost at Fri Aug 8 08:22:01 2003 ...
localhost last message repeated 3 times

Message from syslogd@localhost at Fri Aug 8 08:24:01 2003 ...
localhost last message repeated 2 times

Message from syslogd@localhost at Fri Aug 8 08:26:00 2003 ...
localhost last message repeated 3 times

Message from syslogd@localhost at Fri Aug 8 08:28:01 2003 ...
localhost last message repeated 2 times

...etc.

I wonder what they're up to?
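Turning that wall of KWrited text into a timeline is the first step in working out what is generating it: the gaps between bursts and whether the stamps sit on minute boundaries can be compared against crontab entries and the real /var/log/messages. This is an added example, not from the thread; it parses the "Message from syslogd@host at <date> ..." header and the "last message repeated N times" line, and the sample is a constructed copy of the first few bursts quoted above.

```python
"""Timeline of the syslogd 'wall' messages (added example, not from the thread)."""
import re
from datetime import datetime

# Constructed sample: the first four bursts quoted in the post above.
SAMPLE_WALL = """\
Message from syslogd@localhost at Fri Aug 8 07:53:59 2003 ...
localhost

Message from syslogd@localhost at Fri Aug 8 07:55:00 2003 ...
localhost

Message from syslogd@localhost at Fri Aug 8 07:56:01 2003 ...
localhost last message repeated 2 times

Message from syslogd@localhost at Fri Aug 8 07:58:00 2003 ...
localhost last message repeated 3 times
"""

HEADER = re.compile(r"^Message from syslogd@(\S+) at (.+?) \.\.\.$")
REPEAT = re.compile(r"last message repeated (\d+) times")


def parse_wall(text):
    """Return a list of (datetime, message_count) tuples, one per burst."""
    bursts = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER.match(line)
        if not m:
            continue
        # ctime-style stamp; the day of month may be space-padded, so collapse spaces.
        stamp = datetime.strptime(" ".join(m.group(2).split()), "%a %b %d %H:%M:%S %Y")
        body = lines[i + 1] if i + 1 < len(lines) else ""
        r = REPEAT.search(body)
        # A body without the 'repeated' suffix is a single message.
        bursts.append((stamp, int(r.group(1)) if r else 1))
    return bursts


def cadence(bursts, slack=2):
    """Gaps in seconds between bursts, and how many stamps fall within `slack`
    seconds of a minute boundary (the signature of a job that fires at :00)."""
    gaps = [int((b[0] - a[0]).total_seconds()) for a, b in zip(bursts, bursts[1:])]
    on_minute = sum(1 for stamp, _ in bursts
                    if stamp.second <= slack or stamp.second >= 60 - slack)
    return gaps, on_minute
```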
 
Old 08-08-2003, 04:25 PM   #6
Jabber63
LQ Newbie
 
Registered: Aug 2003
Posts: 9

Rep: Reputation: 0
Isn't there a firewall on Mandrake 9.1 which you can set up?
 
Old 08-08-2003, 04:41 PM   #7
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Virginia, USA
Distribution: Debian 12
Posts: 8,337

Rep: Reputation: 548Reputation: 548Reputation: 548Reputation: 548Reputation: 548Reputation: 548
The intruder has probably included more than just the geogeek password. You should go on an extermination campaign against geogeek. First try: find / -iname "*geogeek*" and see what turns up.
Similarly, you should learn as much about Kwrited as you can.

After you learn as much as you can about what has been inserted into your system then delete everything suspicious starting with the command:
userdel -r geogeek
If Kwrited is something that you do not use then exterminate it. If you do use it then reinstall it.

Also it is quite possible that someone has sent all of your passwords to a remote location. You should change all of your user names and all passwords and make all of the changes in as short a time interval as possible. If practical you should do the extermination and name changes while not connected to any network.

Last edited by jailbait; 08-08-2003 at 04:46 PM.
 
Old 08-08-2003, 05:36 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
The only piece of real advice is to reformat and reinstall.

Back up any HUMAN READABLE files you want to. No binaries. Then reformat and reinstall. Make sure this time you put in the proper security measures and react on changes. If you think you're not up to securing/hardening your box, post in the Linux - Security forum after you have reinstalled.
 
Old 08-09-2003, 04:17 AM   #9
MasterC
LQ Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu ; CentOS ; Raspbian
Posts: 12,613

Rep: Reputation: 69
Check your logs for info on "geogeek's" IP; you can always report 'em as well. Back up /var if you have questions about that later; it'll likely be where your logs were located. This shouldn't be backed up to be re-inserted, but only for forensics at a later date.

Cool
 
Old 08-09-2003, 05:41 AM   #10
chr15t0
Member
 
Registered: Jun 2002
Location: London
Distribution: Slackware
Posts: 201

Rep: Reputation: 30
It seems rather pointless doing anything until you have set up your firewall/iptables... otherwise your intruder will just come back in. You need to do this in the right order. The first sensible thing would be to unplug your network cable.


christo
 
Old 08-09-2003, 05:47 AM   #11
Muddy
Member
 
Registered: May 2002
Location: Ohio
Distribution: Mandrake 9.2 Custom Kernel & Mythtv!
Posts: 256

Rep: Reputation: 30
Personally I'd back up what you need and wipe that sucker clean. I'd write all zeros to your HD, then reinstall (offline), and after you have it all set up with a firewall in place, put it back online.
 
Old 08-09-2003, 01:10 PM   #12
Strike
Member
 
Registered: Jun 2001
Location: Houston, TX, USA
Distribution: Debian
Posts: 569

Rep: Reputation: 31
Quote:
Originally posted by unSpawn
The only piece of real advice is to reformat and reinstall.

Back up any HUMAN READABLE files you want to. No binaries. Then reformat and reinstall. Make sure this time you put in the proper security measures and react on changes. If you think you're not up to securing/hardening your box, post in the Linux - Security forum after you have reinstalled.
Just thought I'd quote this again so it appeared again. This is the best approach.
 
Old 08-09-2003, 05:14 PM   #13
andrewlkho
Member
 
Registered: Jul 2003
Location: London
Posts: 548

Rep: Reputation: 31
I agree. I would strongly advise you to do a backup of non-binary files [only if you need them], and /var for later examination, and then reinstall. Get all security updates. Don't use the old username/password that you used to. Then connect to the internet ;-0. Absolutely the best advice from unSpawn.
 
Old 08-10-2003, 12:07 PM   #14
asktoby
Member
 
Registered: Jul 2003
Location: Cardiff, England ;)
Distribution: Mandrake 9.1
Posts: 94

Original Poster
Rep: Reputation: 15
Okay I'll take your advice and format the machine. Tsh, just as it was running nicely too!

First I need to get samba going so I can pull my files off (No CD-R, you see...)

Thanks all for the advice.
 
Old 08-13-2003, 01:32 PM   #15
asktoby
Member
 
Registered: Jul 2003
Location: Cardiff, England ;)
Distribution: Mandrake 9.1
Posts: 94

Original Poster
Rep: Reputation: 15
How's this for a plan of action then:
=========================
1-Log in as root. Type:
dd if=/dev/zero of=/dev/hda
(If I understand correctly, this will format my HD and write zeros across it.)

2-Boot machine with the Mandy 9.1 CD inserted - install Mandy, choose "paranoid" when asked about security. (Will this stop p2p apps like gtk-gnutella, and other apps like aMSN, working? Should I choose a lower security level?)

3-Choose a new root username/password.

4-Once Mandy is up and running, immediately run MandrakeUpdate and get all the patches.

5-Relax

Last edited by asktoby; 08-13-2003 at 01:33 PM.
 
  

