LinuxQuestions.org, Linux - Server forum: help determine if I was hacked
(https://www.linuxquestions.org/questions/linux-server-73/help-determine-if-i-was-hacked-664905/)

nephish 08-23-2008 05:09 PM

help determine if I was hacked
 
Hey there all,
I run a data processing station that gets info automatically via email. So I have a user set up, and in my software I have the user log in (Dovecot) and check the email and process anything there. There are actually two users on the system that do this.
Today, both lost permission to check their Maildir.
I can't find anything in the auth log that looks suspicious, or in the .bash_history of either user. Not even the main user of the system.
The way it got fixed was with: sudo chown mailuser /home/mailuser -R

I don't get what could have done this. I have not been running any maintenance or anything else; it has just been happily running along.

Is this a cracker that did something?
Has anyone seen this before?

Thanks for any tips. I wonder if it's OK to breathe now, or if it will happen again.

thanks

amani 08-23-2008 05:16 PM

Run rkhunter

chkrootkit

You will need to check system logs, web logs.

There are tools like snort for the purpose. Why did you not install it?

see a full manual/book
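The log check amani points at, as an added example that is not part of the thread: two POSIX shell functions run over constructed /var/log/auth.log lines (the hostname "mailbox", the user names and the IP addresses in the sample are made up for illustration). On a Debian/Ubuntu box sudo writes the full COMMAND= it ran to auth.log, so a recursive chown or chmod done through sudo by any admin, or a root shell opened with su, leaves a line there; grepping for those before assuming an intruder is the cheap first step.

```sh
#!/bin/sh
# Added example, not from the thread. Triage helpers for /var/log/auth.log.
# Both functions read log lines on stdin, so they work on the live file,
# on rotated copies, or on the constructed sample below:
#   auth_privileged_events < /var/log/auth.log
#   zcat /var/log/auth.log.*.gz | auth_failed_logins_by_ip

# Constructed sample lines (hostname, user names and IPs are invented).
SAMPLE_AUTH_LOG='Aug 23 14:02:11 mailbox sshd[2211]: Accepted publickey for nephish from 10.0.0.5 port 51234 ssh2
Aug 23 14:02:11 mailbox sshd[2211]: pam_unix(sshd:session): session opened for user nephish by (uid=0)
Aug 23 14:03:40 mailbox sudo:  nephish : TTY=pts/0 ; PWD=/home/nephish ; USER=root ; COMMAND=/bin/chown -R root /home/mailuser
Aug 23 14:05:02 mailbox CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 23 15:10:55 mailbox sshd[2401]: Failed password for invalid user admin from 203.0.113.9 port 40210 ssh2
Aug 23 15:10:58 mailbox sshd[2401]: Failed password for invalid user admin from 203.0.113.9 port 40212 ssh2
Aug 23 15:11:02 mailbox su[2450]: pam_unix(su:session): session opened for user root by nephish(uid=1000)
Aug 23 16:00:01 mailbox sshd[2500]: Failed password for nephish from 198.51.100.7 port 22222 ssh2'

# Lines where sudo ran an ownership/permission command, or su opened a root
# session. Cron's own root sessions are deliberately left out: they appear on
# every box and would drown the signal.
auth_privileged_events() {
    grep -E 'sudo: .*COMMAND=[^ ]*/(chown|chmod|chgrp|setfacl)( |$)|su\[[0-9]+\]: .*session opened for user root'
}

# Failed ssh password attempts grouped by source IP, most frequent first.
auth_failed_logins_by_ip() {
    grep -E 'sshd\[[0-9]+\]: Failed password' |
        sed -E 's/.* from ([0-9a-fA-F.:]+) port [0-9]+.*/\1/' |
        sort | uniq -c | sort -rn
}

# Wrappers that run the two checks over the constructed sample.
demo_privileged() { printf '%s\n' "$SAMPLE_AUTH_LOG" | auth_privileged_events; }
demo_failed()     { printf '%s\n' "$SAMPLE_AUTH_LOG" | auth_failed_logins_by_ip; }
```

On the sample, demo_privileged returns the sudo chown line and the su-to-root line; demo_failed shows 203.0.113.9 at the top with two attempts. If a chown on the Maildir was done by hand, the first function is where it will show up; if it does not, the next suspects are cron jobs and the application itself, not the logs.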

nephish 08-23-2008 05:47 PM

Well, I have never heard much about them. I haven't really looked, though. I don't run anything as root, I pay attention to what recommended permissions to set, what services are OK and not OK... just never had any trouble in the past three years. I am kinda new at this, still; I guess this serves as an ample wake-up call.
thanks

unSpawn 08-23-2008 06:28 PM

Sorry for recycling posts, but have a look at my first post here please: http://www.linuxquestions.org/questi...server-664871/

unSpawn 08-23-2008 06:32 PM

Quote:

Originally Posted by amani (Post 3257403)
see a full manual/book

While people should have a basic understanding of what their system comprises, I don't mark (perceived) incidents, possible breaches of security, as something warranting a generic RTF(ine)M type of answer. Next time you or anyone encounters such a thread, if you can't manage to put in a more detailed response, I'd appreciate it if you point to 0) the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/ and 1) the Linux Security forum. TIA

nephish 08-23-2008 06:49 PM

Great response, and great link, unSpawn.
thanks for that.

unSpawn 08-23-2008 07:00 PM

No need to thank me: we're here to help. BTW I saw a move request for this thread to the Linux Security forum so hopefully it'll materialise there RSN.

jschiwal 08-23-2008 09:01 PM

Sometimes things just happen by accident. I don't know which distro you have this running on. Usually the package system has a command that will validate a package. This might help you determine whether files or directories have the wrong permissions.

For an rpm based system you could use: rpm -qf <path/to/file>
to determine which package supplies a file or directory and then
rpm -qV <packagename>
to validate it.

I think that Debian-based systems have a similar command.
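The Debian-side counterpart jschiwal has in mind is debsums (checks installed files against each package's md5sums list) and, on releases with dpkg 1.17 or later, dpkg --verify; dpkg -S /path names the owning package the way rpm -qf does. None of that helps with /home/mailuser, though: nothing under a user's home belongs to a package, so there is no manifest to compare it against. The added example below, written for this page and not taken from the thread, covers that gap for the Maildir case with POSIX shell functions over GNU find: one lists entries whose owner is not the expected mail user or that are group/world-writable (the two things that stop Dovecot reading a Maildir), the other prints an owner/mode baseline you can save and diff against the next time something looks off. The paths and the user name mailuser are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Audits a Maildir tree for wrong
# ownership and for permissions open to group/others.
# Requires GNU find (-printf, -perm /mode), i.e. any ordinary Linux box.
#   audit_maildir /home/mailuser/Maildir mailuser
#   maildir_baseline /home/mailuser/Maildir > /var/lib/maildir-baseline.txt
#   maildir_baseline /home/mailuser/Maildir | diff /var/lib/maildir-baseline.txt -

# Print one line per problem; prints nothing when the tree is clean.
audit_maildir() {
    dir=$1
    owner=$2
    # Entries not owned by the expected user (tab-separated so paths with
    # spaces survive the awk split).
    find "$dir" -xdev -printf '%u\t%p\n' |
        awk -F '\t' -v o="$owner" '$1 != o { print "wrong-owner(" $1 "): " $2 }'
    # Entries writable by group or others: mail dirs should be 0700 and
    # messages 0600, so any of the 022 bits set is a finding.
    find "$dir" -xdev -perm /022 -printf 'writable-by-others(%m): %p\n'
}

# Sorted "owner:group mode path" listing to keep as a baseline for diffing.
maildir_baseline() {
    find "$1" -xdev -printf '%u:%g %m %p\n' | sort
}

# Number of findings; suitable for a cron job that mails you when non-zero.
audit_maildir_count() {
    audit_maildir "$1" "$2" | wc -l | tr -d ' '
}
```

The -xdev stops the walk at mount points so a stray symlink or bind mount under the home directory cannot drag the audit across the whole filesystem. Keeping the baseline outside the user's home (here under /var/lib) matters: if the tree is being tampered with, a baseline stored inside it would be tampered with too.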

amani 08-23-2008 09:57 PM

Quote:

Originally Posted by unSpawn (Post 3257450)
...I'd appreciate it if you point to 0) the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/ and 1) the Linux Security forum. TIA

Yes, that will help. The LQ wiki can be updated with more links too.
http://wiki.linuxquestions.org/wiki/...ecurity_Basics

nephish 08-23-2008 10:05 PM

Little update here, guys.
I am running a Debian system, well, Ubuntu Gutsy. The system has been in place for quite a while, months. This is the first time this has happened.
After I rewrote the permissions on the logs, I have not had a problem, and it has now been a few hours.

So, maybe someone or some script kiddie got in, but they didn't do much if they did, and left no tracks that I can find in any logs.

Thanks for the advice to all; thank God it was OK this time.

I just put in an order at Amazon.com; I would feel even more like an idiot next time.

sk

unSpawn 08-24-2008 08:01 AM

Quote:

Originally Posted by jschiwal (Post 3257524)
Sometimes things just happen by accident.

In terms of perception and how to act on things I agree with that. Kinda Hanlon's razor thing, right?


Quote:

Originally Posted by amani (Post 3257553)
The LQ wiki can be updated with more links too.

Good you mentioned that. If you would be willing to help out with that Wiki page that would be most welcome...


Quote:

Originally Posted by nephish (Post 3257557)
So, maybe someone or some script-kiddie got in, but they didn't do much if they did, and left no tracks that i can find in any logs.

Personally I don't like "maybe" and then leave things dangling. There either was or there was no breach. You trust the machine's integrity completely or you don't. So, if you would like us to provide a second opinion then posting a more detailed account of what you checked would be a nice start...

nephish 08-24-2008 11:00 AM

Hey,
read up on and installed rkhunter. After its update and run, everything looked good. I don't sleep well with something like this dangling either.

Thanks to all.
