help determine if I was hacked
Hey there all,
I run a data processing station that gets info automatically via email. So I have a user set up, and in my software I have the user log in (dovecot), check the email and process anything there. There are actually two users on the system that do this. Today, both lost permission to check their Maildir. I can't find anything in the auth log that looks suspicious, or in the .bash_history of either user. Not even the main user of the system. The way it got fixed was with a sudo chown mailuser /home/mailuser -R. I don't get what could have done this. I have not been running any maintenance or anything else; it has just been happily running along. Is this a cracker that did something? Has anyone seen this before? Thanks for any tips. I wonder if it's OK to breathe now, or if it will happen again. Thanks
Run rkhunter and chkrootkit. You will need to check system logs and web logs. There are tools like snort for the purpose. Why did you not install it? See a full manual/book.
Well, I have never heard much about them. I haven't really looked, though. I don't run anything as root, I pay attention to what permissions are recommended to set, what services are OK and not OK... just never had any trouble in the past three years. I am kinda new at this, still; I guess this serves as an ample wake-up call.
Thanks
Sorry for recycling posts, but have a look at my first post here please: http://www.linuxquestions.org/questi...server-664871/
Great response, and great link, unSpawn.
Thanks for that.
No need to thank me: we're here to help. BTW I saw a move request for this thread to the Linux Security forum so hopefully it'll materialise there RSN.
Sometimes things just happen by accident. I don't know which distro you have this running on. Usually the package system has a command that will validate a package. This might help you determine whether files or directories have the wrong permissions.
For an rpm based system you could use: rpm -qf <path/to/file> to determine which package supplies a file or directory, and then rpm -qV <packagename> to validate it. I think that debian based systems have a similar command.
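The reply above points at package verification, and the original problem was ownership of a Maildir that silently changed. The script below is an added example, not code from anyone in this thread: it audits a Maildir for files not owned by the expected user, and dates the change by looking at inode change time (ctime), which chown and chmod update, so you can line the timestamp up with auth.log and syslog entries. It assumes GNU find (Linux), builds a throw-away sample Maildir itself, and mentions debsums as the Debian/Ubuntu counterpart of rpm -V (that name is from my own knowledge, not from the thread).

```shell
#!/bin/sh
# Added example (not from the thread): audit Maildir ownership and date the change.
# Assumes GNU find (Linux). The Maildir built below is a constructed sample.

# Print every path under $1 not owned by user $2; return 1 if any are found.
check_maildir_owner() {
    dir=$1; expected=$2
    bad=$(find "$dir" -printf '%u\t%p\n' | awk -F'\t' -v u="$expected" '$1 != u {print $2}')
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# List regular files under $1 whose inode changed in the last $2 minutes.
# chown/chmod bump ctime without touching mtime, so this is the timestamp
# to correlate with the logs when you do not know when permissions changed.
recently_changed() {
    find "$1" -cmin "-$2" -type f
}

# Build a minimal Maildir (cur/new/tmp) with one message to check against.
make_sample_maildir() {
    base=$(mktemp -d)
    mkdir -p "$base/Maildir/cur" "$base/Maildir/new" "$base/Maildir/tmp"
    printf 'Subject: sample\n\nconstructed test message\n' > "$base/Maildir/new/1.sample"
    printf '%s' "$base"
}

# debsums is the Debian/Ubuntu counterpart of rpm -V (file checksum verification).
# Only its presence is reported here, since a real run needs the package database.
has_debsums() { command -v debsums >/dev/null 2>&1; }

main() {
    base=$(make_sample_maildir)
    me=$(id -un)
    echo "Checking ownership under $base/Maildir against user $me"
    check_maildir_owner "$base/Maildir" "$me" && echo "ownership OK"
    echo "Files whose ctime changed in the last 10 minutes:"
    recently_changed "$base/Maildir" 10
    if has_debsums; then
        echo "debsums is installed: 'debsums -c' lists package files whose checksum changed"
    else
        echo "debsums not installed (apt-get install debsums to verify package files)"
    fi
    rm -rf "$base"
}

main
```

On the real box you would run check_maildir_owner /home/mailuser/Maildir mailuser and recently_changed /home/mailuser 1440 (the last day) to get the minute the ownership flipped, then grep auth.log and syslog around that time.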
Quote:
http://wiki.linuxquestions.org/wiki/...ecurity_Basics
Little update here, guys.
I am running a debian system, well, ubuntu Gutsy. The system has been in place for quite a while, months. This is the first time this has happened. After I rewrote the permissions on the logs, I have not had a problem, and it has now been a few hours. So, maybe someone or some script-kiddie got in, but they didn't do much if they did, and left no tracks that I can find in any logs. Thanks for the advice to all. Thank God it was OK this time. I just put in an order at Amazon.com; I would feel even more like an idiot next time. sk
Hey,
I read up on and installed rkhunter. After its update and run, everything looked good. I don't sleep well with something like this dangling either. Thanks to all.