LinuxQuestions.org
Old 10-08-2003, 07:49 AM   #1
smc_one
LQ Newbie
 
Registered: Jul 2003
Posts: 11

Rep: Reputation: 0
Port monitor program?


Ahh! I've been hacked somehow .. And I want to catch them if they try it again.

Is there a program that will monitor ports on an ethernet card and log access attempts to the ports? I know there is such a beast - just don't know the name of it..
 
Old 10-08-2003, 08:08 AM   #2
fsbooks
Member
 
Registered: Jan 2002
Location: Missoula. Montana, USA
Distribution: Slackware (various)
Posts: 464

Rep: Reputation: 52
portsentry. It was written and released by psionic and used to be maintained and updated on their site, although psionic has since been bought by CISCO and they no longer provide it. A google search should be productive though if no one posts a direct link somewhere.
 
Old 10-08-2003, 08:09 AM   #3
fsbooks
Member
 
Registered: Jan 2002
Location: Missoula. Montana, USA
Distribution: Slackware (various)
Posts: 464

Rep: Reputation: 52
BTW, how do you know you've been hacked and what have you done to clean up the mess?
 
Old 10-08-2003, 08:49 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Ahh! I've been hacked somehow .. And I want to catch them if they try it again.
You should not consider that a game to play unless you know you won't be a threat to other boxen on the LAN/internet (and since you got your box compromised, and this maybe sounds harsh, I'd say: it's a game WAY out of your league). Instead perform the three R's: repartition, reformat and re-install from scratch to get your box back to a trusted state. If you don't know how, see the Linux - Security forum's thread "FAQ: Security references" for more info or post in the Linux - Security forum.


IMNSHO you shouldn't use Portsentry or rely on it too much: all it does is react to packets tripping a port.

Need a stupid example? Say you configured Portsentry for tripping on port UDP/31337. Hell yeah, it'd trip each time someone tries the port, but what does this tell you? Zilch. Zilch. Zilch. (Besides that it would be a sad thing to do as BO server doesn't run on Linux.)
Now if you had something that scrubs packets, like Snort does, then you'd have a rule something like this: "alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice access"; content: "|ce63 d1d2 16e7 13cf 39a5 a586|";)", which would only react to packets having a specific payload that correlates it with BO usage. See the difference?

From the Linux - Security forum's thread "FAQ: Security references": for more info see "Snort and PortSentry compared": http://www.linux.ie/articles/portsen...rtcompared.php
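
The contrast drawn in the post above, as an added example (not part of the original thread, and not Snort's or Portsentry's own code): a port-only trip check beside a payload match driven by the rule quoted in the post. The parser handles only the subset of rule syntax that rule uses, the function names are hypothetical, and the sample packets are constructed.

```python
import re
from dataclasses import dataclass

# The rule exactly as quoted in the post.
RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET 31337 '
        '(msg:"BACKDOOR BackOrifice access"; '
        'content: "|ce63 d1d2 16e7 13cf 39a5 a586|";)')

@dataclass
class Rule:
    proto: str
    dst_port: int
    msg: str
    content: bytes

def decode_content(spec):
    """Decode content syntax: |..| spans are hex bytes, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        # odd chunks sit between pipes (hex); even chunks are literal text
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_rule(text):
    """Parse the header and the quoted msg/content options of one rule."""
    header, options = text.split("(", 1)
    _action, proto, _src, _sport, _arrow, _dst, dport = header.split()
    opts = dict(re.findall(r'(\w+)\s*:\s*"([^"]*)"\s*;', options))
    return Rule(proto, int(dport), opts["msg"], decode_content(opts["content"]))

def port_trip(rule, proto, dst_port, payload):
    """Port-trip style: any packet to the port fires; payload is ignored."""
    return proto == rule.proto and dst_port == rule.dst_port

def content_match(rule, proto, dst_port, payload):
    """Signature style: port must match and payload must contain the bytes."""
    return port_trip(rule, proto, dst_port, payload) and rule.content in payload

def evaluate(packets, rule):
    """Return (port_trip, content_match) for each (proto, port, payload)."""
    return [(port_trip(rule, *p), content_match(rule, *p)) for p in packets]

# Constructed sample packets: (proto, dst_port, payload)
SIG = bytes.fromhex("ce63d1d216e713cf39a5a586")
PACKETS = [("udp", 31337, b""), ("udp", 31337, b"hello"),
           ("udp", 31337, SIG + b"\x00\x01"), ("udp", 53, SIG)]

if __name__ == "__main__":
    for pkt, (trip, hit) in zip(PACKETS, evaluate(PACKETS, parse_rule(RULE))):
        print(pkt[:2], "port-trip:", trip, "content-match:", hit)
```

The first three packets all trip the port check, but only the one carrying the rule's byte sequence produces a content alert.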
 
Old 10-08-2003, 08:58 AM   #5
smc_one
LQ Newbie
 
Registered: Jul 2003
Posts: 11

Original Poster
Rep: Reputation: 0
I actually think I stumbled on the person doing their dirty work - noticed my root .bash_history was more recent than when I had last logged in - and lo and behold somehow they had managed to download some type of binaries and install (emerge?) -- it would not have been so obvious except the hacker used login of "lucyfer" and other satanic wording for the names of the programs...

As unSpawn pointed out - I did not know what was done or how it was going to do what - so I just disconnected the box from the network, reformatted and re-installed rh9 from scratch...

It was my fault - I had the DMZ on my NAT set to the box and forgot to disable it - so I know I was open to port attacks - how on earth someone was able to find out my root login just from open ports, I don't know...
 
Old 10-08-2003, 09:43 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
it would not have been so obvious except the hacker used login of "lucyfer" and other satanic wording for the names of the programs

Any apps added you can remember the names for?
Or did you save /etc and your /var/log?
 
  

