Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Been hacked! (NOT confirmed) SOLVED
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Btoo
n00b
n00b


Joined: 24 Sep 2008
Posts: 33
Location: An isolated island

PostPosted: Wed Sep 14, 2011 2:53 pm    Post subject: Been hacked! (NOT confirmed) SOLVED Reply with quote

:oops:
When I got up this morning I checked my system which is a Gentoo x86 hardened router running Arno's Iptables script with an IpSec Vpn and ssh being the only ports open. What I found was these files changed:

Modified:
"/lib/rc/cache/softlevel"
"/lib/rc/console"
"/lib/rc/console/default8x16.psfu.gz"
"/lib/rc/console/font"
"/lib/rc/console/keymap"

I also have a dead.letter file change and need to read that, will post back.

The softlevel file was changed to "shutdown". My question would be could I have triggered something like this, which I doubt or what? Could it be that a reboot caused the file changes? I have emerged a couple of programs without a reboot...Also, I was having issues with the system yesterday which seemed to be DNS related, slow or lost connections, intermittently happening (why I rebooted the system).
The firewall was set up to stop brute force attacks, but I did have a non-privileged user with ssh password access on a non-standard port.

Any help or insight would be appreciated!!


Last edited by Btoo on Wed Sep 14, 2011 8:41 pm; edited 1 time in total
Back to top
View user's profile Send private message
chiefbag
Guru
Guru


Joined: 01 Oct 2010
Posts: 542
Location: The Kingdom

PostPosted: Wed Sep 14, 2011 3:17 pm    Post subject: Reply with quote

Check your logs for signs of entry from ssh for a start.

Code:
cat /var/log/messages | grep "Accepted"
Back to top
View user's profile Send private message
mikegpitt
Advocate
Advocate


Joined: 22 May 2004
Posts: 3224

PostPosted: Wed Sep 14, 2011 3:20 pm    Post subject: Reply with quote

I believe all the files you mentioned are re-created upon a fresh boot, so IMHO changes to those files alone wouldn't signify a compromised system.

If you believe your system is compromised, I would re-emerge rkhunter, and run it to check for any rootkits. I would also look through your last logs and /var/log/messages to see if there is anything abnormal in there. If an attacker compromised your system, the logs could have been tampered with... but a lot of attacks are automated and unsophisticated, meaning they have no care to cover their tracks.

Another thing you could do if you are still unconvinced is to re-emerge tcpdump, and run it for a while to see if there are is any unusual network activity (preferably during a time when you aren't really using the network, so you can sort through the logs easier).
Back to top
View user's profile Send private message
Btoo
n00b
n00b


Joined: 24 Sep 2008
Posts: 33
Location: An isolated island

PostPosted: Wed Sep 14, 2011 8:40 pm    Post subject: Reply with quote

Thanks for the replies,
I checked the logs and they were clean, never even pinged from the same address twice. I checked the filesystem with rkhunter and the system was good. The dead.letter was simply updated with new log data that I have written to it from Psad. I need to read up on rc as I have never paid much attention to it, therefore my miss-understanding of what is going on there.

Thanks again!
Back to top
View user's profile Send private message
jowr
n00b
n00b


Joined: 27 Dec 2008
Posts: 52

PostPosted: Thu Sep 15, 2011 6:52 am    Post subject: Reply with quote

If nothing else, configure your cron daemon correctly so it doesn't crap cron output into dead.letter.

That you don't know what dead.letter is, but were worried about being hacked without even examining file contents, concerns me slightly.
Back to top
View user's profile Send private message
chiefbag
Guru
Guru


Joined: 01 Oct 2010
Posts: 542
Location: The Kingdom

PostPosted: Thu Sep 15, 2011 8:07 am    Post subject: Reply with quote

If you put the following at the top of your crontab it should prevent it outputting to mail.

Code:
MAILTO=""
Back to top
View user's profile Send private message
Btoo
n00b
n00b


Joined: 24 Sep 2008
Posts: 33
Location: An isolated island

PostPosted: Thu Sep 15, 2011 1:57 pm    Post subject: Reply with quote

Thanks for the input, but I do know what dead.letter is. Cron is not involved, the dead.letter change was added by net-firewall/psad. Possibly the DNS/connectivity issues I was having caused a low level alert to be posted in dead.letter. I will have to look at that again to see.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum