  1. #1
    Just Joined!
    Join Date
    Apr 2007
    Posts
    13

    I think somebody cracked my box

    For some odd reason I get ssh entries in /tmp although I don't use ssh. I found a ssh folder in my /tmp that contains a socket called agent.2983. And once in a while I get unexplained disk activity although I'm not opening any page at the moment. Am I just paranoid or did someone really break into my system?
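
    The socket the question describes, /tmp/ssh-.../agent.NNNN, follows the naming pattern ssh-agent uses for the agent it starts for a login session. The script below is an added example, not from the thread or any of its posters, that uses only /proc to show which user and which process hold every such socket, so its origin can be verified rather than guessed (run as root to see other users' processes):

```shell
#!/bin/sh
# Added example (not from the thread): find out which process and user own a
# unix socket such as /tmp/ssh-XXXXXXXX/agent.2983, using only /proc.
# ssh-agent creates sockets with exactly that naming pattern, so the
# expected holder for a desktop login is an ssh-agent running as you.

# Print the inode number of the bound unix socket whose path is $2, read
# from a table in /proc/net/unix format at $1 (default: /proc/net/unix).
unix_socket_inode() {
    table=${1:-/proc/net/unix}
    # Columns: Num RefCount Protocol Flags Type St Inode Path
    awk -v p="$2" '$8 == p { print $7; exit }' "$table"
}

# Print the PIDs holding an open descriptor to the socket with inode $1,
# by matching the "socket:[INODE]" targets of every /proc/PID/fd link.
pids_holding_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
    done | sort -un
}

# Report each agent socket under /tmp: file owner, holder PIDs and the
# holder's command line, so an unexpected holder stands out.
audit_agent_sockets() {
    for sock in /tmp/ssh-*/agent.*; do
        [ -S "$sock" ] || continue
        inode=$(unix_socket_inode /proc/net/unix "$sock")
        echo "$sock owner=$(stat -c %U "$sock") inode=${inode:-?}"
        [ -n "$inode" ] || continue
        for pid in $(pids_holding_inode "$inode"); do
            echo "  held by pid $pid: $(tr '\0' ' ' < "/proc/$pid/cmdline")"
        done
    done
}

audit_agent_sockets
```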

  2. #2
    Linux Guru
    Join Date
    Nov 2004
    Posts
    6,110
    Run the following in a terminal and post back
    Code:
    sudo grep -ir breakin /var/log/*
    sudo grep -ir attempt /var/log/*
    If you get any unexpected activity on your machine, open a terminal and run who to see who is connected to your PC.

    As a general precaution I would consider running a rootkit check such as rkhunter. Also either disable your ssh service or shift it to a higher port number to prevent scans detecting you.

    One last thing - if you are behind a router and have not specifically forwarded port 22 to your machine then there is a low chance that anyone outside of your LAN has connected.
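
    Grepping every log for loose words such as "breakin" mostly returns the grep command's own sudo entries, as the next post shows; sshd writes its own Accepted and Failed lines to auth.log. The script below is an added example, not from the thread, that summarises those lines per user and source address; it is run here over constructed sample lines (the hostnames and addresses are made up):

```shell
#!/bin/sh
# Added example (not from the thread): summarise sshd authentication events
# in /var/log/auth.log instead of grepping for loose words like "breakin".

# Constructed sample in the Debian auth.log format; hosts and addresses are
# made up for the example. Use: ssh_auth_summary < /var/log/auth.log
SAMPLE_AUTH_LOG='Jun 23 02:11:40 kanta sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 4122 ssh2
Jun 23 02:11:44 kanta sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 4122 ssh2
Jun 23 02:12:01 kanta sshd[4013]: Failed password for root from 203.0.113.7 port 4130 ssh2
Jun 23 09:30:12 kanta sshd[4200]: Accepted publickey for burble from 192.168.1.20 port 51022 ssh2
Jun 23 13:04:47 kanta sudo: root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/grep -ir breakin /var/log/auth.log'

# Read auth.log lines on stdin; print "COUNT RESULT USER SOURCE" for each
# (result, user, source) triple, most frequent first. Only sshd's own
# "Accepted ..." and "Failed ..." lines count; sudo, cron etc. are ignored.
ssh_auth_summary() {
    awk '
        $5 ~ /^sshd\[[0-9]+\]:$/ && ($6 == "Accepted" || $6 == "Failed") {
            for (i = 6; i <= NF; i++) if ($i == "from") f = i
            if (!f) next
            user = $(f - 1)
            # "for invalid user NAME from": mark names that do not exist
            if ($(f - 2) == "user" && $(f - 3) == "invalid") user = "invalid:" user
            n[$6 " " user " " $(f + 1)]++
            f = 0
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Read auth.log lines on stdin; print each source address with at least $1
# failed logins in total, whatever user names it tried.
ssh_failed_sources() {
    ssh_auth_summary | awk -v min="${1:-1}" '
        $2 == "Failed" { fails[$4] += $1 }
        END { for (ip in fails) if (fails[ip] >= min) print ip }
    '
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_auth_summary
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_failed_sources 3
```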

  3. #3
    Just Joined!
    Join Date
    Apr 2007
    Posts
    13
    Ok, here are the results:
    kanta:~# sudo grep -ir breakin /var/log/*

    /var/log/auth.log:Jun 23 13:04:47 kanta sudo: root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/grep -ir breakin /var/log/acpid /var/log/aptitude /var/log/auth.log /var/log/auth.log.0 /var/log/bittorrent /var/log/boot /var/log/btmp /var/log/cups /var/log/daemon.log /var/log/daemon.log.0 /var/log/debug /var/log/debug.0 /var/log/dirmngr.log /var/log/dmesg /var/log/dmesg.0 /var/log/dmesg.1.gz /var/log/dmesg.2.gz /var/log/dmesg.3.gz /var/log/dmesg.4.gz /var/log/dpkg.log /var/log/exim4 /var/log/faillog /var/log/fontconfig.log /var/log/fsck /var/log/gdm /var/log/installer /var/log/kern.log /var/log/kern.log.0 /var/log/lastlog /var/log/lpr.log /var/log/mail.err /var/log/mail.info /var/log/mail.log /var/log/mail.warn /var/log/messages /var/log/messages.0 /var/log/news /var/log/pycentral.log /var/log/scrollkeeper.log /var/log/syslog /var/log/syslog.0 /var/log/syslog.1.gz /var/log/user.log /var/log/user.log.0 /var/log/uucp.log /var/log/wtmp /var/log/Xorg.0.log /var/log/Xorg.0.log.old
    /var/log/auth.log:Jun 23 13:07:25 kanta sudo: root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/grep -ir breakin /var/log/acpid /var/log/aptitude /var/log/auth.log /var/log/auth.log.0 /var/log/bittorrent /var/log/boot /var/log/btmp /var/log/cups /var/log/daemon.log /var/log/daemon.log.0 /var/log/debug /var/log/debug.0 /var/log/dirmngr.log /var/log/dmesg /var/log/dmesg.0 /var/log/dmesg.1.gz /var/log/dmesg.2.gz /var/log/dmesg.3.gz /var/log/dmesg.4.gz /var/log/dpkg.log /var/log/exim4 /var/log/faillog /var/log/fontconfig.log /var/log/fsck /var/log/gdm /var/log/installer /var/log/kern.log /var/log/kern.log.0 /var/log/lastlog /var/log/lpr.log /var/log/mail.err /var/log/mail.info /var/log/mail.log /var/log/mail.warn /var/log/messages /var/log/messages.0 /var/log/news /var/log/pycentral.log /var/log/scrollkeeper.log /var/log/syslog /var/log/syslog.0 /var/log/syslog.1.gz /var/log/user.log /var/log/user.log.0 /var/log/uucp.log /var/log/wtmp /var/log/Xorg.0.log /var/log/Xorg.0.log.old
    kanta:~#

    and for attempt:

    /var/log/auth.log:Jun 23 13:06:07 kanta sudo: root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/grep -ir attempt /var/log/acpid /var/log/aptitude /var/log/auth.log /var/log/auth.log.0 /var/log/bittorrent /var/log/boot /var/log/btmp /var/log/cups /var/log/daemon.log /var/log/daemon.log.0 /var/log/debug /var/log/debug.0 /var/log/dirmngr.log /var/log/dmesg /var/log/dmesg.0 /var/log/dmesg.1.gz /var/log/dmesg.2.gz /var/log/dmesg.3.gz /var/log/dmesg.4.gz /var/log/dpkg.log /var/log/exim4 /var/log/faillog /var/log/fontconfig.log /var/log/fsck /var/log/gdm /var/log/installer /var/log/kern.log /var/log/kern.log.0 /var/log/lastlog /var/log/lpr.log /var/log/mail.err /var/log/mail.info /var/log/mail.log /var/log/mail.warn /var/log/messages /var/log/messages.0 /var/log/news /var/log/pycentral.log /var/log/scrollkeeper.log /var/log/syslog /var/log/syslog.0 /var/log/syslog.1.gz /var/log/user.log /var/log/user.log.0 /var/log/uucp.log /var/log/wtmp /var/log/Xorg.0.log /var/log/Xorg.0.log.old
    /var/log/auth.log:Jun 23 13:10:07 kanta sudo: root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/grep -ir attempt /var/log/acpid /var/log/aptitude /var/log/auth.log /var/log/auth.log.0 /var/log/bittorrent /var/log/boot /var/log/btmp /var/log/cups /var/log/daemon.log /var/log/daemon.log.0 /var/log/debug /var/log/debug.0 /var/log/dirmngr.log /var/log/dmesg /var/log/dmesg.0 /var/log/dmesg.1.gz /var/log/dmesg.2.gz /var/log/dmesg.3.gz /var/log/dmesg.4.gz /var/log/dpkg.log /var/log/exim4 /var/log/faillog /var/log/fontconfig.log /var/log/fsck /var/log/gdm /var/log/installer /var/log/kern.log /var/log/kern.log.0 /var/log/lastlog /var/log/lpr.log /var/log/mail.err /var/log/mail.info /var/log/mail.log /var/log/mail.warn /var/log/messages /var/log/messages.0 /var/log/news /var/log/pycentral.log /var/log/scrollkeeper.log /var/log/syslog /var/log/syslog.0 /var/log/syslog.1.gz /var/log/user.log /var/log/user.log.0 /var/log/uucp.log /var/log/wtmp /var/log/Xorg.0.log /var/log/Xorg.0.log.old
    /var/log/auth.log:Jun 23 13:11:05 kanta sudo: root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/grep -ir attempt /var/log/acpid /var/log/aptitude /var/log/auth.log /var/log/auth.log.0 /var/log/bittorrent /var/log/boot /var/log/btmp /var/log/cups /var/log/daemon.log /var/log/daemon.log.0 /var/log/debug /var/log/debug.0 /var/log/dirmngr.log /var/log/dmesg /var/log/dmesg.0 /var/log/dmesg.1.gz /var/log/dmesg.2.gz /var/log/dmesg.3.gz /var/log/dmesg.4.gz /var/log/dpkg.log /var/log/exim4 /var/log/faillog /var/log/fontconfig.log /var/log/fsck /var/log/gdm /var/log/installer /var/log/kern.log /var/log/kern.log.0 /var/log/lastlog /var/log/lpr.log /var/log/mail.err /var/log/mail.info /var/log/mail.log /var/log/mail.warn /var/log/messages /var/log/messages.0 /var/log/news /var/log/pycentral.log /var/log/scrollkeeper.log /var/log/syslog /var/log/syslog.0 /var/log/syslog.1.gz /var/log/user.log /var/log/user.log.0 /var/log/uucp.log /var/log/wtmp /var/log/Xorg.0.log /var/log/Xorg.0.log.old
    /var/log/daemon.log:Jun 23 13:00:09 kanta hald[2673]: forcibly attempting to lazy unmount /dev/sda1 as enclosing drive was disconnected
    /var/log/dmesg:Attempting manual resume
    /var/log/dmesg.0:Attempting manual resume
    /var/log/installer/status: Don't attempt to install this package, it has no support for a couple of
    /var/log/installer/status: Don't attempt to install this package, it has no support for a couple of
    /var/log/installer/status: Don't attempt to install this package, it has no support for a couple of
    /var/log/installer/cdebconf/templates.dat:Extended_description: An attempt to configure apt to install additional packages from the CD failed.
    /var/log/installer/cdebconf/templates.dat:Extended_description: If true, attempt a fully automatic install
    /var/log/installer/cdebconf/templates.dat:Extended_description: Networking can either be configured by DHCP or by manually entering all the information. If you choose to use DHCP and the installer is unable to get a working configuration from a DHCP server on your network, you will be given the opportunity to configure your network manually after the attempt to configure it by DHCP.
    /var/log/installer/cdebconf/templates.dat:Extended_description: Attempting to find an available wireless network failed.\n\n${iface} is a wireless network interface. Please enter the name (the ESSID) of the wireless network you would like ${iface} to use. To skip wireless configuration and continue, leave this field blank.
    /var/log/installer/cdebconf/templates.dat:Extended_description: Some variables need to be set in the Netwinder NeTTrom firmware in order for your system to boot linux automatically. At the end of this installation stage, the system will reboot, and the firmware will attempt to autoboot. You can abort this by pressing any key. You will then be dropped into the NeTTrom command system where you have to execute the following commands:\n\n setenv kernconfig fs\n setenv kerndev ${KERNDEV}\n setenv kernfile ${KERNFILE}\n setenv rootdev ${ROOTDEV}\n setenv cmdappend ${CMDAPPEND}\n save-all\n\nYou will only need to do this once. Afterwards, enter the "boot" command or reboot the system to proceed to your newly installed system.
    /var/log/installer/cdebconf/templates.dat:Extended_description: The attempt to mount a file system with type ${TYPE} in ${DEVICE} at ${MOUNTPOINT} failed.\n\nYou may resume partitioning from the partitioning menu.
    /var/log/installer/syslog:Jun 22 19:00:28 kernel: attempt to access beyond end of device
    /var/log/installer/syslog:Jun 22 19:00:28 kernel: attempt to access beyond end of device
    /var/log/installer/syslog:Jun 22 19:00:28 kernel: attempt to access beyond end of device
    /var/log/installer/syslog:Jun 22 19:00:28 kernel: attempt to access beyond end of device
    /var/log/installer/syslog:Jun 22 19:00:28 kernel: attempt to access beyond end of device
    /var/log/installer/syslog:Jun 22 19:00:28 kernel: attempt to access beyond end of device
    /var/log/installer/syslog:Jun 22 19:00:28 kernel: attempt to access beyond end of device
    /var/log/installer/syslog:Jun 22 19:00:28 kernel: attempt to access beyond end of device
    /var/log/installer/syslog:Jun 22 19:18:21 kernel: attempt to access beyond end of device
    /var/log/installer/syslog:Jun 22 19:18:21 kernel: attempt to access beyond end of device
    /var/log/installer/syslog:Jun 22 19:18:21 kernel: attempt to access beyond end of device
    /var/log/installer/syslog:Jun 22 19:18:21 kernel: attempt to access beyond end of device
    /var/log/installer/syslog:Jun 22 19:18:21 kernel: attempt to access beyond end of device
    /var/log/installer/syslog:Jun 22 19:18:21 kernel: attempt to access beyond end of device
    /var/log/installer/syslog:Jun 22 19:18:21 kernel: attempt to access beyond end of device
    /var/log/installer/syslog:Jun 22 19:18:21 kernel: attempt to access beyond end of device
    /var/log/kern.log:Jun 23 09:36:24 kanta kernel: Attempting manual resume
    /var/log/kern.log:Jun 23 10:50:53 kanta kernel: Attempting manual resume
    /var/log/kern.log:Jun 23 11:17:15 kanta kernel: Attempting manual resume
    /var/log/kern.log:Jun 23 12:27:19 kanta kernel: Attempting manual resume
    /var/log/kern.log:Jun 23 12:38:42 kanta kernel: attempt to access beyond end of device
    /var/log/kern.log:Jun 23 12:38:42 kanta kernel: attempt to access beyond end of device
    /var/log/kern.log:Jun 23 12:38:42 kanta kernel: attempt to access beyond end of device
    /var/log/kern.log:Jun 23 12:38:42 kanta kernel: attempt to access beyond end of device
    /var/log/kern.log:Jun 23 12:38:42 kanta kernel: attempt to access beyond end of device
    /var/log/kern.log:Jun 23 12:38:42 kanta kernel: attempt to access beyond end of device
    /var/log/kern.log:Jun 23 12:38:42 kanta kernel: attempt to access beyond end of device
    /var/log/kern.log:Jun 23 12:38:42 kanta kernel: attempt to access beyond end of device
    /var/log/kern.log:Jun 23 12:38:42 kanta kernel: attempt to access beyond end of device
    /var/log/kern.log:Jun 23 12:38:42 kanta kernel: attempt to access beyond end of device
    /var/log/kern.log:Jun 23 12:38:42 kanta kernel: attempt to access beyond end of device
    /var/log/kern.log:Jun 23 12:38:42 kanta kernel: attempt to access beyond end of device
    /var/log/kern.log:Jun 23 12:38:42 kanta kernel: attempt to access beyond end of device
    /var/log/kern.log:Jun 23 12:38:42 kanta kernel: attempt to access beyond end of device
    /var/log/kern.log:Jun 23 12:38:42 kanta kernel: attempt to access beyond end of device
    /var/log/kern.log:Jun 23 12:38:42 kanta kernel: attempt to access beyond end of device

    etc.

    How do I disable SSH? I've enabled ALL: PARANOID in /etc/hosts.deny, but it seems it doesn't do any good.

  4. #4
    Linux Guru
    Join Date
    Nov 2004
    Posts
    6,110
    It all looks good there. You can remove it by just removing the daemon
    Code:
    sudo apt-get remove ssh
    Or just to disable the service
    Code:
    update-rc.d -f ssh remove
    Personally I would recommend just switching the port to a different number. Scripts will be less likely to find the port and anyone that cracked you before won't know the new port. Edit your /etc/ssh/sshd_config and change the port to say port 12345 (for example) and restart ssh. I guarantee you won't have any more people knocking on your door.

  5. #5
    Linux Guru (anomie)
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Quote Originally Posted by Burble
    For some odd reason I get ssh entries in /tmp although I don't use ssh.
    If you do not ssh in to the box ever, then shut off sshd.

    A quick google came up with this documentation from debian:
    Securing Debian Manual - Before and during the installation

    See section 3.6.1.

  6. #6
    Just Joined!
    Join Date
    Apr 2007
    Posts
    13
    *Whew*. Thanks guys, I was worried for a moment. Thanks for the help and links to documentation.
