- 04-30-2005 #1 Just Joined!
- Join Date
- Apr 2005
- Posts
- 7
compromised
When a file shows an 'accessed' time at some time when I'm not around - that means something is not ok, right? (SuSE 9.2 Konqueror)
5 files all show access time of 7:02pm. None of which I have touched since noon that day. Room is locked, and screensaver locked session.
SuSE 9.2, updated as far as that SuSE YaST Online tells me that it is.
Installed nothing apart from what came on the distro DVD. (It's got everything I needed.)
Runlevel has:
xdm, syslog, SuSEfirewall, splash early, splash, smpppd, running-kernel, resmgr, random, portmap, nscd, nfs (but not configured & not used), network, kbd, hwscan, fbset, cups, cron.
I followed the simple rules: install nothing, disable listening services, run the online update frequently.
Well, I wasn't watching the Compromised News Network and patching religiously as per SuSE alerts. But I assumed the SuSE Online Update thing was a within-next-couple-of-days butler service.
This box survived less than 1 month? Isn't that below average? (But I'm new to this badge vs hack game.)
Yes, I already know I need to win the lottery and hire a security team to monitor my home boxes.
Any suggestions as to where the entry point is? From what little I know about Linux, the only listening service up there in that list is the DNS cache - nscd.
Any suggestions for a locked-down distro - free ones, that is?
- 04-30-2005 #2 Linux Guru
- Join Date
- Apr 2003
- Location
- London, UK
- Posts
- 3,284
A changed file accessed time is NOT any indication whatsoever that you have been hacked. What file was it? Were there any cron jobs running that read the file? Any running programs that may have accessed it? ...
- 04-30-2005 #3 Just Joined!
- Join Date
- Apr 2005
- Posts
- 7
Hi,
The file was a PDF document downloaded around noon time - which I did not read or touch.
No scheduled jobs were ever done - clean machine.
Among the other files accessed was a bookmark file in which I wrote down which chapter I was reading in several books. The info is dated and I did not ever open it after initial create.
What could modify a file's accessed time? Other than a read?
- 04-30-2005 #4 Linux Engineer
- Join Date
- Sep 2003
- Location
- Knoxhell, TN
- Posts
- 1,078
touch(1) can change a file's mtime... some bg proc accessing it can change the mtime, etc.
Their code will be beautiful, even if their desks are buried in 3 feet of crap. - esr
- 04-30-2005 #5 Just Joined!
- Join Date
- Apr 2005
- Posts
- 7
I don't understand what 'some big proc' means? What process are you thinking of? Or did you mean buggy process?
Reason my spidey senses tingled is because my win2k box rebooted itself and after that, my account is denied logon. So .... I check my other boxes for signs.
- 04-30-2005 #6 Just Joined!
- Join Date
- Apr 2005
- Posts
- 7
But since this is not a Windows forum, I didn't want to mention that here.
- 05-01-2005 #7 Just Joined!
- Join Date
- Apr 2005
- Posts
- 7
Hi lordnothing,
Ok. Now I know what bg is. Which goes to show that I didn't even know how to suspend a job before, ruling out the bg as a cause. I didn't use touch either. So that eliminates two probable causes. No cron jobs here either.
Anyone care to give me more causes as to why the access time stamps are modified?
If the access time stamp does not indicate a READ, then what does it indicate? This is that capital C that I need to maintain, right? I need to understand this for this box. Please point me to some documentation/book/manual.
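
Added example, not part of the thread and not posted by any participant: a small Python triage helper for the situation discussed above, listing every file under a directory whose access time falls inside a chosen window, with mtime and ctime shown beside it. The function names, the sample file names and the 2005-04-30 timestamps are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime

def accessed_in_window(root, start, end):
    """Files under root whose atime lies in [start, end] (epoch seconds)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat reads metadata only; atime is not changed
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if start <= st.st_atime <= end:
                hits.append({
                    "path": path,
                    "atime": st.st_atime,   # last read (or explicit timestamp set)
                    "mtime": st.st_mtime,   # last content write
                    "ctime": st.st_ctime,   # last inode change (chmod, rename, utime)
                    # content not written since before the window began
                    "written_before_window": st.st_mtime < start,
                })
    return sorted(hits, key=lambda h: h["atime"])

def build_sample(root):
    """Constructed sample: two files written at noon, one with atime at 19:02."""
    noon = datetime(2005, 4, 30, 12, 0).timestamp()
    evening = datetime(2005, 4, 30, 19, 2).timestamp()
    for name, atime in (("book.pdf", evening), ("notes.txt", noon)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.utime(path, (atime, noon))  # sets (atime, mtime); ctime becomes "now"
    return noon, evening

def fmt(ts):
    return datetime.fromtimestamp(ts).strftime("%Y-%m-%d %H:%M:%S")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        noon, evening = build_sample(d)
        # five minutes either side of the suspicious time
        for h in accessed_in_window(d, evening - 300, evening + 300):
            print(os.path.basename(h["path"]), "atime", fmt(h["atime"]),
                  "mtime", fmt(h["mtime"]), "ctime", fmt(h["ctime"]),
                  "written_before_window", h["written_before_window"])
```

Files that share one atime but have older mtimes were read (or had their timestamps set) together; which process did it has to come from other evidence, such as logs or the list of running programs.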


