Thread: Compromised or not...
- Join Date
- Apr 2004
Compromised or not...
I'm not completely new to Linux but it's sure not my comfort zone.
I've set up Mandrake 9.2 on a laptop PC to use primarily as a PHP/MySQL/Apache server hosting a basic website. The install was basic and I only set up what I think is necessary to run what I need. Only port 80 is forwarded to the machine.
I see the usual attempts in the apache access and error logs trying to use the server as a proxy but I have a feeling that the machine has been compromised in some way. (the machine is off at the moment until I'm happy that all is well.)
The reason for feeling this way is that after I have logged in as root and then logged out (graphical option), I notice that the option to shut down the system is not there. It used to be, and it was when I did the initial install.
Do you think something is up, and where should I start to investigate this?
- Join Date
- Nov 2003
- Brooklyn, NY
Check out your logs, for example auth.log.
Apr 5 22:47:17 insomnia su(pam_unix): session opened for user root by slip(uid=1000)
Apr 5 22:48:52 insomnia su(pam_unix): session closed for user root
Apr 5 23:14:51 insomnia su(pam_unix): session opened for user root by slip(uid=1000)
Apr 5 23:15:47 insomnia su(pam_unix): session closed for user root
Apr 6 08:22:06 insomnia su(pam_unix): session opened for user root by slip(uid=1000)
Apr 6 08:31:00 insomnia su(pam_unix): session opened for user root by slip(uid=1000)
Also you can simply try changing the root password and whatever user accounts.
- Join Date
- May 2004
- Dordrecht, the Netherlands
First little checklist:
1. Check your logs. Logs may be altered by an intruder, so this is indicative at best.
2. Check for rootkits: run chkrootkit (chkrootkit.org), preferably with the hard drive put into an uncompromised system. See the documentation.
3. Check network traffic. Use ethereal or another sniffer to look for any unexplained network traffic.
4. Run nmap from another computer, to check if any unusual ports are open.
If all the above seems okay, it may still be that an intruder has had access to your computer through an exploit, but isn't using your machine actively. He may have left unknown trojans or rootkits.
To minimize these risks, make sure all available patches have been applied and no unnecessary services are running. Reinstall suspect programs, esp. daemons and CGI scripts. Double-check configs. Run a mail server through ORDB to make sure it is not an open relay.
- Join Date
- Aug 2004
Just a note: you don't need to run nmap from another computer.
Also. If you think you have been compromised check and see if you can find any unusual usernames. A lot of times they are relying on the fact you may not check that, and they add a user for themselves.
Change your passwords. Change them to another thing you can remember. One major flaw computer users have is that they NEVER change their passwords. If you are compromised once, you will be compromised 100 times.
Last but ABSOLUTELY not least is to make your computer a bit more secure. Many tutorials and books are out there.
There are a few items there you will be interested in. Also take a look at the tutorials, see what the "other side" is using against you, so you can be more aware of what to look out for! Enjoy!
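As an added example (not code from any poster in this thread), a small Python script that applies two of the checks suggested above to constructed sample data: it parses su session lines in the auth.log format quoted in the second reply, tallying who opened root sessions and how many were never closed, and it scans an /etc/passwd excerpt for extra UID-0 accounts and logins outside a baseline, as the last reply recommends. The hostname, user names, the `toor`/`sysadm` entries and the `EXPECTED_USERS` baseline are all constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the auth.log format quoted in the thread (not real data).
AUTH_LOG = """\
Apr 5 22:47:17 insomnia su(pam_unix): session opened for user root by slip(uid=1000)
Apr 5 22:48:52 insomnia su(pam_unix): session closed for user root
Apr 6 08:22:06 insomnia su(pam_unix): session opened for user root by slip(uid=1000)
Apr 6 08:31:00 insomnia su(pam_unix): session opened for user root by (uid=0)
"""

# Constructed /etc/passwd excerpt: one extra UID-0 account and one unexpected login.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
slip:x:1000:1000::/home/slip:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
toor:x:0:0::/root:/bin/bash
sysadm:x:1001:1001::/home/sysadm:/bin/bash
"""

EXPECTED_USERS = {"root", "slip", "apache"}  # constructed baseline for this box

SESSION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su\(pam_unix\): session "
    r"(?P<action>opened|closed) for user (?P<user>\S+)"
    r"(?: by (?P<by>\S*)\(uid=(?P<uid>\d+)\))?"
)

def root_sessions(log_text):
    """Return (Counter of (caller, uid) that opened root sessions, number of root
    sessions opened without a matching close)."""
    opened_by, still_open = Counter(), 0
    for line in log_text.splitlines():
        m = SESSION_RE.match(line)
        if not m or m["user"] != "root":
            continue
        if m["action"] == "opened":
            still_open += 1
            # su run by root itself logs "by (uid=0)" with an empty caller name
            opened_by[(m["by"] or "<unknown>", m["uid"])] += 1
        else:
            still_open = max(still_open - 1, 0)
    return opened_by, still_open

def suspicious_accounts(passwd_text, expected):
    """Flag every UID-0 account other than root and every login not in the baseline."""
    extra_uid0, unexpected = [], []
    for line in passwd_text.splitlines():
        name, _pw, uid, *_rest = line.split(":")
        if uid == "0" and name != "root":
            extra_uid0.append(name)
        if name not in expected:
            unexpected.append(name)
    return extra_uid0, unexpected
```

On a real system, read `/var/log/auth.log` and `/etc/passwd` instead of the embedded samples, and remember the third reply's caveat that an intruder may have edited the logs.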