Compromised or not...

[scrumpy]

Hi,

I'm not completely new to Linux but it's sure not my comfort zone.

I've set-up Mandrake 9.2 on a laptop PC to use primarily as a PHP/MYSQL/Apache server hosting a basic website. The install was basic and I only set-up what I think is necessary to run what I need. Port 80 is forwarded to the machine only.

I see the usual attempts in the apache access and error logs trying to use the server as a proxy but I have a feeling that the machine has been compromised in some way. (the machine is off at the moment until I'm happy that all is well.)

The reason for feeling this way is that after I have looged in as root, and then logged (graphical option) out I notice that the option to shutdown the system is not there? it used to be, and was when I did the initial install.

Do you think something is up? and where should I start to investigate this?

Cheers.

[Slip]

Check out your logs, for example auth.log.

Code:

Apr  5 22:47:17 insomnia su(pam_unix)[5390]: session opened for user root by slip(uid=1000)
Apr  5 22:48:52 insomnia su(pam_unix)[5390]: session closed for user root
Apr  5 23:14:51 insomnia su(pam_unix)[5567]: session opened for user root by slip(uid=1000)
Apr  5 23:15:47 insomnia su(pam_unix)[5567]: session closed for user root
Apr  6 08:22:06 insomnia su(pam_unix)[6948]: session opened for user root by slip(uid=1000)
Apr  6 08:31:00 insomnia su(pam_unix)[7649]: session opened for user root by slip(uid=1000)

And as you can see it will spit out a long list of stuff, including remote ssh sessions, etc.

Also you can simply try changing the root password and whatever user accounts.

[BassekeNL]

1. check your logs. Logs may be altered by an intruder, so this is indicative at best.
2. check for rootkits: run chkrootkit (chkrootkit.org), preferably with the harddrive put into an uncompromised system. See the documentation.
3. check network traffic. Use ethereal or another sniffer to look for any unexplained network traffic.
4. run nmap from another computer, to check if any unusual ports are open

If all the above seems okay, it may still be that an intruder has had access to your computer through an exploit, but isn't using your machine actively. He may have left unknown trojans or rootkits.

To minimize these risks, make sure all available patches have been applied and no unneccessary services are running. Reinstall suspect programs, esp. daemons and cgi scripts. Doublecheck configs. Run a mailserver through ordb to make sure it is not an open relay.

[ElectronicTempest]

Just a note:: You don't need to run nmap from another computer

Code:

nmap localhost

Will still go through the TCP/IP stack, but it doesn't go out through your router. So you can implement all the options nmap has without being remote!

Also. If you think you have been compromised check and see if you can find any unusual usernames. A lot of times they are relying on the fact you may not check that, and they add a user for themselves.

Change your passwords. Change them to another thing you can remember. One major flaw computer users have is that they NEVER change their passwords. If you are compromised once, you will be compromised 100 times.

Last be ABSOLUTELY not least is to make your computer a bit more secure. Many tutorials and books are out there.

there are a few items there you will be interested in. Also take a look at the tutorials, see what the "other side" is using against you. So you can be more aware of what to look out for! Enjoy!

-m-