Yeah I agree and run the rootkit detector from a bootable cdrom or usb key, using a known linux kernel that has not been corrupted.

There are rootkits that hide the existence of themselves by loading a special kernel module that prevents root from seeing certain files, processes, and other things necessary to detect their presence.

--R

On Sun, 2008-08-03 at 22:09 -0400, Vern Ceder wrote:
> Don't forget to check for a rootkit, or to be even safer, just reinstall
> the OS from scratch and the data from a backup.
>
> There is a chkrootkit and a rkhunter, I believe, that will check for
> rootkits.
>
> Vern
>
> Rob Ludwick wrote:
> > Jon,
> >
> > 92.55.82.121 is listed in Dshield.org database, as an attacker 3 times.
> > Possibly from Macedonia.
> >
> > 62.162.164.116 is in a block assigned to Macedonia, it appears 0 times
> > in the Dshield.org database.
> >
> > Considering that both came from Macedonia, one with a hit on Dshield, I
> > would say that yes. It's safe to assume you've been hacked.
> >
> > If you've noticed, there may have been a lot of activity on port 22,
> > with a lot of rejections on the same IP, maybe within a span of 30
> > minutes. Then there's another IP address that scans the next day with
> > another set of usernames and passwords. That's been pretty standard for
> > about 2 or 3 years now.
> >
> > So I would figure out if they had any access to boxes on that network as
> > well. Putting nologin in /etc/passwd is good, but they may have been
> > going on for a while, and that may not be their only avenue of entry.
> >
> > And when you determine the list of boxes they had entered on your
> > network, reformat them and put a fresh install of software on.
> >
> > And if you did any banking with those boxes, it would be wise to change
> > account passwords. As well as any other account you consider
> > confidential that you accessed from those machines.
> >
> > --R
> >
> > On Sun, 2008-08-03 at 11:20 -0400, Jon wrote:
> >> In the last few weeks I poked a hole through my router to SSH into my
> >> box at home from the road.
> >>
> >> I was just scrounging thru the auth.log with `grep 'Accepted password
> >> for' ./auth.log* | less`
> >>
> >> And got this:
> >>
> >> ./auth.log.0:Jul 28 12:03:39 nichtscheissen sshd[24906]: Accepted
> >> password for jon from 216.155.176.39 port 5873 ssh2
> >> ./auth.log.0:Jul 28 13:04:40 nichtscheissen sshd[25857]: Accepted
> >> password for jon from 216.155.176.39 port 4689 ssh2
> >> ./auth.log.0:Jul 28 21:41:34 nichtscheissen sshd[1839]: Accepted
> >> password for jon from 192.168.1.104 port 40752 ssh2
> >> ./auth.log.0:Jul 28 21:43:27 nichtscheissen sshd[2138]: Accepted
> >> password for jon from 192.168.1.104 port 40755 ssh2
> >> ./auth.log.0:Jul 28 21:44:07 nichtscheissen sshd[2155]: Accepted
> >> password for jon from 192.168.1.104 port 40757 ssh2
> >> ./auth.log.0:Jul 28 22:01:27 nichtscheissen sshd[2440]: Accepted
> >> password for jon from 192.168.1.104 port 43941 ssh2
> >> ./auth.log.0:Jul 28 22:01:50 nichtscheissen sshd[2452]: Accepted
> >> password for jon from 192.168.1.104 port 43942 ssh2
> >> ./auth.log.0:Jul 28 22:09:36 nichtscheissen sshd[2726]: Accepted
> >> password for jon from 192.168.1.104 port 46126 ssh2
> >> ./auth.log.0:Jul 29 21:17:35 nichtscheissen sshd[18658]: Accepted
> >> password for jon from 192.168.1.104 port 42032 ssh2
> >> ./auth.log.0:Jul 31 08:34:03 nichtscheissen sshd[26223]: Accepted
> >> password for jon from 216.155.176.39 port 21045 ssh2
> >> ./auth.log.0:Jul 31 08:34:09 nichtscheissen sshd[26227]: Accepted
> >> password for jon from 216.155.176.39 port 21283 ssh2
> >> ./auth.log.0:Jul 31 08:38:42 nichtscheissen sshd[26243]: Accepted
> >> password for jon from 216.155.176.39 port 20307 ssh2
> >> ./auth.log.0:Jul 31 08:39:21 nichtscheissen sshd[26257]: Accepted
> >> password for jon from 216.155.176.39 port 20229 ssh2
> >> ./auth.log.0:Jul 31 08:39:44 nichtscheissen sshd[26262]: Accepted
> >> password for jon from 216.155.176.39 port 17171 ssh2
> >> ./auth.log.0:Jul 31 18:13:22 nichtscheissen sshd[6258]: Accepted
> >> password for postgres from port 63075 ssh2
> >> ./auth.log.0:Aug 1 03:20:35 nichtscheissen sshd[11115]: Accepted
> >> password for postgres from 62.162.164.116 port 1283 ssh2
> >> ./auth.log.0:Aug 1 03:31:04 nichtscheissen sshd[11368]: Accepted
> >> password for postgres from 62.162.164.116 port 1685 ssh2
> >> ./auth.log.0:Aug 1 11:04:02 nichtscheissen sshd[18404]: Accepted
> >> password for postgres from 62.162.164.116 port 3262 ssh2
> >> ./auth.log.0:Aug 1 13:41:06 nichtscheissen sshd[20845]: Accepted
> >> password for postgres from 92.55.82.121 port 64237 ssh2
> >>
> >> The logins for me from the 216 address are kosher. That's me from work.
> >>
> >> It's the logins for postgres that concern me.
> >>
> >> What I've done so far is changed the postgres user's shell
> >> to /usr/sbin/nologin.
> >>
> >> Any ideas what's going on here? How concerned should I be about these
> >> successful logins?
> >>
> >
> >
> > _______________________________________________
> > Fwlug mailing list
> > [email protected]
> > http://fortwaynelug.org/mailman/listinfo/fwlug_fortwaynelug.org
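The triage Jon did by hand with grep (which accepted logins are his, which belong to a service account, which come from an address he does not recognise) can be automated over auth.log. The script below is an added example written for this page, not code from the thread or from any list member; the trusted home LAN (192.168.1.0/24), the trusted work address (216.155.176.39) and the "service account" list are assumptions taken from Jon's own description, and the sample log lines are copied from his quoted output, including the one entry that has no source address at all, which the parser keeps rather than silently drops.

```python
import ipaddress
import re
from collections import Counter

# sshd "Accepted <method> for <user> from <ip> port <port> <proto>" line, with an
# optional "./auth.log.0:" prefix from grep. The source address is optional so
# that a malformed entry (like the one in the thread) still parses and is flagged.
ACCEPTED_RE = re.compile(
    r"^(?:[^:]+:)?"
    r"(?P<month>\w{3})\s+(?P<day>\d+) (?P<time>[\d:]+) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from "
    r"(?:(?P<ip>[0-9a-fA-F.:]+) )?port (?P<port>\d+) (?P<proto>\w+)$"
)

# Assumptions, derived from what Jon wrote: his LAN, his work address, and the
# accounts that should never have an interactive SSH login at all.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]
TRUSTED_HOSTS = {ipaddress.ip_address("216.155.176.39")}
SERVICE_ACCOUNTS = {"postgres"}

# Sample input: a subset of the auth.log lines quoted in the thread.
SAMPLE_LOG = [
    "./auth.log.0:Jul 28 12:03:39 nichtscheissen sshd[24906]: Accepted password for jon from 216.155.176.39 port 5873 ssh2",
    "./auth.log.0:Jul 28 21:41:34 nichtscheissen sshd[1839]: Accepted password for jon from 192.168.1.104 port 40752 ssh2",
    "./auth.log.0:Jul 31 08:34:03 nichtscheissen sshd[26223]: Accepted password for jon from 216.155.176.39 port 21045 ssh2",
    "./auth.log.0:Jul 31 18:13:22 nichtscheissen sshd[6258]: Accepted password for postgres from port 63075 ssh2",
    "./auth.log.0:Aug 1 03:20:35 nichtscheissen sshd[11115]: Accepted password for postgres from 62.162.164.116 port 1283 ssh2",
    "./auth.log.0:Aug 1 03:31:04 nichtscheissen sshd[11368]: Accepted password for postgres from 62.162.164.116 port 1685 ssh2",
    "./auth.log.0:Aug 1 11:04:02 nichtscheissen sshd[18404]: Accepted password for postgres from 62.162.164.116 port 3262 ssh2",
    "./auth.log.0:Aug 1 13:41:06 nichtscheissen sshd[20845]: Accepted password for postgres from 92.55.82.121 port 64237 ssh2",
    "./auth.log.0:Jul 28 22:01:27 nichtscheissen sshd[2440]: Accepted password for jon from 192.168.1.104 port 43941 ssh2",
]


def parse_accepted(line):
    """Return a dict of fields for an sshd 'Accepted' line, or None if it is not one."""
    m = ACCEPTED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def is_trusted_source(ip_text):
    """True if the address is on the home LAN or is the known work address."""
    if ip_text is None:
        return False
    ip = ipaddress.ip_address(ip_text)
    return ip in TRUSTED_HOSTS or any(ip in net for net in TRUSTED_NETS)


def summarize(lines):
    """Count successful logins per (user, source address), the view grep gives by eye."""
    counts = Counter()
    for line in lines:
        rec = parse_accepted(line)
        if rec:
            counts[(rec["user"], rec["ip"])] += 1
    return dict(counts)


def audit(lines):
    """Return (user, ip, reasons) for every accepted login that needs a second look."""
    findings = []
    for line in lines:
        rec = parse_accepted(line)
        if rec is None:
            continue
        reasons = []
        if rec["user"] in SERVICE_ACCOUNTS:
            reasons.append("interactive login to a service account")
        if rec["ip"] is None:
            reasons.append("log entry carries no source address")
        elif not is_trusted_source(rec["ip"]):
            reasons.append("source address is not a trusted host or network")
        if reasons:
            findings.append((rec["user"], rec["ip"], reasons))
    return findings


if __name__ == "__main__":
    for (user, ip), n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(f"{n:3d}  {user:<10} {ip}")
    for user, ip, reasons in audit(SAMPLE_LOG):
        print(f"FLAG {user} from {ip}: " + "; ".join(reasons))
```

Run it against the real files with `grep 'Accepted' /var/log/auth.log*` piped in and the two lists adjusted to your own addresses; every line it flags is one the thread's advice applies to, and an entry with no source address is worth treating as suspect rather than discarding, since a parser that requires the address would never show it.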
