[ale] Have I been hacked?

Michael B. Trausch mike at trausch.us
Thu Jan 8 20:40:43 EST 2009


On Thu, 8 Jan 2009 20:14:07 -0500
Mark Wright <mark_wright at bellsouth.net> wrote:

> Has someone hacked my box and changed the password?  Specifically,  
> before I reset the password and go on as if nothing happened, how
> can I tell?
> 
> Thanks for your thoughts.

If you left VNC open, I'd check your command history.  Check also your
system logs, and check your files for modification times which seem
wrong.  Check the process list for anything that looks unfamiliar to
you that would have been started since you last used your password.
Check your netstat list to see what network ports are in use and see if
there is anything in that list which you cannot account for.  Check
these things on other machines on your home network which are reachable
from your system, as well.

Do keep in mind that one of two things would have been required to
change your password:  (1) root access to the box, or (2) your current
password (note that I am assuming a reasonably sane PAM configuration
that doesn't permit you to change your password without first
supplying your current one). If someone got #2, and you have sudo
privileges, then they probably got #1 also, and someone who is
sufficiently learned on UNIX-like systems will be able to cover their
tracks pretty well if they get root access to your box. The only truly
safe option is to audit your ${HOME} and reinstall the system if you
suspect that you have been compromised in some way---well, that is,
it's the only truly safe option if you don't have signatures of your
files tucked away somewhere so that you can verify all of their
contents.  I don't know about your system, but on my system there are
over half a million files between my ${HOME} and /usr---there is simply
no way that I could verify them manually.

Essentially, if you can't be sure one way or another, reinstall the
system and start with a clean ${HOME}---or at least, keep your data,
and throw away any software in ${HOME} that you are unable to audit and
rebuild it.

	--- Mike

-- 
My sigfile ran away and is on hiatus.
http://www.trausch.us/
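The two ideas in Mike's reply that lend themselves to a worked example are the mtime check ("files for modification times which seem wrong") and the remark that you can only really verify a tree if you have "signatures of your files tucked away somewhere". The script below is an added illustration, not code from the ALE thread or from Mike; it uses only the Python 3 standard library and builds a constructed tree in a temporary directory. A baseline manifest (SHA-256 plus mtime per file) is recorded, the tree is then altered the way a compromise might leave it, and the tree is checked against the baseline both ways. The constructed scenario deliberately includes a file whose contents changed but whose mtime was reset, which is exactly the case an mtime-only sweep misses and a stored hash catches.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record hash and mtime of every regular file under root (symlinks are skipped, not followed)."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": hash_file(p), "mtime": p.stat().st_mtime}
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tree against a stored manifest; hashes, not mtimes, decide whether a file changed."""
    current = build_manifest(root)
    modified = sorted(r for r in manifest
                      if r in current and current[r]["sha256"] != manifest[r]["sha256"])
    added = sorted(r for r in current if r not in manifest)
    removed = sorted(r for r in manifest if r not in current)
    return {"modified": modified, "added": added, "removed": removed}


def files_modified_since(root: Path, since: float) -> list:
    """Files whose mtime is newer than `since`: a coarse first pass, since mtimes can be reset."""
    return sorted(rel for rel, info in build_manifest(root).items() if info["mtime"] > since)


def demo() -> dict:
    """Constructed scenario: baseline a small tree, alter it, and verify against the stored baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")
        (root / ".bashrc").write_text("export PATH=$HOME/bin:$PATH\n")
        (root / "notes.txt").write_text("keep me\n")

        # Baseline, round-tripped through JSON as it would be when stored off-box.
        manifest = json.loads(json.dumps(build_manifest(root)))
        checkpoint = max(info["mtime"] for info in manifest.values())

        # 1. Replaced binary with a visibly newer mtime: both checks will flag it.
        (root / "bin" / "ls").write_bytes(b"replaced ls binary\n")
        os.utime(root / "bin" / "ls", (checkpoint + 100, checkpoint + 100))
        # 2. Altered rc file with its mtime reset to a pre-checkpoint value: only the hash flags it.
        (root / ".bashrc").write_text("export PATH=$HOME/bin:$PATH\n# appended line\n")
        os.utime(root / ".bashrc", (checkpoint - 10, checkpoint - 10))
        # 3. A file removed and a new file dropped in.
        (root / "notes.txt").unlink()
        (root / "extra.so").write_bytes(b"new file\n")
        os.utime(root / "extra.so", (checkpoint + 200, checkpoint + 200))

        report = verify_manifest(root, manifest)
        report["mtime_only"] = files_modified_since(root, checkpoint)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only worth anything if it was taken before the suspected compromise and kept somewhere the box cannot rewrite (removable media, another host), which is the "tucked away somewhere" condition in the reply; a manifest stored on the same system is subject to the same doubt as the files it describes.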