[ale] Have I been hacked?

Mark Wright mark_wright at bellsouth.net
Thu Jan 8 21:11:14 EST 2009


On Jan 8, 2009, at 8:40 PM, Michael B. Trausch wrote:

> On Thu, 8 Jan 2009 20:14:07 -0500
> Mark Wright <mark_wright at bellsouth.net> wrote:
>
>> Has someone hacked my box and changed the password?  Specifically,
>> before I reset the password and go on as if nothing happened, how
>> can I tell?
>>
>> Thanks for your thoughts.
>
> If you left VNC open, I'd check your command history.  Check also your
> system logs, and check your files for modification times which seem
> wrong.  Check the process list for anything that looks unfamiliar to
> you that would have been started since you last used your password.
> Check your netstat list to see what network ports are in use and  
> see if
> there is anything in that list which you cannot account for.  Check
> these things on other machines on your home network which are  
> reachable
> from your system, as well.
>
> Do keep in mind that one of two things would have been required to
> change your password:  (1) root access to the box, or (2) your current
> password (note that I am assuming a reasonably sane PAM configuration
> that doesn't permit you to change your password without first
> supplying your current one). If someone got #2, and you have sudo
> privileges, then they probably got #1 also, and someone who is
> sufficiently learned on UNIX-like systems will be able to cover their
> tracks pretty well if they get root access to your box. The only truly
> safe option is to audit your ${HOME} and reinstall the system if you
> suspect that you have been compromised in some way---well, that is,
> it's the only truly safe option if you don't have signatures of your
> files tucked away somewhere so that you can verify all of their
> contents.  I don't know about your system, but on my system there are
> over half a million files between my ${HOME} and /usr---there is  
> simply
> no way that I could verify them manually.
>
> Essentially, if you can't be sure one way or another, reinstall the
> system and start with a clean ${HOME}---or at least, keep your data,
> and throw away any software in ${HOME} that you are unable to audit  
> and
> rebuild it.
>
> 	--- Mike
>

Thanks Mike,

I had looked in /var/log/auth.log  and found an entry at 7:30 this  
morning that I don't understand.  I am still worried by what I see in  
this log even though I just solved the password problem.

As I stated in the original post I was using VNC from an iPod to get  
into the box.  Well obviously it has whacked my keyboard.  No matter  
what I do I can't get a number out of it.  My password has lots of  
numbers.  No matter what I try I get ()&^%$.  So I patiently cut and  
pasted numbers from a text document to write out my password and then  
pasted that into the password field for the package manager.  It  
worked fine, proving my password has not been changed.  I've just  
lost the ability to type numbers.

A quick restart fixed the keyboard.  My remaining question is does  
the entry in /var/log/auth.log indicate trouble?  It shows some  
authorization action involving my userid at 7:30 this morning while I  
was on the road to Norcross.  I don't know if this normal.

See the log below.

Jan  7 07:35:02 Gateway-Ubuntu sudo:     root : TTY=unknown ; PWD=/ ;  
USER=mark ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/ 
use_http_proxy
Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session  
opened for user mark by (uid=0)
Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session  
closed for user mark
Jan  7 07:35:02 Gateway-Ubuntu sudo:     root : TTY=unknown ; PWD=/ ;  
USER=mark ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/host
Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session  
opened for user mark by (uid=0)
Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session  
closed for user mark
Jan  7 07:35:02 Gateway-Ubuntu sudo:     root : TTY=unknown ; PWD=/ ;  
USER=mark ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/port
Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session  
opened for user mark by (uid=0)
Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session  
closed for user mark

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20090108/adbe2809/attachment.html 


More information about the Ale mailing list