[TriLUG] Hacked?

Tom Woods twoods at tomnkim.us
Mon Mar 1 14:34:12 EST 2004


Ok, I'm trying not to panic...  But I may have been hacked.

*History:*
I just upgraded my server from RH9 to Fedora Core 1.  I did an in-place 
upgrade after taking a ghost image of the system.  I highly suspect that 
this is the actual cause of the messages below, but I thought it would 
be wise to run it by the list to see what y'all think...   Just to be 
sure. 

Gdm is accepting remote logins, but only from the local network.  Port 
25, 22 and the IMAPS and https ports are open to the outside.  All 
updates have been applied with the up2date (yum variety) utility.

Upon further consideration, the gdm bad username stuff is probably my 
2-year-old pounding on the keyboard when I'm not looking.   Either way, 
I'm still up for input if anyone has any thoughts.

*Suspicious data:*

_Logwatch -- Day Before Yesterday --_

 --------------------- pam_unix Begin ------------------------ 

gdm:
   Unknown Entries:
      bad username [\n6-0]: 1 Time(s)
      bad username [-]: 1 Time(s)
      bad username []: 1 Time(s)
      check pass; user unknown: 11 Time(s)
      bad username [[K;K;[K[KDRUIRFHJJGKGGGGMJ\\\]]]]]]]]]]]]]]]]]]]]]]`1`1`````1````1`1```````````1`1111111111111111111121211kikkmkkkkkkkkikqaaqqaq]: 1 Time(s)
      authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= : 11 Time(s)


 ---------------------- pam_unix End ------------------------- 


_Logwatch -- Yesterday --_

--------------------- Cron Begin ------------------------ 

**Unmatched Entries**
ORPHAN (no passwd entry) 
ORPHAN (no passwd entry) 
ORPHAN (no passwd entry) 
ORPHAN (no passwd entry) 
ORPHAN (no passwd entry) 
ORPHAN (no passwd entry) 

 ---------------------- Cron End ------------------------- 


 --------------------- Init Begin ------------------------ 


**Unmatched Entries**
Trying to re-exec init

 ---------------------- Init End ------------------------- 


 --------------------- ipop3d Begin ------------------------ 


**Unmatched Entries**
   Mailbox vulnerable - directory /var/spool/mail must have 1777 protection: 10 Time(s)

 ---------------------- ipop3d End ------------------------- 
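Added example (not code from the original message): a small triage script for the two Logwatch sections quoted above. The check a practitioner wants here is whether the gdm failures came from the console or from the network, and pam_unix already records that: `tty=:0` is the local X display and an empty `rhost=` means no remote peer. The sample log lines are constructed to mirror the entries in the post rather than captured from a real system; the sshd line is added, not in the post, to show what a genuinely remote failure looks like beside the console ones. The `olduser` crontab and the passwd contents are likewise hypothetical stand-ins for `ls /var/spool/cron` and `getent passwd`.

```python
"""Triage helpers for the Logwatch sections quoted above (added example).

All sample inputs are constructed to mirror the post, not captured logs.
"""
import re
from collections import Counter

# /var/log/secure lines as pam_unix writes them before Logwatch counts them.
# Constructed; the sshd line is added for contrast and is not from the post.
SAMPLE_SECURE_LOG = r"""
Feb 27 19:02:11 fc1 gdm(pam_unix)[1487]: bad username [\n6-0]
Feb 27 19:02:15 fc1 gdm(pam_unix)[1487]: bad username [-]
Feb 27 19:02:19 fc1 gdm(pam_unix)[1487]: bad username []
Feb 27 19:02:25 fc1 gdm(pam_unix)[1487]: check pass; user unknown
Feb 27 19:02:25 fc1 gdm(pam_unix)[1487]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Feb 27 19:03:02 fc1 gdm(pam_unix)[1487]: bad username [[K;K;DRUIRFHJJGKGGGGMJ]
Feb 27 21:10:44 fc1 sshd(pam_unix)[2203]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7  user=root
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<svc>\w+)\(pam_unix\)\[\d+\]: (?P<msg>.*)$"
)
BAD_USER_RE = re.compile(r"bad username \[(?P<name>.*)\]$")
# Conservative shape of a real login name on a Red Hat box of this era.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def parse_pam_unix(text):
    """One dict per pam_unix line: service, kind, key=value fields, rejected name."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        e = {"svc": m.group("svc"), "kind": "other", "fields": {}, "name": None}
        bad = BAD_USER_RE.match(msg)
        if bad:
            e["kind"], e["name"] = "bad_username", bad.group("name")
        elif msg.startswith("authentication failure;"):
            e["kind"] = "auth_failure"
            # "logname= uid=0 euid=0 tty=:0 ruser= rhost=" -> {"tty": ":0", ...}
            e["fields"] = dict(re.findall(r"(\w+)=(\S*)", msg))
        elif msg == "check pass; user unknown":
            e["kind"] = "user_unknown"
        entries.append(e)
    return entries


def failure_origin(fields):
    """Where an 'authentication failure' came from.

    Network services (sshd, pop/imap) fill in rhost.  gdm passes the X display
    name as the tty: ':0' is the local console, while a display with a host
    in front of the colon belongs to an XDMCP client.
    """
    if fields.get("rhost"):
        return "remote"
    tty = fields.get("tty", "")
    if tty.startswith(":"):
        return "local-console"
    if ":" in tty:
        return "remote"
    return "unknown"


def looks_like_keyboard_mash(name):
    """True when the rejected name could not be a real account name at all."""
    return USERNAME_RE.fullmatch(name) is None


def summarize(text):
    """Failure origins per service plus each rejected name with its mash flag."""
    origins, bad_names = Counter(), []
    for e in parse_pam_unix(text):
        if e["kind"] == "auth_failure":
            origins[(e["svc"], failure_origin(e["fields"]))] += 1
        elif e["kind"] == "bad_username":
            bad_names.append((e["name"], looks_like_keyboard_mash(e["name"])))
    return {"origins": dict(origins), "bad_names": bad_names}


def orphan_crontabs(spool_names, passwd_text):
    """Crontab files with no passwd entry: the cause of crond's ORPHAN message.

    Live inputs would be os.listdir('/var/spool/cron') and 'getent passwd'.
    """
    users = {ln.split(":")[0] for ln in passwd_text.splitlines() if ln and ln[0] != "#"}
    return sorted(n for n in spool_names if n not in users)


# Constructed stand-ins; 'olduser' is a hypothetical account that was removed
# during the upgrade and left its crontab behind.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nmail:x:8:12:mail:/var/spool/mail:/sbin/nologin\n"
SAMPLE_CRON_SPOOL = ["root", "olduser"]

if __name__ == "__main__":
    print(summarize(SAMPLE_SECURE_LOG))
    print("orphan crontabs:", orphan_crontabs(SAMPLE_CRON_SPOOL, SAMPLE_PASSWD))
```

Run against a real `/var/log/secure`, every gdm failure landing in `local-console` with names that fail the username shape is the keyboard-mash pattern; anything in `remote`, or a rejected name that looks like a real account, is what would warrant pulling the ghost image back and comparing. For the cron section, the orphan list names the crontab files to inspect and remove.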

