  1. #1

    Linux Box Hacked? - How to tell?

    Good day all, solid work on this forum btw. Okay...

    I got an email in my account the other day that said:

    ALERT - Root Shell Access on: Fri Dec 3 15:22:33 SGT 2004

    Normally when I log in as root from the office the message is:

    ALERT - Root Shell Access on: Fri Dec 3 15:22:33 SGT 2004
    from IP ADSL-AOL.231.232.123.34

    so it was funny when the message I got had no IP address (meaning a user access perhaps?)

    I went in via SSH (PuTTY) to check, and in the /var/log directory I realised that the messages, secure and other log files were all zero bytes in size. Furthermore a chunk was missing from the httpd log.

    Is there a simple way to check whether I am compromised? I will be willing to share as much information as I can from my Linux box to help and hopefully this thread can help other newbies.

    I have already run chkrootkit but it detected nothing except a warning that the mysql log was zero bytes (perhaps it was a log wiper?)

    Lastly, I consider myself a Linux intermediate, having experience with Cobalt RaQs and RH before moving to the current box, which is installed with Trustix.

    Thanks in advance! - Troff

  2. #2
    Okay, after a second search I found the following thread, 'Have I been hacked?':

    http://www.webhostingtalk.com/showth...nux+box+hacked

    I HAVE gone through it first and the result is that nothing has turned up so far. Apologies for the rushed thread (will search more thoroughly next time... the search defaulted to threads from the 'past month').

    Any expert can help with regards to the zeroed log files?
    Last edited by troff; 12-12-2004 at 10:20 PM.

  3. #3
    What does your .bash_history have in it?

    Andrew
    NetHosted - UK based hosting solutions.

  4. #4
    I've taken a look in /root/.bash_history and I can safely say there's nothing there that wasn't done by me (before Dec 1st). Neither is there anything strange.

    The stuff there is basically the instructions I followed in the thread in the previous post about how to check for compromised directories.

    Do you want me to paste the directory structure? And perhaps some of the httpd logs? You might find them interesting.

    BTW, after I restarted the server it started logging again to secure, messages, etc.

    Luckily I backed up /var/log before I rebooted.

    These are from the backup I made on my PC. Take a look at the following and notice how, on Dec 1, a lot of the important log files like secure, messages, ntp.log etc. are zero bytes in size!!!!

    Directory of E:\linux\backup-hacked\var\log

    12/12/2004 02:02a    2,627,428  aide.log
    12/12/2004 08:46p        <DIR>  auth
    12/01/2004 02:02a            0  boot.log
    12/01/2004 02:02a        1,748  boot.log.1.gz
    11/01/2004 02:02a        3,637  boot.log.2.gz
    10/01/2004 02:02a        8,863  boot.log.3.gz
    09/01/2004 12:02a       24,856  boot.log.4.gz
    12/12/2004 08:46p        <DIR>  clamav
    12/12/2004 03:22a        9,462  clamav-scan.log
    12/12/2004 03:22a        9,825  clamav-update.log
    12/12/2004 08:46p        <DIR>  cron
    12/12/2004 08:46p        <DIR>  daemon
    11/01/2004 11:41a       21,264  dmesg
    12/12/2004 08:46p        <DIR>  httpd
    12/12/2004 08:46p        <DIR>  imapd
    12/12/2004 08:46p        <DIR>  kernel
    11/01/2004 11:41a       53,525  ksyms.0
    10/11/2004 10:44a       53,525  ksyms.1
    10/11/2004 10:31a       53,525  ksyms.2
    10/01/2004 06:13p       53,525  ksyms.3
    09/15/2004 11:30a       53,525  ksyms.4
    09/10/2004 08:14p       53,525  ksyms.5
    09/10/2004 08:00p       53,525  ksyms.6
    12/12/2004 08:05p          292  lastlog
    12/01/2004 02:02a           64  lastlog.1.gz
    12/12/2004 08:46p        <DIR>  mail
    12/01/2004 02:02a            0  messages
    12/01/2004 02:02a       10,701  messages.1.gz
    11/01/2004 02:02a       25,119  messages.2.gz
    10/01/2004 02:02a       33,143  messages.3.gz
    09/01/2004 12:02a      214,895  messages.4.gz
    12/12/2004 08:46p        <DIR>  named
    09/05/2004 01:15a            0  ntp.log
    09/05/2004 06:06p          539  ntpd2.log
    12/12/2004 02:03a        7,730  ntpdate.log
    12/12/2004 08:46p        <DIR>  openldap
    03/18/2004 09:14a            0  pacct
    04/30/2004 08:10p            0  proftpd
    12/12/2004 02:03a        6,664  rpmpkgs
    12/12/2004 02:02a        1,913  rpmpkgs.1.gz
    10/10/2004 02:02a        1,913  rpmpkgs.10.gz
    10/03/2004 02:02a        1,913  rpmpkgs.11.gz
    09/26/2004 02:02a        1,896  rpmpkgs.12.gz
    12/05/2004 02:02a        1,913  rpmpkgs.2.gz
    12/12/2004 08:46p        <DIR>  sa
    03/18/2004 09:14a            0  savacct
    12/01/2004 02:02a            0  secure
    12/01/2004 02:02a           68  secure.1.gz
    11/01/2004 02:02a          226  secure.2.gz
    10/01/2004 02:02a          832  secure.3.gz
    09/01/2004 12:02a        1,032  secure.4.gz
    08/12/2004 05:29a            0  spooler
    12/12/2004 08:46p        <DIR>  swup
    12/12/2004 08:46p        <DIR>  system
    12/12/2004 06:02a          146  test-crontabe.log
    11/05/2004 11:02a    1,282,215  ulogd-shorewall-20041105.log
    12/12/2004 08:30p    2,076,548  ulogd-shorewall.log
    03/18/2004 09:14a            0  usracct
    12/12/2004 08:05p          384  wtmp
    12/01/2004 02:02a          822  wtmp.1.gz
    Last edited by troff; 12-13-2004 at 01:20 AM.

  5. #5
    It may not mean you were hacked. Logs are rotated (I think that's the term they use). By the looks of it this happens every month on your system, so you can get last month's logs in logfile.1.gz (replacing logfile with the log name).

    Although they should not have been empty on the 3rd, and if they were, then either your server was locked up from the first to the third or someone intentionally cleaned the logs out.
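    An added example, not from anyone in this thread: a small Python triage for the kind of listing posted in #4, along the lines of the rotation explanation in #5. For every zero-byte file it compares the file's mtime with that of its .1.gz sibling. A match is what logrotate's create directive leaves behind at rotation time when nothing has written to the new file since; an mtime well after the archive means something truncated the file later, which is the wiping case. In the #4 listing, messages and secure are both 0 bytes with the same 12/01 02:02 stamp as messages.1.gz and secure.1.gz, so they would fall in the first bucket. One mundane cause of that pattern is a logging daemon that was never told to reopen its files after rotation and kept writing to the old, unlinked inode until the reboot; open_deleted_logs() looks for exactly that in /proc. Caveat: anyone with root can forge an mtime (touch -r), so this sorts the possibilities rather than proving anything; the AIDE database (aide.log is in the listing) and the last entries of the rotated archives are stronger evidence. The fixture directory, its contents, the 600-second tolerance and the verdict labels are constructed for the demo.

```python
"""Triage zero-byte files in a log directory: rotation artefact or later truncation?"""
import gzip
import os
import tempfile
import time


def last_entry(gz_path):
    """Last non-empty line of a gzip-compressed log. Syslog lines open with a
    'Mon DD HH:MM:SS' stamp, so this is when the archive was cut."""
    with gzip.open(gz_path, "rt", errors="replace") as fh:
        lines = [ln.rstrip("\n") for ln in fh if ln.strip()]
    return lines[-1] if lines else ""


def triage_empty_logs(logdir, tolerance=600):
    """Classify every zero-byte regular file in logdir.

    logrotate's 'create' makes a fresh empty file at rotation time. If the daemon
    was never told to reopen its log (no HUP/restart), it keeps writing to the old
    inode, which has been renamed and compressed away, and the new file stays at 0
    bytes with an mtime equal to the rotation. An empty file whose mtime is well
    after its .1.gz sibling was truncated later by something else.
    tolerance: seconds of slack for gzip finishing after the rename (assumed value).
    """
    verdicts = {}
    for name in sorted(os.listdir(logdir)):
        path = os.path.join(logdir, name)
        if not os.path.isfile(path) or os.path.getsize(path) != 0:
            continue
        rotated = path + ".1.gz"
        if not os.path.exists(rotated):
            verdicts[name] = ("empty-never-rotated", "0 bytes and no .1.gz sibling")
            continue
        delta = os.path.getmtime(path) - os.path.getmtime(rotated)
        cut = last_entry(rotated)[:15]
        if abs(delta) <= tolerance:
            verdicts[name] = ("empty-since-rotation",
                              f"same mtime as archive; archive ends {cut!r}")
        else:
            verdicts[name] = ("truncated-after-rotation",
                              f"mtime {delta / 3600:.1f} h after archive; archive ends {cut!r}")
    return verdicts


def open_deleted_logs(logdir, proc="/proc"):
    """Linux only: (pid, target) for descriptors still open on deleted files under
    logdir. A syslogd holding '/var/log/messages.1 (deleted)' confirms the
    not-reopened case; needs root to read other processes' fd tables."""
    hits, prefix = [], logdir.rstrip("/") + "/"
    if not os.path.isdir(proc):
        return hits
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # not our process, or it has already exited
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith(prefix) and target.endswith(" (deleted)"):
                hits.append((int(pid), target))
    return hits


def build_fixture():
    """Constructed stand-in for the listing in the thread: rotation at 02:02 on
    Dec 1 2004; 'messages' untouched since, 'secure' emptied two days later,
    'pacct' empty with no archive at all."""
    d = tempfile.mkdtemp()
    rot = time.mktime((2004, 12, 1, 2, 2, 0, 0, 0, -1))
    for log in ("messages", "secure"):
        with gzip.open(os.path.join(d, log + ".1.gz"), "wt") as fh:
            fh.write("Nov 30 23:59:01 server syslogd: constructed last archived line\n")
        os.utime(os.path.join(d, log + ".1.gz"), (rot, rot))
        open(os.path.join(d, log), "w").close()
    os.utime(os.path.join(d, "messages"), (rot, rot))
    os.utime(os.path.join(d, "secure"), (rot + 2 * 86400,) * 2)
    open(os.path.join(d, "pacct"), "w").close()
    return d


if __name__ == "__main__":
    for name, (verdict, why) in triage_empty_logs(build_fixture()).items():
        print(f"{name:10} {verdict:26} {why}")
    for pid, target in open_deleted_logs("/var/log"):
        print(f"pid {pid} still writes to {target}")
```

    Point triage_empty_logs() at the backup copy of /var/log rather than the live tree, since the reboot described in #4 has already changed the live files; open_deleted_logs() only says anything useful on the live box, before a restart, run as root.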

  6. #6
    Hmm, u2mike, you may have something there.... let me check the httpd logs for something then. I will also check the previous month's secure and messages files to see when the last entry was...

    If so I think I need a BIG FAT SLAP in the head

    (Update)
    u2mike I am quite sure they were empty on the 3rd. But the issue is that the server must have had a reason to write to the logfile (on the 1st and 2nd) and I'm still looking for that reason... will keep you posted. But I am quite sure the logs were still zero on the 3rd and did not start writing until I rebooted the server.

    In addition, I can find no trace of the root login (see first post) that was emailed to me, while I can see my own entries into the system.... For example, in the auth files I can only see this recent entry (the other one is in November) and none from Dec 3rd:

    Dec 13 09:57:08 server sshd[1970]: Accepted password for root from 123.123.123.123 port 1993 ssh2

    Am gonna install rkhunter soon (heard it is better than chkrootkit).
    Last edited by troff; 12-13-2004 at 01:35 AM.
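    An added example, not from anyone in this thread: a parser for syslog-format lines like the sshd entry quoted in #6 that does two things. root_access() lists every route to root the auth log records, both sshd logins as root with their source address and su sessions opened for root, which carry no remote address at all and are one way a root shell can show up without a "from IP" line like the alert in #1. find_gaps() reports silent stretches in a log that ought to be continuous, the check to run on the messages archives and on the httpd log with the missing chunk. The sample lines are constructed in Red Hat / Trustix-era format; only the Dec 13 sshd line is from the thread. The pam "session opened for user ... by ..." wording, the hostname and the 2-hour threshold are assumptions.

```python
"""Scan syslog-format auth/messages lines for routes to root and for holes in time."""
import re
from datetime import datetime, timedelta

# Constructed sample. Only the Dec 13 sshd line is from the thread; the su lines
# model a local user becoming root, which leaves no remote address in the log.
SAMPLE_AUTH = """\
Nov 28 08:15:02 server sshd[812]: Accepted password for troff from 10.0.0.5 port 4021 ssh2
Nov 28 08:15:10 server su(pam_unix)[830]: session opened for user root by troff(uid=500)
Dec  2 11:04:17 server su(pam_unix)[1411]: session opened for user root by troff(uid=500)
Dec 13 09:57:08 server sshd[1970]: Accepted password for root from 123.123.123.123 port 1993 ssh2
"""

# Constructed hourly cron lines from a 'messages' log with a hole in it.
SAMPLE_MESSAGES = """\
Nov 30 23:01:00 server crond[402]: (root) CMD (run-parts /etc/cron.hourly)
Dec  1 00:01:00 server crond[403]: (root) CMD (run-parts /etc/cron.hourly)
Dec  1 01:01:00 server crond[404]: (root) CMD (run-parts /etc/cron.hourly)
Dec  3 16:01:00 server crond[460]: (root) CMD (run-parts /etc/cron.hourly)
Dec  3 17:01:00 server crond[461]: (root) CMD (run-parts /etc/cron.hourly)
"""

STAMP_RE = re.compile(r"^(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
SU_RE = re.compile(r"su\(pam_unix\)\[\d+\]: session opened for user (\S+) by (\w+)")


def parse(text, year):
    """Return [(datetime, host, rest)]. Syslog stamps omit the year, so one is
    supplied and bumped when the month runs backwards (log spanning New Year)."""
    out, last_month = [], 0
    for line in text.splitlines():
        m = STAMP_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        if when.month < last_month:
            year += 1
            when = when.replace(year=year)
        last_month = when.month
        out.append((when, m["host"], m["rest"]))
    return out


def root_access(text, year):
    """Every recorded route to root: sshd logins as root (with source IP) and su
    sessions opened for root (local user only, no remote address)."""
    events = []
    for when, _host, rest in parse(text, year):
        m = SSH_RE.search(rest)
        if m and m[2] == "root":
            events.append((when, "sshd", m[3]))
            continue
        m = SU_RE.search(rest)
        if m and m[1] == "root":
            events.append((when, "su", f"local user {m[2]}"))
    return events


def find_gaps(text, year, max_gap=timedelta(hours=2)):
    """(start, end, length) for every silence longer than max_gap between consecutive
    entries. A hole is either downtime or removed lines; check it against wtmp/uptime."""
    times = [when for when, _h, _r in parse(text, year)]
    return [(a, b, b - a) for a, b in zip(times, times[1:]) if b - a > max_gap]


if __name__ == "__main__":
    for when, how, src in root_access(SAMPLE_AUTH, 2004):
        print(f"{when:%b %d %H:%M:%S} root via {how:4} {src}")
    for start, end, length in find_gaps(SAMPLE_MESSAGES, 2004):
        print(f"gap {start:%b %d %H:%M} -> {end:%b %d %H:%M} ({length})")
```

    Feed root_access() the auth files from the backup and find_gaps() the decompressed messages archives; for the httpd access log, STAMP_RE has to be swapped for the common log format's `[DD/Mon/YYYY:HH:MM:SS +zzzz]` stamp, but the gap logic is the same.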
