Btoo (n00b)
Joined: 24 Sep 2008 Posts: 42 Location: An isolated island
Posted: Wed Sep 14, 2011 2:53 pm Post subject: Been hacked! (NOT confirmed) SOLVED
When I got up this morning I checked my system which is a Gentoo x86 hardened router running Arno's Iptables script with an IpSec Vpn and ssh being the only ports open. What I found was these files changed:
Modified:
"/lib/rc/cache/softlevel"
"/lib/rc/console"
"/lib/rc/console/default8x16.psfu.gz"
"/lib/rc/console/font"
"/lib/rc/console/keymap"
I also have a dead.letter file change and need to read that, will post back.
The softlevel file was changed to "shutdown". My question would be: could I have triggered something like this (which I doubt), or what? Could it be that a reboot caused the file changes? I have emerged a couple of programs without a reboot... Also, I was having issues with the system yesterday which seemed to be DNS related, slow or lost connections, intermittently happening (why I rebooted the system).
The firewall was set up to stop brute force attacks, but I did have a non-privileged user with ssh password access on a non-standard port.
Any help or insight would be appreciated!!
Last edited by Btoo on Wed Sep 14, 2011 8:41 pm; edited 1 time in total
chiefbag (Guru)
Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Wed Sep 14, 2011 3:17 pm Post subject:
Check your logs for signs of entry from ssh for a start.
Code: grep "Accepted" /var/log/messages
mikegpitt (Advocate)
Joined: 22 May 2004 Posts: 3224
Posted: Wed Sep 14, 2011 3:20 pm Post subject:
I believe all the files you mentioned are re-created upon a fresh boot, so IMHO changes to those files alone wouldn't signify a compromised system.
If you believe your system is compromised, I would re-emerge rkhunter, and run it to check for any rootkits. I would also look through your last logs and /var/log/messages to see if there is anything abnormal in there. If an attacker compromised your system, the logs could have been tampered with... but a lot of attacks are automated and unsophisticated, meaning they have no care to cover their tracks.
Another thing you could do if you are still unconvinced is to re-emerge tcpdump, and run it for a while to see if there is any unusual network activity (preferably during a time when you aren't really using the network, so you can sort through the logs easier).
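The log review chiefbag and mikegpitt describe, as an added example that is not from any poster in this thread: a small parser over sshd lines in the /var/log/messages format that counts failures per source address and flags any accepted login coming from an address that had failed attempts first. The hostname, users and addresses in the sample lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample sshd lines (syslog format); host, users and IPs are invented.
SAMPLE_LOG = """\
Sep 13 22:41:02 router sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Sep 13 22:41:09 router sshd[2315]: Failed password for root from 203.0.113.7 port 51030 ssh2
Sep 14 07:10:30 router sshd[2490]: Failed password for btoo from 198.51.100.23 port 39940 ssh2
Sep 14 07:02:11 router sshd[2480]: Accepted publickey for btoo from 192.0.2.10 port 40122 ssh2
Sep 14 07:15:44 router sshd[2502]: Accepted password for btoo from 198.51.100.23 port 39944 ssh2
Sep 14 07:16:01 router sshd[2502]: pam_unix(sshd:session): session opened for user btoo by (uid=0)
"""

# Matches both "Accepted <method> for <user> from <ip>" and
# "Failed <method> for [invalid user] <user> from <ip>" lines written by OpenSSH.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd(log_text):
    """Return one dict per Accepted/Failed sshd authentication line."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Count failures per source IP, list successes, and flag successes that
    followed failures from the same address (a guess that eventually worked)."""
    failed = Counter(e["ip"] for e in events if e["result"] == "Failed")
    accepted = [e for e in events if e["result"] == "Accepted"]
    suspicious = [e for e in accepted if failed.get(e["ip"], 0) > 0]
    return {"failed_per_ip": dict(failed), "accepted": accepted, "suspicious": suspicious}


if __name__ == "__main__":
    report = summarize(parse_sshd(SAMPLE_LOG))
    print("failures per IP:", report["failed_per_ip"])
    for e in report["accepted"]:
        flag = "  <-- preceded by failures" if e in report["suspicious"] else ""
        print(f'{e["ts"]} {e["method"]} login {e["user"]} from {e["ip"]}{flag}')
```

Run it against the real file with `summarize(parse_sshd(open("/var/log/messages").read()))`; a flagged password login on a box that is meant to use keys is the line worth chasing first.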
Btoo (n00b)
Joined: 24 Sep 2008 Posts: 42 Location: An isolated island
Posted: Wed Sep 14, 2011 8:40 pm Post subject:
Thanks for the replies,
I checked the logs and they were clean, never even pinged from the same address twice. I checked the filesystem with rkhunter and the system was good. The dead.letter was simply updated with new log data that I have written to it from Psad. I need to read up on rc as I have never paid much attention to it, therefore my misunderstanding of what is going on there.
Thanks again!
jowr (n00b)
Joined: 27 Dec 2008 Posts: 52
Posted: Thu Sep 15, 2011 6:52 am Post subject:
If nothing else, configure your cron daemon correctly so it doesn't crap cron output into dead.letter.
That you don't know what dead.letter is, but were worried about being hacked without even examining file contents, concerns me slightly.
chiefbag (Guru)
Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Thu Sep 15, 2011 8:07 am Post subject:
If you put the following at the top of your crontab it should prevent it outputting to mail.
Btoo (n00b)
Joined: 24 Sep 2008 Posts: 42 Location: An isolated island
Posted: Thu Sep 15, 2011 1:57 pm Post subject:
Thanks for the input, but I do know what dead.letter is. Cron is not involved, the dead.letter change was added by net-firewall/psad. Possibly the DNS/connectivity issues I was having caused a low level alert to be posted in dead.letter. I will have to look at that again to see.