lonewarrior n00b
Joined: 11 Mar 2004 Posts: 7
Posted: Thu Mar 11, 2004 7:09 am Post subject: Hacked?

Hi, I am running the 2.4.20-8 kernel. I was using Ksirc the other day when a guy was able to get hold of my login name to my Linux OS. He said it was a known security vulnerability. I would like to know how he got through my firewall and into my system. He also said that my system was now 'hacked'. How do I check whether my system is truly hacked?
I am not running any servers like Samba etc...
What precautions should I take so that such an incident doesn't occur again?

jordant n00b
Joined: 31 May 2003 Posts: 68 Location: Vancouver, BC
Posted: Thu Mar 11, 2004 7:11 am Post subject:

Often IRC clients set your user info on IRC to be the same as the user that you are logged in as, i.e. user@yourip when you do a whois. Not always - and I'm not sure about your particular client, but I wouldn't jump to the vulnerability conclusion that fast.
Sorry for the unclear explanation

theturtle123 l33t
Joined: 19 Sep 2003 Posts: 621 Location: Lille, France
Posted: Thu Mar 11, 2004 7:22 am Post subject:

Yes, by default your IRC ident is:
linux_user@youprovider.something.com
in a lot of IRC clients (xchat, bX, ...)
so anyone running an IRC client shows his/her login name to IRC... (try /whois someone on the #gentoo channel and you'll see what I mean) but if you don't run any servers (sshd/ftpd/...), it is not a security hole...
and if you do run some servers, the guy has to discover your password...
so I think he was just a laughing guy who wanted to make a joke...
to check if someone is trying to attack you, you can use "snort" but I do think it was a joke by a script kiddie

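What the whois output discussed in this thread looks like on the wire, as an added example that is not part of the original thread: it parses the server's 311 (RPL_WHOISUSER) reply and reports which fields repeat a given local login name. The sample lines, the nick, the server name and the login `jsmith` are constructed for illustration.

```python
import re

# Numeric 311 (RPL_WHOISUSER) as relayed to the requester:
#   :<server> 311 <requester> <nick> <user> <host> * :<real name>
WHOISUSER = re.compile(
    r"^:(?P<server>\S+) 311 (?P<requester>\S+) (?P<nick>\S+) "
    r"(?P<user>\S+) (?P<host>\S+) \* :(?P<realname>.*)$"
)

def parse_whoisuser(line):
    """Return the fields of a 311 reply as a dict, or None if it is not one."""
    m = WHOISUSER.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None

def exposed_fields(line, local_login):
    """List which WHOIS fields reveal the local account name.

    Servers commonly prefix the user field with '~' when no identd
    answered, so that marker is stripped before comparing.
    """
    reply = parse_whoisuser(line)
    if reply is None:
        raise ValueError("not an RPL_WHOISUSER (311) line")
    login = local_login.lower()
    found = []
    if reply["user"].lstrip("~").lower() == login:
        found.append("user")
    if login in reply["host"].lower():
        found.append("host")
    if login in reply["realname"].lower():
        found.append("realname")
    return found

# Constructed sample replies (documentation address, made-up nick).
# First: client left at its default and sent the login name as <user>.
SAMPLE_DEFAULT = ":irc.example.net 311 me lonewolf ~jsmith 203.0.113.7 * :John Smith"
# Second: client configured with a user name unrelated to the account.
SAMPLE_CUSTOM = ":irc.example.net 311 me lonewolf ~irc 203.0.113.7 * :lonewolf"

if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT, SAMPLE_CUSTOM):
        print(parse_whoisuser(sample)["user"], exposed_fields(sample, "jsmith"))
```

The user and real-name fields are whatever the client sent when it registered, so changing them in the client's settings changes what a whois shows.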
jordant n00b
Joined: 31 May 2003 Posts: 68 Location: Vancouver, BC
Posted: Thu Mar 11, 2004 7:23 am Post subject:

theturtle123 wrote: | yes by default your irc ident is: |
ahhh ident... I don't know why it slipped my mind in my post ... sigh

Suicidal l33t
Joined: 30 Jul 2003 Posts: 959 Location: /dev/null
Posted: Thu Mar 11, 2004 7:33 am Post subject:

For starters, 2.4.20-8 is a pretty old kernel. Are you running Red Hat there? There have been quite a few security vulnerabilities since then, so it would be hard to figure out which one he used. I would look in your logs for anything unusual.
I'm not keen on the vulnerabilities because I don't use any types of IMs, but when you fire up network-aware programs like that it opens up that port on your firewall so it can communicate with the IRC server. And as far as your firewall, it is part of the kernel, so if the kernel has vulnerabilities so does your firewall. Best practice is to stay updated.
As far as not letting it happen again, subscribe to the security mailing list of whatever distro you are using and always try to use the latest available kernel and packages.
Turn off any unneeded services, use iptables and define your /etc/hosts.allow and hosts.deny, as most programs compiled with tcp wrappers will look here, not just xinetd services. sshd is one that is good at doing this.

lonewarrior n00b
Joined: 11 Mar 2004 Posts: 7
Posted: Thu Mar 11, 2004 3:45 pm Post subject:

Heh, thank you all for helping me out =). I just ran a whois on my own name and it gave me my Linux login name and IP and a bunch of stuff =P. So I guess that guy was playing a joke on me =P. But I don't understand why the IRC client doesn't tell me that someone has run a whois query on me?
As for using the 2.4 kernel, I have not been able to compile the latest 2.6.4 kernel. I get too many errors when it boots up. The only problem is I dunno how to configure it. Is there some utility which can detect my system h/w and set the appropriate configs for the kernel?

ikaro Advocate
Joined: 14 Jul 2003 Posts: 2527 Location: Denmark
Posted: Thu Mar 11, 2004 6:21 pm Post subject:

try to write a short description of your hardware.
:)
_________________
linux: #232767

theturtle123 l33t
Joined: 19 Sep 2003 Posts: 621 Location: Lille, France
Posted: Thu Mar 11, 2004 8:09 pm Post subject:

genkernel is a Gentoo util to do a kernel automatically
on IRC, anyone can whois anyone... only ircops & servadmins are notified when a whois is done on them. you can't do anything against this
but on some servers you can do
Code:
/mode you_nickname +x
and your IP will be hidden but it doesn't work everywhere so try it and then re-whois yourself