Gentoo Forums
Someone just tried to hack me????
TuxeyM
Tux's lil' helper

Joined: 27 Mar 2007
Posts: 85

Posted: Sat Sep 29, 2007 12:40 am    Post subject: Someone just tried to hack me????

I don't know what is going on, maybe it is a KDE thing or very common, but this really worried me.

I had just turned the comp on, booted the PC, and entered KDE. I started Firefox and visited gentoo.org, when BAM! KDE/X is terminated and brings me back to KDM login.

So I am stressing, and I quickly
Code:
 sudo /etc/init.d/net.eth0 stop
to kill network.

Then, nano /var/log/Xorg.0.log, NOTHING to clue me in. I then hit Ctrl+Alt+F12, and there I see a string of text that says something about
Code:
authentication failure sudo(pam_unix)[712].

So there is one place to look and I did. /var/log/messages.

Here is what I get....


Code:
Sep 28 17:01:02 H4cKb0x sudo(pam_unix)[475]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:01:03 H4cKb0x (kam-24932): Received signal 15, shutting down cleanly
Sep 28 17:01:03 H4cKb0x (kam-24932): Exiting
Sep 28 17:01:03 H4cKb0x kdm[5255]: X server for display :0 terminated unexpectedly
Sep 28 17:01:03 H4cKb0x kde(pam_unix)[5332]: session closed for user kam
Sep 28 17:02:37 H4cKb0x kde(pam_unix)[525]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=kam
Sep 28 17:02:41 H4cKb0x kde(pam_unix)[525]: session opened for user kam by (uid=0)
Sep 28 17:02:55 H4cKb0x sudo(pam_unix)[712]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:02:58 H4cKb0x sudo(pam_unix)[850]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:01 H4cKb0x sudo(pam_unix)[963]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:04 H4cKb0x sudo(pam_unix)[1063]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:06 H4cKb0x sudo(pam_unix)[1135]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:09 H4cKb0x sudo(pam_unix)[1235]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:09 H4cKb0x passwd(pam_unix)[1108]: authentication failure; logname= uid=1000 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:12 H4cKb0x sudo(pam_unix)[1336]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:14 H4cKb0x sudo(pam_unix)[1407]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:16 H4cKb0x sudo(pam_unix)[1473]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:18 H4cKb0x sudo(pam_unix)[1540]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:21 H4cKb0x sudo(pam_unix)[1640]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:24 H4cKb0x sudo(pam_unix)[1743]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:26 H4cKb0x sudo(pam_unix)[1812]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:28 H4cKb0x sudo(pam_unix)[1875]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:30 H4cKb0x sudo(pam_unix)[1949]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:33 H4cKb0x sudo(pam_unix)[2048]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:36 H4cKb0x sudo(pam_unix)[2148]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:38 H4cKb0x sudo(pam_unix)[2215]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:40 H4cKb0x sudo(pam_unix)[2288]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:42 H4cKb0x sudo(pam_unix)[2352]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:45 H4cKb0x sudo(pam_unix)[2454]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:52 H4cKb0x sudo(pam_unix)[2692]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:55 H4cKb0x sudo(pam_unix)[2793]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:58 H4cKb0x sudo(pam_unix)[2897]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:04:00 H4cKb0x sudo(pam_unix)[2963]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:04:02 H4cKb0x sudo(pam_unix)[3035]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:04:03 H4cKb0x sudo(pam_unix)[2940]: authentication failure; logname= uid=0 euid=0 tty=pts/1 ruser= rhost=  user=kam
Sep 28 17:04:04 H4cKb0x sudo(pam_unix)[3102]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:04:07 H4cKb0x sudo(pam_unix)[3201]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:04:10 H4cKb0x sudo(pam_unix)[3304]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:04:10 H4cKb0x sudo:      kam : TTY=pts/1 ; PWD=/etc/init.d ; USER=root ; COMMAND=/etc/init.d/net.eth0 stop
Sep 28 17:04:11 H4cKb0x dhcpcd[5100]: eth0: received SIGTERM, stopping
Sep 28 17:04:11 H4cKb0x dhcpcd[5100]: eth0: removing default route via 192.168.1.1 metric 0
Sep 28 17:04:11 H4cKb0x dhcpcd[5100]: eth0: deleting IP address 192.168.1.101/24
Sep 28 17:04:11 H4cKb0x dhcpcd[5100]: eth0: exiting
Sep 28 17:04:11 H4cKb0x bridge-eth0: disabling the bridge
Sep 28 17:04:11 H4cKb0x bridge-eth0: down



What happened? Did I get hacked, or did something just go bonkers internally?
TuxeyM
Tux's lil' helper

Joined: 27 Mar 2007
Posts: 85

Posted: Sat Sep 29, 2007 3:28 am

I changed my password and nothing has happened since. Any guesses?
nunne
Apprentice

Joined: 27 May 2004
Posts: 165
Location: Sweden

Posted: Sat Sep 29, 2007 9:31 am

I'm pretty sure KDE/X just hung up.
I won't say I'm a KDE master.. I have almost never used it. But I think it relies heavily on sudo for some applications to work. So I'm pretty sure the auth failures invoked by sudo are a result of KDE borking out.

If someone would try to connect to you they would probably be using ssh.. and I would say sshd instead of sudo.

So I wouldn't worry too much about it :)
_________________
>>touch /dev/null
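
Added example, not part of nunne's post or of the thread: a Python parser that splits the `pam_unix` failure records quoted in the first post by service, tty and `rhost`, which is the local-versus-network distinction the reply above draws. Six sample lines are copied from that log; the `sshd` line, its address and the `year` default are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: six lines copied from the thread's log plus one constructed
# sshd line (192.0.2.10 is a documentation address) for contrast.
SAMPLE = """\
Sep 28 17:02:55 H4cKb0x sudo(pam_unix)[712]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:02:58 H4cKb0x sudo(pam_unix)[850]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:01 H4cKb0x sudo(pam_unix)[963]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:03:09 H4cKb0x passwd(pam_unix)[1108]: authentication failure; logname= uid=1000 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:04:03 H4cKb0x sudo(pam_unix)[2940]: authentication failure; logname= uid=0 euid=0 tty=pts/1 ruser= rhost=  user=kam
Sep 28 17:04:10 H4cKb0x sudo:      kam : TTY=pts/1 ; PWD=/etc/init.d ; USER=root ; COMMAND=/etc/init.d/net.eth0 stop
Sep 28 17:05:00 H4cKb0x sshd(pam_unix)[4000]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=kam
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\w+)\(pam_unix\)\[\d+\]: "
                  r"authentication failure; (.*)$")

def parse_failures(text, year=2007):
    """Yield (timestamp, service, fields) per pam_unix failure; year is assumed."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a pam_unix failure, e.g. the sudo command audit line
        stamp, service, rest = m.groups()
        # key=value pairs; empty values such as "tty=" or "rhost=" become ''
        fields = dict(re.findall(r"(\w+)=(\S*)", rest))
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, service, fields

def summarize(text):
    """Map (service, tty, origin) -> (failure count, seconds from first to last)."""
    groups = defaultdict(list)
    for ts, service, f in parse_failures(text):
        key = (service, f.get("tty") or "none", f.get("rhost") or "local")
        groups[key].append(ts)
    return {k: (len(v), int((max(v) - min(v)).total_seconds()))
            for k, v in groups.items()}

def remote_failures(text):
    """Failures that name a remote host, i.e. arrived over the network."""
    return [(s, f["rhost"], f.get("user", ""))
            for _, s, f in parse_failures(text) if f.get("rhost")]

if __name__ == "__main__":
    for key, (n, span) in sorted(summarize(SAMPLE).items()):
        print(key, f"{n} failure(s) over {span}s")
    print("remote:", remote_failures(SAMPLE))
```

Every failure record in the first post's log has an empty `rhost`, so `remote_failures` returns nothing for it; only the constructed `sshd` line is reported here.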
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54821
Location: 56N 3W

Posted: Sat Sep 29, 2007 10:40 am

TuxeyM,

This shows your Xorg shutting down and going back to the login.
Code:
Sep 28 17:01:02 H4cKb0x sudo(pam_unix)[475]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=kam
Sep 28 17:01:03 H4cKb0x (kam-24932): Received signal 15, shutting down cleanly
Sep 28 17:01:03 H4cKb0x (kam-24932): Exiting
Sep 28 17:01:03 H4cKb0x kdm[5255]: X server for display :0 terminated unexpectedly
Sep 28 17:01:03 H4cKb0x kde(pam_unix)[5332]: session closed for user kam


Whatever was happening, someone was on the system with username kam.
If that wasn't you, maybe you have a problem.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
TuxeyM
Tux's lil' helper

Joined: 27 Mar 2007
Posts: 85

Posted: Sat Sep 29, 2007 10:57 am

No, that IS my username...

However, why would it give me all those authentication failures?
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54821
Location: 56N 3W

Posted: Sat Sep 29, 2007 11:13 am

TuxeyM,

Unless you can repeat it, we probably can't investigate further.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
All times are GMT