mlsfit138 Guru
Joined: 20 Sep 2003 Posts: 406 Location: Washington
Posted: Tue Oct 21, 2003 7:43 am Post subject: does this mean i've been hacked?
This was in /var/log/critical/:

```
Oct 9 06:32:06 [login(pam_unix)] check pass; user unknown
Oct 9 16:51:50 [login(pam_unix)] check pass; user unknown
```
This was in /var/log/telnet/:

```
Oct 9 16:51:53 [login] FAILED LOGIN 1 FROM /dev/vc/1 FOR UNKNOWN, Authentication failure
Oct 10 04:16:00 [login] FAILED LOGIN 1 FROM /dev/vc/1 FOR converged, Authentication failure
Oct 10 04:16:00 [login] FAILED LOGIN 1 FROM /dev/vc/1 FOR converged, Authentication failure
Oct 10 04:28:12 [login] FAILED LOGIN 1 FROM /dev/vc/1 FOR converged, Authentication failure
Oct 10 04:28:12 [login] FAILED LOGIN 1 FROM /dev/vc/1 FOR converged, Authentication failure
```
This says that someone's telnet attempt failed, but I didn't think I was running telnet at all, so it's a lil suspicious. Besides, if someone got root access, they would doctor all my logs anyway, right?
When I installed Gentoo, during the adsl-setup script, I used option "1" security settings (appropriate for a stand alone computer). Do I as a private user need more security than that?
fleed l33t
Joined: 28 Aug 2002 Posts: 756 Location: London
Posted: Tue Oct 21, 2003 8:14 am
I think you're using metalog, and metalog places messages from login in the telnet folder, but that doesn't mean you're running telnet. Try connecting via telnet from another machine to see if your telnet port is open.
nephros Advocate
Joined: 07 Feb 2003 Posts: 2139 Location: Graz, Austria (Europe - no kangaroos.)
Posted: Tue Oct 21, 2003 8:15 am
/dev/vc/1 is your local virtual console.
So unless the logs have been tampered with, I don't think this indicates a remote compromise.
_________________
Please put [SOLVED] in your topic if you are a moron.
![](templates/gentoo/images/spacer.gif) |
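Added example, not from any poster in this thread: a small Python parser for the `[login] FAILED LOGIN` lines quoted in the first post. It applies nephros's point programmatically: login(1) writes the tty into the FROM field when there is no remote host, so a `/dev/vc/N` or `ttyN` origin is a local console and the failure is local, whereas a hostname or address there means the attempt came over the network. The sample log is the thread's lines plus one constructed remote failure from the documentation address 192.0.2.10 (not a real host) so the local/remote split is visible; the `LOCAL_TTY_RE` pattern is an assumption about device naming, not something the thread states.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the five lines from the thread plus one made-up remote
# failure (192.0.2.10 is a documentation address) to show the contrast.
SAMPLE_LOG = """\
Oct 9 16:51:53 [login] FAILED LOGIN 1 FROM /dev/vc/1 FOR UNKNOWN, Authentication failure
Oct 10 04:16:00 [login] FAILED LOGIN 1 FROM /dev/vc/1 FOR converged, Authentication failure
Oct 10 04:16:00 [login] FAILED LOGIN 1 FROM /dev/vc/1 FOR converged, Authentication failure
Oct 10 04:28:12 [login] FAILED LOGIN 1 FROM /dev/vc/1 FOR converged, Authentication failure
Oct 10 04:28:12 [login] FAILED LOGIN 1 FROM /dev/vc/1 FOR converged, Authentication failure
Oct 10 05:00:00 [login] FAILED LOGIN 3 FROM 192.0.2.10 FOR root, Authentication failure
"""

# login(1) format: "FAILED LOGIN <n> FROM <tty-or-host> FOR <user>, <reason>"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \[login\] FAILED LOGIN (?P<n>\d+) "
    r"FROM (?P<origin>\S+) FOR (?P<user>\S+), (?P<reason>.*)$"
)
# Assumed naming of local console devices (virtual consoles and ttys).
LOCAL_TTY_RE = re.compile(r"^(/dev/)?(vc/|tty)\d+$")


@dataclass
class FailedLogin:
    ts: str
    attempt: int
    origin: str
    user: str
    reason: str

    @property
    def local(self) -> bool:
        """True when the FROM field names a local console rather than a host."""
        return bool(LOCAL_TTY_RE.match(self.origin))


def parse_failed_logins(text):
    """Return one FailedLogin per matching line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append(FailedLogin(m["ts"], int(m["n"]), m["origin"],
                                      m["user"], m["reason"]))
    return events


def summarize(events):
    """Count failures per (origin, user), split into local vs remote buckets."""
    summary = {"local": Counter(), "remote": Counter()}
    for e in events:
        summary["local" if e.local else "remote"][(e.origin, e.user)] += 1
    return summary


if __name__ == "__main__":
    for bucket, counts in summarize(parse_failed_logins(SAMPLE_LOG)).items():
        for (origin, user), n in counts.items():
            print(f"{bucket:6s} {origin:12s} user={user:10s} failures={n}")
```

Run against a real file with `parse_failed_logins(open("/var/log/telnet/current").read())` (path as in the poster's metalog layout). Anything in the `remote` bucket is what deserves attention; the thread's own lines all land in `local`.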
mlsfit138 Guru
Joined: 20 Sep 2003 Posts: 406 Location: Washington
Posted: Tue Oct 21, 2003 8:54 am
> fleed wrote: I think you're using metalog, and metalog places messages from login in the telnet folder but that doesn't mean you're running telnet. Try connecting via telnet from another machine to see if your telnet port is open.

You are right. I am using metalog. That would explain everything. I was just surprised to find a telnet log at all. I can't get on another person's box at the moment (I have no friends), but wouldn't telnetd show up with a ps -A? Besides, you've solved the problem anyway.

> nephros wrote: /dev/vc/1 is your local virtual console.
> So unless the logs have been tampered with I don't think this indicates a remote compromise.

Thank you Mr. Kidney. I was hoping someone would tell me that was just a local virtual console!
I guess there is no problem yet guys, so I don't have to be so paranoid at the moment. However, do you believe that it is necessary for a private home internet user to use iptables, or some other firewall software? Is Gentoo's default setup secure enough?
really Guru
Joined: 27 Aug 2002 Posts: 430 Location: nowhere
Posted: Tue Oct 21, 2003 3:49 pm
I would use iptables.. you don't notice any performance bloat or anything, it just provides some security, and you can use it to NAT..
_________________
NoManNoProblem
Get lost before you get shot.
fleed l33t
Joined: 28 Aug 2002 Posts: 756 Location: London
Posted: Wed Oct 22, 2003 9:24 am
You could find which ports are open through a remote security testing site such as grc.com or broadbandreports.com. Those should test your ports and tell you which ones are accepting connections.
To find which ports your box has open, run "netstat -a | grep LISTENING". The problem with that is if you've been chrooted the evildoer might have replaced netstat with one that doesn't show you his port, so remote probing is safer.
really Guru
Joined: 27 Aug 2002 Posts: 430 Location: nowhere
Posted: Wed Oct 22, 2003 3:01 pm
> fleed wrote: You could find which ports are open through a remote security testing site such as grc.com or broadbandreports.com. Those should test your ports and tell you which ones are accepting connections.
> To find which ports your box has open, run "netstat -a | grep LISTENING". The problem with that is if you've been chrooted the evildoer might have replaced netstat with one that doesn't show you his port, so remote probing is safer.

Yes, do a remote probing too..
But |grep LISTENING is not needed.
Do a netstat -anp -tcp instead
or netstat -anp -udp
It might be that the "hacker" is already connected and the connection is established; then grepping for LISTENING won't list it ;)
_________________
NoManNoProblem
Get lost before you get shot.
![](templates/gentoo/images/spacer.gif) |
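Added example, not from any poster here: the Linux kernel exposes the socket table that netstat reads as the text file /proc/net/tcp, so a defender can enumerate both LISTEN and ESTABLISHED sockets (the point really makes about not filtering on LISTENING) without trusting a netstat binary that may have been swapped out. The snapshot below is constructed, not captured from a real host; addresses are decoded assuming the little-endian hex layout the kernel uses on x86, and 192.0.2.x are documentation addresses. The caveat from fleed's post still holds: something running in the kernel can also lie in /proc, so the remote probe remains the independent check.

```python
import socket
import struct

# Constructed /proc/net/tcp snapshot (not from a real machine):
#   row 0: a listener on 0.0.0.0:22
#   row 1: a listener bound to loopback only, 127.0.0.1:25
#   row 2: an established session from 192.0.2.10 into local port 22
#   row 3: a TIME_WAIT leftover from an outbound connection to port 80
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11112 1 0000000000000000 100 0 0 10 0
   2: 010200C0:0016 0A0200C0:C39A 01 00000000:00000000 00:00000000 00000000     0        0 11113 1 0000000000000000 100 0 0 10 0
   3: 010200C0:D0F2 0A0200C0:0050 06 00000000:00000000 03:00000A5B 00000000     0        0 0 3 0000000000000000
"""

# Socket state codes as printed in the "st" column (include/net/tcp_states.h).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_endpoint(field):
    """'0100007F:0019' -> ('127.0.0.1', 25). Address is host-order hex
    (little-endian on x86), port is plain big-endian hex."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into a list of socket dicts."""
    sockets = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        sockets.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),             # 0 for sockets no process owns
        })
    return sockets


def listening(sockets):
    return [s for s in sockets if s["state"] == "LISTEN"]


def established(sockets):
    return [s for s in sockets if s["state"] == "ESTABLISHED"]


def external_listeners(sockets):
    """Listeners not bound to loopback: what a remote probe could reach."""
    return [s for s in listening(sockets) if not s["local"][0].startswith("127.")]


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as f:      # real table when run on Linux
            table = f.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP           # fall back to the constructed sample
    for s in parse_proc_net_tcp(table):
        if s["state"] in ("LISTEN", "ESTABLISHED"):
            print(f'{s["state"]:11s} {s["local"][0]}:{s["local"][1]}'
                  f' <- {s["remote"][0]}:{s["remote"][1]} uid={s["uid"]} inode={s["inode"]}')
```

The `inode` column is what `netstat -p` resolves to a process by scanning `/proc/<pid>/fd` for a `socket:[inode]` symlink; that lookup is left out here so the block runs offline. IPv6 sockets live in `/proc/net/tcp6` with 32-hex-digit addresses and are not handled by this parser.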
mlsfit138 Guru
Joined: 20 Sep 2003 Posts: 406 Location: Washington
Posted: Wed Oct 22, 2003 11:48 pm
I went to grc.com and did the remote probe. Everything came out ok, kinda: my ports were closed, but they were detectable. I don't think I have been hacked. Metalog's habit of putting stuff in the telnet directory just caused me to panic.
I think I'm going to install shorewall. Gentoo's security guide suggested however that a bad firewall implementation is worse than no firewall, and it says to "consider if you really need one", which to me suggests that they are discouraging the average user from getting one. I dunno, I'll try it out. I really can't see how it could hurt. I'll probably learn a few things on the way.
Thanks for all of your help. :D