Full Version: Have I been hacked?
The Planet Forums > System Administration > General Support Questions
qwertyjoe
I received the 1st message in my daily logwatch file. Have I been hacked? The IP is very close to my own. Normally I get an email when someone logs in as root, but not this time. No one is on the server but me. How can I check? Plus, in my logwatch this morning, I received the 2nd message at the bottom. Again, no email about anyone logging in as root. I thought I had my server set up so that you had to log in as root after admin. I banned the 2 IPs from my server. Please advise. Thanks.


1st message:
Users logging in through sshd:
myuserid logged in from balin.visn.co.uk (69.57.146.32) using password: 1 Times(s)

**Unmatched Entries**
Bad protocol version identification '' from 69.57.146.32

2nd message:
Users logging in through sshd:
myuserid logged in from 66.216.68.206 using password: 1 Times(s)
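The two logwatch excerpts above are the whole evidence in this thread, so it is worth showing how to read them mechanically. The following is an added example, not code from the original post: it parses the "Users logging in through sshd" section and the "Bad protocol version identification" line, then flags any password login from an address outside an allowlist, and notes when the same address also sent a bad SSH banner (which is what a scanner or a raw TCP probe of port 22 produces). The sample report is constructed in the shape of the post's excerpts; the `admin ... publickey` line, the 69.57.146.10 address and the `KNOWN_GOOD_SOURCES` list are assumptions for the example.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the two logwatch excerpts quoted above.
# The two password logins and the bad-banner line mirror the post; the
# "admin ... publickey" line and its address are invented for contrast.
SAMPLE_LOGWATCH = """\
Users logging in through sshd:
   myuserid logged in from balin.visn.co.uk (69.57.146.32) using password: 1 Times(s)
   myuserid logged in from 66.216.68.206 using password: 1 Times(s)
   admin logged in from 69.57.146.10 using publickey: 3 Times(s)

 **Unmatched Entries**
   Bad protocol version identification '' from 69.57.146.32
"""

# Where the admin normally connects from (assumption for the example; in
# practice the admin's own static address or VPN range).
KNOWN_GOOD_SOURCES = [ipaddress.ip_network("69.57.146.10/32")]

# "user logged in from host (1.2.3.4) using method: N Times(s)"; the host
# part is absent when logwatch could not resolve the address.
LOGIN_RE = re.compile(
    r"^\s*(?P<user>\S+) logged in from "
    r"(?:(?P<host>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)? "
    r"using (?P<method>\w+): (?P<count>\d+) Times?\(s\)"
)
# sshd logs this when a client sends something other than "SSH-x.y-..." as
# its first line: a port scanner or a raw TCP connect, not a real login.
BAD_BANNER_RE = re.compile(
    r"Bad protocol version identification '(?P<banner>[^']*)' from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_logwatch(text: str) -> Dict[str, List[dict]]:
    """Split the sshd section of a logwatch report into logins and banner probes."""
    logins: List[dict] = []
    probes: List[dict] = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins.append({
                "user": m["user"], "host": m["host"], "ip": m["ip"],
                "method": m["method"], "count": int(m["count"]),
            })
            continue
        m = BAD_BANNER_RE.search(line)
        if m:
            probes.append({"ip": m["ip"], "banner": m["banner"]})
    return {"logins": logins, "probes": probes}


def is_known_source(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_GOOD_SOURCES)


def suspicious_logins(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (user, ip, reasons) for every login that deserves a second look."""
    parsed = parse_logwatch(text)
    probing_ips = {p["ip"] for p in parsed["probes"]}
    findings = []
    for entry in parsed["logins"]:
        reasons = []
        if not is_known_source(entry["ip"]):
            reasons.append("source address not in the known-good list")
        if entry["method"] == "password":
            reasons.append("password authentication (no key was used)")
        if entry["ip"] in probing_ips:
            reasons.append("same address also sent a bad SSH protocol banner")
        if reasons:
            findings.append((entry["user"], entry["ip"], reasons))
    return findings


if __name__ == "__main__":
    for user, ip, reasons in suspicious_logins(SAMPLE_LOGWATCH):
        print(f"{user} from {ip}: " + "; ".join(reasons))
```

Run against the sample it reports both `myuserid` logins and nothing for the key-based `admin` login. A password login from an unknown address is not proof of compromise on its own, but "password" in that field means whoever connected knew (or guessed) the account's password, which is the question the poster is asking.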
dynamicnet
Greetings:

This just means they logged in.

Do you have tripwire or a similar tool installed that shows you file system changes?

Does chkrootkit or rkhunter show any root kits installed?

Thank you.
qwertyjoe
chkrootkit shows nothing out of the ordinary that I see except the line below.

"eth0 is not promisc"

And under

"Searching for suspicious files and dirs, it may take a while..."

there are a lot of files listed. This list seems longer than normal.

No, I do not have Tripwire installed but will get a copy. I don't know how these people were able to login, though. Where would they get the password? Thanks for your help and reply.
qwertyjoe
Here is the list of suspicious files that chkrootkit reports. Is there anything you might suspect could have been installed? Thanks again.

Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.6.1/i386-linux/.packlist /usr/lib/perl5/5.6.1/i386-linux/auto/File/Spec/.packlist /usr/lib/perl5/5.6.1/i386-linux/auto/CPAN/.packlist /usr/lib/perl5/5.6.1/i386-linux/auto/Test/Harness/.packlist /usr/lib/perl5/5.6.1/i386-linux/auto/CGI/.packlist /usr/lib/perl5/5.6.1/i386-linux/auto/Cwd/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/File/Spec/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/CPAN/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/Test/Harness/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/Storable/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/Time/HiRes/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/CGI/.packlist /usr/lib/perl5/5.6.1/i686-linux/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/DBI/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Digest/MD5/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Digest/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Compress/Zlib/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Data/Dumper/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Term/ReadKey/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Archive/Tar/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/MD5/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/HTML/Parser/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Net/DNS/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Net/SSLeay/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Net/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/GD/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Mail/SpamAssassin/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/MIME/Base64/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/URI/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/libwww-perl/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Image/Size/.packlist 
/usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Safe/Hole/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/IO-stringy/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/SQL/Statement/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Storable/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Spreadsheet/WriteExcel/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Spreadsheet/ParseExcel/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/IO/Zlib/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/OLE/Storage_Lite/.packlist /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/List/Util/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Digest/MD5/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Digest/SHA1/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Digest/HMAC/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Compress/Zlib/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/Telnet/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/Daemon/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/DNS/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/SSLeay/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/ICQV5CD/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/ICQV5/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/ICQ/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/AIM/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Term/ReadKey/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Term/ReadLine/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/CPAN/WAIT/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Test/Simple/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Archive/Tar/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Archive/Zip/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/MIME/Base64/.packlist 
/usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/MIME/Lite/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Mail/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Mail/SpamAssassin/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/IO-stringy/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/MIME-tools/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/RPC/PlServer/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/DBI/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/DBD/Multiplex/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/URI/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/HTML/Tagset/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/HTML/Parser/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/HTML/FillInForm/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/HTML/Clean/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/HTML/SimpleParse/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/libwww-perl/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/OLE/Storage_Lite/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Image/Size/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Safe/Hole/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Tie/ShadowHash/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Tie/Watch/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Tie/IxHash/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Business/UPS/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Business/OnlinePayment/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Business/OnlinePayment/AuthorizeNet/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/SQL/Statement/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Spreadsheet/ParseExcel/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Spreadsheet/WriteExcel/.packlist 
/usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Parse/RecDescent/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Text/Balanced/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Text/CSV_XS/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Convert/ASN1/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Convert/BER/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/perl-ldap/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/MLDBM/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/MLDBM/Sync/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Devel/Symdump/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/XML/Parser/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/XML/RegExp/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/XML/XSLT/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Persistent/Base/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Persistent/DBI/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Crypt/Blowfish/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Crypt/Blowfish_PP/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Crypt/CBC/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Crypt/DES/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Crypt/SSLeay/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/libxml-perl/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/XML-DOM/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Curses/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Apache/Filter/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Apache/Mysql/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/mod_perl/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Data/ShowTable/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Data/Dumper/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/GD/Text/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/GD/Graph/.packlist 
/usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/GD/Graph3d/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/GD/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/IO/Stty/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/IO/Tty/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/SOAP/Lite/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Tree/MultiNode/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/MD5/.packlist /usr/lib/php/.registry /usr/lib/php/.lock /usr/lib/php/.filemap
wstahlhut
All looks OK. su to that ID and check the 'history' to see what they were up to. Then ensure both Rootkit Hunter and chkrootkit run daily; Rootkit Hunter does a hash of all your files and will tell you if any change.

Both below talk about setting them up to run and email you the results...

Chkrootkit

Rootkithunter

Daily cron is the same logic for both. Also consider APF, KISS My Firewall or others, and watch your log files :)
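Both dynamicnet's suggestion (Tripwire or similar to show file system changes) and the daily-cron advice above come down to the same mechanism: record a baseline of hashes, permission bits and ownership while the box is believed clean, then diff against it on a schedule. The block below is an added example, not code from the thread or from Tripwire/rkhunter; it builds such a baseline, diffs two baselines, and includes a `demo()` that stages a same-size content swap plus a newly set setuid bit on a fake `bin/ls` and a dropped dotfile in a scratch directory. The `init`/`check` command-line usage and the file layout are assumptions.

```python
import hashlib
import json
import os
import stat
import sys
import tempfile
from typing import Dict, List, Tuple

FIELDS = ("sha256", "mode", "uid", "gid", "size")


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, dict]:
    """Record hash, permission bits and ownership of every regular file under root."""
    baseline: Dict[str, dict] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": hash_file(full),
                "mode": oct(stat.S_IMODE(st.st_mode)),  # setuid/setgid bits included
                "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
            }
    return baseline


def compare_baseline(old: Dict[str, dict], new: Dict[str, dict]) -> dict:
    """Diff two baselines: new files, missing files, and files whose recorded fields differ."""
    changed: List[Tuple[str, List[str]]] = []
    for rel in sorted(set(old) & set(new)):
        diffs = [k for k in FIELDS if old[rel][k] != new[rel][k]]
        if diffs:
            changed.append((rel, diffs))
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": changed,
    }


def demo() -> dict:
    """Stage a trojaned setuid binary and a dropped dotfile in a scratch tree (constructed data)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        ls = os.path.join(root, "bin", "ls")
        with open(ls, "wb") as f:
            f.write(b"original ls binary\n")
        before = build_baseline(root)
        # Same size, different contents, and the setuid bit switched on:
        # a size-only check would miss this, the hash and mode fields do not.
        with open(ls, "wb") as f:
            f.write(b"trojaned ls binary\n")
        os.chmod(ls, 0o4755)
        with open(os.path.join(root, ".hidden"), "wb") as f:
            f.write(b"x")
        after = build_baseline(root)
        return compare_baseline(before, after)


if __name__ == "__main__":
    # Usage: baseline.py init <dir> <baseline.json> | baseline.py check <dir> <baseline.json>
    if len(sys.argv) == 4 and sys.argv[1] in ("init", "check"):
        cmd, root, path = sys.argv[1:]
        if cmd == "init":
            with open(path, "w") as f:
                json.dump(build_baseline(root), f, indent=1)
        else:
            with open(path) as f:
                report = compare_baseline(json.load(f), build_baseline(root))
            print(json.dumps(report, indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

Two caveats a practitioner would add. The baseline file has to live somewhere the intruder cannot edit (off the box, or on read-only media), or the daily diff is meaningless. And any userland hasher, this one or rkhunter, reads files through the kernel; a kernel-level rootkit can serve the original bytes to the scanner while executing something else, which is why the rootkit checkers are a complement to, not a substitute for, a known-clean boot medium when the answer really matters.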
qwertyjoe
QUOTE (wstahlhut)
All looks OK. su to that ID and check the 'history' to see what they were up to. Then ensure both Rootkit Hunter and chkrootkit run daily; Rootkit Hunter does a hash of all your files and will tell you if any change.

Here's the history for one of my sites. The other site's history is below this one. Thanks for your help.

1 su -
2 ls
3 ls -l
4 cd public_html
5 ls
6 cd /
7 ls
8 cd /home
9 ls
10 cd admin
11 ls
12 cd /
13 ls
14 cd etc
15 ls
16 locate httpd.conf
17 update db
18 updatedb
19 pico ypserv.conf
20 ls
21 pico yp.conf
22 pico yp.conf
23 ls
24 edit rc
25 pico rc
26 chkconfig --list
27 mail
28 su -
29 ls
30 cd mail
31 ls
32 mail
33 su -
34 su -

Here's the history for the other one.

1 uptime
2 who
3 /usr/local/apache/domlogs/mysite.com
4 vi /usr/local/apache/domlogs/mysite.com
5 su -
6 ls
7 cd www
8 ls
9 cd songs
10 ls
11 cd tmp
12 pico /etc/exim.conf
13 pico /etc/exim.conf
14 su -
15 cd /
16 ls
17 cd home2
18 ls
19 cd lib
20 cd etc
21 cd home2
22 ls
23 pwd
24 cd root
25 ls -l
wstahlhut
Someone is up to no good. Unless they changed the config files, they were collecting data for a full-out attack on the box later. If they are tied to sites, delete the sites, or at least change/set passwords on them. No wgets or lynx downloads; that's a good sign. At this point it's a 50/50 call, but my guess would be that the server is OK. Did you check root's history also? If so, is anything you do not know listed there? I would also add both IPs to my firewall or at least to hosts.deny. I have used APF and would suggest it for an Ensim server any day, as it's a well-written script :)
qwertyjoe
Actually, they never logged in as root. Just on two of my sites as users. I think I will change it so no one can log in through SSH. It's only me and I can log in as root.

The history as root looks uncompromised. Thanks again for your help.
smack
Yeah man, that's not looking like friendly activity. You sure none of those superuser commands succeeded?

Regardless, it seems very possible that somebody located at your same ISP is sniffing. Are you using SSH protocol 2 only?

I would contact whoever is in charge of the IPs he/she logged in from... from what you said it's probably your ISP. This person isn't too clever. Probably the next-door neighbor kid :)
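smack's "protocol 2 only" question and wstahlhut's hosts.deny suggestion are both settings that can be checked rather than guessed at. The block below is an added example, not from the thread: it parses an sshd_config the way sshd does (first occurrence of a keyword wins, `#` starts a comment), reports the settings this thread is about, and emits the TCP-wrappers lines for the two addresses from the post. Both config texts are constructed; the `admin` user in `AllowUsers` is taken from the poster's own mention of logging in "as root after admin" and is otherwise an assumption. The "unset means yes" treatment of `PermitRootLogin` reflects OpenSSH releases of this thread's era, before 7.0 changed the default.

```python
import re
from typing import Dict, List

# Constructed examples, not config from the thread. The first is the shape a
# permissive install of the era could have; the second is the shape to aim for.
WEAK_SSHD_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin          # only this account may authenticate at all (assumed name)
MaxAuthTries 3
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Keyword -> value with lower-cased keys; sshd honours the first occurrence of a keyword."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        conf.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return conf


def audit_sshd_config(text: str) -> List[str]:
    """Findings, in fixed order, for the settings discussed in this thread."""
    conf = parse_sshd_config(text)
    findings: List[str] = []
    protocols = {p.strip() for p in conf.get("protocol", "").split(",")}
    if "1" in protocols:
        findings.append("Protocol 1 is enabled; set 'Protocol 2'")
    elif "protocol" not in conf:
        findings.append("Protocol not set explicitly; set 'Protocol 2' rather than rely on the build default")
    # Older OpenSSH defaults PermitRootLogin to yes when the keyword is absent.
    if conf.get("permitrootlogin", "yes").lower() == "yes":
        findings.append("PermitRootLogin is yes (or unset); set it to no and su/sudo from a normal account")
    if conf.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is enabled; move to keys and set it to no")
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("no AllowUsers/AllowGroups restriction; every local account is a valid SSH target")
    return findings


def hosts_deny_lines(ips: List[str], service: str = "sshd") -> List[str]:
    """/etc/hosts.deny entries (TCP wrappers; only effective if sshd is built with libwrap)."""
    return [f"{service}: {ip}" for ip in ips]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"[{label}]")
        for finding in audit_sshd_config(cfg) or ["no findings"]:
            print("  " + finding)
    print("\n".join(hosts_deny_lines(["69.57.146.32", "66.216.68.206"])))
```

Protocol 1 is the part that matters for smack's sniffing worry: v1 sessions are the ones with known weaknesses a network-adjacent attacker can use, and "Protocol 2" shuts that door. On OpenSSH 7.6 and later the keyword is deprecated because v1 support was removed entirely, so the Protocol check is only meaningful on builds as old as the one in this thread; the root-login, password and AllowUsers checks apply to any version.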