[ale] Have I been hacked?

Jim Popovitch yahoo at jimpop.com
Thu Jan 8 21:44:14 EST 2009


Be aware that VNC doesn't encrypt your IP traffic, so everything you
do via VNC can be seen by others on the same network(s).

-Jim P.

On 2009-01-08, Mark Wright <mark_wright at bellsouth.net> wrote:
>
> On Jan 8, 2009, at 8:40 PM, Michael B. Trausch wrote:
>
>> On Thu, 8 Jan 2009 20:14:07 -0500
>> Mark Wright <mark_wright at bellsouth.net> wrote:
>>
>>> Has someone hacked my box and changed the password?  Specifically,
>>> before I reset the password and go on as if nothing happened, how
>>> can I tell?
>>>
>>> Thanks for your thoughts.
>>
>> If you left VNC open, I'd check your command history.  Check also your
>> system logs, and check your files for modification times which seem
>> wrong.  Check the process list for anything that looks unfamiliar to
>> you that would have been started since you last used your password.
>> Check your netstat list to see what network ports are in use and
>> see if
>> there is anything in that list which you cannot account for.  Check
>> these things on other machines on your home network which are
>> reachable
>> from your system, as well.
>>
>> Do keep in mind that one of two things would have been required to
>> change your password:  (1) root access to the box, or (2) your current
>> password (note that I am assuming a reasonably sane PAM configuration
>> that doesn't permit you to change your password without first
>> supplying your current one). If someone got #2, and you have sudo
>> privileges, then they probably got #1 also, and someone who is
>> sufficiently learned on UNIX-like systems will be able to cover their
>> tracks pretty well if they get root access to your box. The only truly
>> safe option is to audit your ${HOME} and reinstall the system if you
>> suspect that you have been compromised in some way---well, that is,
>> it's the only truly safe option if you don't have signatures of your
>> files tucked away somewhere so that you can verify all of their
>> contents.  I don't know about your system, but on my system there are
>> over half a million files between my ${HOME} and /usr---there is
>> simply
>> no way that I could verify them manually.
>>
>> Essentially, if you can't be sure one way or another, reinstall the
>> system and start with a clean ${HOME}---or at least, keep your data,
>> and throw away any software in ${HOME} that you are unable to audit
>> and
>> rebuild it.
>>
>> 	--- Mike
>>
>
> Thanks Mike,
>
> I had looked in /var/log/auth.log  and found an entry at 7:30 this
> morning that I don't understand.  I am still worried by what I see in
> this log even though I just solved the password problem.
>
> As I stated in the original post I was using VNC from an iPod to get
> into the box.  Well obviously it has whacked my keyboard.  No matter
> what I do I can't get a number out of it.  My password has lots of
> numbers.  No matter what I try I get ()&^%$.  So I patiently cut and
> pasted numbers from a text document to write out my password and then
> pasted that into the password field for the package manager.  It
> worked fine, proving my password has not been changed.  I've just
> lost the ability to type numbers.
>
> A quick restart fixed the keyboard.  My remaining question is does
> the entry in /var/log/auth.log indicate trouble?  It shows some
> authorization action involving my userid at 7:30 this morning while I
> was on the road to Norcross.  I don't know if this is normal.
>
> See the log below.
>
> Jan  7 07:35:02 Gateway-Ubuntu sudo:     root : TTY=unknown ; PWD=/ ; USER=mark ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/use_http_proxy
> Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session opened for user mark by (uid=0)
> Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session closed for user mark
> Jan  7 07:35:02 Gateway-Ubuntu sudo:     root : TTY=unknown ; PWD=/ ; USER=mark ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/host
> Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session opened for user mark by (uid=0)
> Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session closed for user mark
> Jan  7 07:35:02 Gateway-Ubuntu sudo:     root : TTY=unknown ; PWD=/ ; USER=mark ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/port
> Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session opened for user mark by (uid=0)
> Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session closed for user mark
>
>


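Mark's actual question is whether the sudo entries he pasted mean someone was on the box at 07:35. The parser below is an added example for this archive page, not code from the thread: it pulls the `sudo: <invoker> : TTY=... ; PWD=... ; USER=... ; COMMAND=...` lines out of an auth.log extract, splits them into fields, and separates the shape of a non-interactive system job (root invoking `sudo -u <user>`, `TTY=unknown`, `PWD=/`, several commands in the same second) from the shape of a person typing at a terminal or VNC session (a real `pts/N` or `ttyN`, the user's own working directory). The sample log is constructed: it reuses the three command lines quoted above and adds one hypothetical interactive entry on Jan 8 for contrast.

```python
import re

# Constructed sample: the three sudo COMMAND lines from the thread, with the
# pam_unix session lines interleaved as in the original, plus one invented
# interactive entry so the two shapes can be compared side by side.
SAMPLE_AUTH_LOG = """\
Jan  7 07:35:02 Gateway-Ubuntu sudo:     root : TTY=unknown ; PWD=/ ; USER=mark ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/use_http_proxy
Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session opened for user mark by (uid=0)
Jan  7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session closed for user mark
Jan  7 07:35:02 Gateway-Ubuntu sudo:     root : TTY=unknown ; PWD=/ ; USER=mark ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/host
Jan  7 07:35:02 Gateway-Ubuntu sudo:     root : TTY=unknown ; PWD=/ ; USER=mark ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/port
Jan  8 23:12:41 Gateway-Ubuntu sudo:     mark : TTY=pts/1 ; PWD=/home/mark ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
"""

# One sudo command record: syslog timestamp, host, invoking user, TTY, PWD,
# target user and the command. pam_unix session open/close lines do not match
# and are deliberately ignored; they carry no command.
SUDO_CMD_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+sudo:\s+(?P<invoker>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+"
    r"PWD=(?P<pwd>\S+)\s+;\s+USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<command>.+)$"
)


def parse_sudo_commands(text):
    """Return one dict per sudo COMMAND line, in log order."""
    events = []
    for line in text.splitlines():
        match = SUDO_CMD_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def classify(event):
    """Heuristic only: root running sudo with no controlling terminal and PWD=/
    is how cron jobs and daemons look; anything with a real TTY was typed."""
    if event["invoker"] == "root" and event["tty"] == "unknown" and event["pwd"] == "/":
        return "automated"
    return "interactive"


def review(text, expected_users=("mark",)):
    """Summarise a log extract for a defender: list every interactive sudo
    (flagging invokers outside expected_users) and tally automated entries
    per command, so a chatty but benign system job does not bury the
    handful of lines that actually need an explanation."""
    interactive = []
    automated = {}
    for event in parse_sudo_commands(text):
        if classify(event) == "automated":
            automated[event["command"]] = automated.get(event["command"], 0) + 1
            continue
        note = "{month} {day} {time} {invoker} -> {target} on {tty}: {command}".format(**event)
        if event["invoker"] not in expected_users:
            note = "UNEXPECTED USER " + note
        interactive.append(note)
    return {"interactive": interactive, "automated": automated}


if __name__ == "__main__":
    report = review(SAMPLE_AUTH_LOG)
    for line in report["interactive"]:
        print("check:", line)
    for command, count in sorted(report["automated"].items()):
        print("automated x%d: %s" % (count, command))
```

Run against the lines Mark posted, every entry lands in the automated bucket: root, no TTY, PWD=/, three commands within one second, each reading a proxy setting from the user's GNOME configuration. That is consistent with a scheduled system task checking the desktop user's proxy settings rather than with someone logged in over VNC, and the way to close the question is to find which cron job or daemon on the box issues that command. The classifier is a triage aid, not proof: as Mike notes, anyone who already has root can edit auth.log as easily as anything else, so a clean log only tells you that nobody bothered.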