Have I been hacked?
Hello,
I found user "nobody" performing a "find" on my Linux box a few days ago. In the /home section of the filesystem I found a subdirectory "httpd" which I did not create. The "httpd" directory itself contained a subfolder, "bin-cgi". I didn't find any other changes. The Linux machine runs iptables with open ports for SSH, HTTP and HTTPS. Connection is via pppd. I'm still a "newbie" to security. I would appreciate any keywords and explanations to find out if I've been hacked, how this has been achieved and how it can be avoided in the future. Thank you very much in advance.
Regards,
Hans Körber
Hans Körber wrote:
Hello,
I found user "nobody" performing a "find" on my Linux box a few days ago.
In the /home section of the filesystem I found a subdirectory "httpd" which I did not create. The "httpd" directory itself contained a subfolder, "bin-cgi". I didn't find any other changes.
The Linux machine runs iptables with open ports for SSH, HTTP and HTTPS. Connection is via pppd.
Kernel and patches version? iptables version? SSH type and version? HTTP server and version? Was the box properly hardened, and are you sure no other ports were listening when you installed?
HTH,
Andre
On December 1, 2001 06:33 am, Hans Körber wrote:
Hello,
I found user "nobody" performing a "find" on my Linux box a few days ago.
That's normal.
In the /home section of the filesystem I found a subdirectory "httpd" which I did not create. The "httpd" directory itself contained a subfolder, "bin-cgi". I didn't find any other changes.
I don't know about this one.
Nick
On Saturday 01 December 2001 05:53 am, Nick Zentena wrote:
On December 1, 2001 06:33 am, Hans Körber wrote:
Hello,
I found user "nobody" performing a "find" on my Linux box a few days ago.
That's normal.
In the /home section of the filesystem I found a subdirectory "httpd" which I did not create. The "httpd" directory itself contained a subfolder, "bin-cgi". I didn't find any other changes.
I don't know about this one.
That's normal too, if you selected to install the web server. It's the home directory of the web.
--
John Andersen / Juneau Alaska
[ I managed to delete the original message, so I'm replying here ] On Sat, Dec 01, 2001 at 09:53 -0500, Nick Zentena wrote:
On December 1, 2001 06:33 am, Hans Körber wrote:
Hello,
I found user "nobody" performing a "find" on my Linux box a few days ago.
Can you look at the ps(1) manpage and look up its -f option? Or can you be bothered to work with the pstree(1) command? This looks like one of the regular cron jobs running in the early morning, or whenever your cron ticks again (ISTR SuSE put some logic in to "catch up" with missed jobs, since more and more people don't have their UNIX boxes running 24/7, plus cannot be bothered to switch to fcron :).
In the /home section of the filesystem I found a subdirectory "httpd" which I did not create. The "httpd" directory itself contained a subfolder, "bin-cgi". I didn't find any other changes.
It's not so much about security. It's more that you should get familiar with the usual administrator's tools. Use rpm(1), at the command line or by means of one of the numerous frontends, to learn where the files come from. Only if you didn't install the appropriate package yourself, or the checksum no longer matches on non-config files, should you be concerned. Try something along the lines of "rpm -qi -f /home/httpd" and maybe look at the "rpm -ql" output then.
virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
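The two checks Gerhard points at, written out as an added example that is not part of the thread and not code from any of the posters: walking a process back to whatever started it (what `ps -f` or `pstree -p` would let you do by eye, to tell a cron-spawned `find` from a stray one), and reading `rpm -V` output so that only the lines worth worrying about remain. The `ps -ef` and `rpm -V` text below is constructed sample output with made-up PIDs and paths, not anything from Hans's machine; on a real box you would feed in `ps -ef` and `rpm -Vf /home/httpd` (or `rpm -Va`) instead.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks for "is this process /
# this file legitimate?": walk a process back to whatever started it, and
# pick out the rpm -V lines that actually matter.

# Constructed sample of `ps -ef` output (made up for this example; on a real
# system use: ps -ef, or pstree -p). The first "find" runs under cron's
# updatedb job; the second has been reparented to init and lives in /tmp.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 06:00 ?        00:00:04 init
root       412     1  0 06:00 ?        00:00:00 /usr/sbin/cron
root      1873   412  0 04:15 ?        00:00:00 /bin/sh /etc/cron.daily/updatedb
nobody    1880  1873  1 04:15 ?        00:00:02 find / -xdev -name *
nobody    2001     1  0 09:30 ?        00:00:00 /tmp/.x/find -x'

# ancestry PID: print "pid:cmd" for PID and each parent up to init (PPID 0)
ancestry() {
    pid=$1
    chain=""
    while [ "$pid" -gt 0 ] 2>/dev/null; do
        line=$(printf '%s\n' "$SAMPLE_PS" | awk -v p="$pid" '$2 == p')
        [ -n "$line" ] || break
        cmd=$(printf '%s\n' "$line" | awk '{print $8}')
        ppid=$(printf '%s\n' "$line" | awk '{print $3}')
        chain="${chain}${chain:+ }${pid}:${cmd}"
        pid=$ppid
    done
    printf '%s\n' "$chain"
}

# spawned_by_cron PID: succeed if cron appears anywhere in the parent chain.
# A process whose only ancestor is init was orphaned; that is not proof of
# anything by itself, but it is not a running cron job either.
spawned_by_cron() {
    case " $(ancestry "$1") " in
        *cron*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed sample of `rpm -V` output (made up). Column 1 holds the test
# flags (S size, M mode, 5 md5, D device, L link, U user, G group, T mtime),
# an optional "c" marks a config file, then the path.
SAMPLE_RPMV='S.5....T c /etc/httpd/conf/httpd.conf
..5....T   /usr/sbin/httpd
.......T   /home/httpd/html/index.html
missing    /usr/lib/apache/mod_cgi.so'

# suspicious_verify "<rpm -V output>": print files that are missing, or whose
# md5 changed and that are not config files. A changed md5 on a config file,
# or a bare mtime change (T only), is what editing and installing normally do.
suspicious_verify() {
    printf '%s\n' "$1" | awk '
        $1 == "missing"               { print $NF; next }
        index($1, "5") && $2 != "c"   { print $NF }
    '
}

# Stand-alone run: show both checks on the constructed samples
ancestry 1880
ancestry 2001
suspicious_verify "$SAMPLE_RPMV"
```

On the sample, PID 1880 traces back through `/bin/sh /etc/cron.daily/updatedb` to cron, which is the benign case Gerhard describes; PID 2001 hangs directly off init and runs from `/tmp`, which is the kind of thing you then look at with `rpm -qf` (it will not belong to any package). The `rpm -V` filter keeps only the modified binary and the missing module, dropping the edited config file and the file whose timestamp merely changed.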