On Tuesday 03 September 2002 22.42, George H. Griffin wrote:
Hello:
This morning I noticed 2 disturbing lines in the xconsole window on my machine (running SuSE 7.3, kernel 2.4.16):
Sep 3 07:00:29 jesse kernel: SuSE-FW-ACCEPTIN=eth0 OUT= MAC=00:e0:29:84:d8:21:00:04:5a:f8:83:13:08:00 SRC=139.142.228.240 DST=192.168.1.101 LEN=40 TOS=0x00 PREC=0x00 TTL=101 ID=31205 PROTO=TCP SPT=22 DPT=22 WINDOW=5805 RES=0x00 SYN URGP=0
Sep 3 07:00:29 jesse kernel: SuSE-FW-ACCEPTIN=eth0 OUT= MAC=00:e0:29:84:d8:21:00:04:5a:f8:83:13:08:00 SRC=139.142.228.240 DST=192.168.1.101 LEN=60 TOS=0x00 PREC=0x00 TTL=41 ID=57211 DF PROTO=TCP SPT=4274 DPT=22 WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A093697D60000000001030300)
Someone with ip 139.142.228.240 connected, or tried to connect, to a machine on IP 192.168.1.101 on the ssh port. I assume you've set up some sort of reverse masquerading, since normally I'd expect this to be blocked with the message UNALLOWED-TARGET or similar. Are those IP addresses familiar? Do you have an ssh daemon running? Are there any messages from it in the logs?
When I ran uptime it showed 3 users when there should have only been 2, but I could not find any sign of any unknown users logged in.
Some terminal windows, such as KDE's konsole, open login shells when you run them, so if you have 10 konsole windows open "uptime" will show 10 users logged in. It could also be the result of a user being logged in during a crash. Programs like uptime get their information from the utmp file, which should be updated whenever someone logs in or out. In a crash that may not happen, so a user may show as logged in even though he's not.

Of course, it's better to be safe than sorry, so if you have an ssh daemon running and you're concerned that someone may have hacked you, your safest option would be to get the machine off the internet, boot from the rescue CD, or plug the hard drive into a machine that's never been on a network, and run a check against your tripwire database, or whatever security tool you're using. Note that you shouldn't use the "boot installed system" option, since then you're still using the potentially compromised binaries on your system.

regards
Anders
--
'Deserves [death]. I daresay he does. Many that live deserve death. And some that die deserve life. Can you give it to them? Then do not be too eager to deal out death in judgement. For even the very wise cannot see all ends.' --Tolkien, The Lord of the Rings
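As an added example (not part of this thread, and not SuSE's own tooling), the Python below does the same reading of the pasted kernel firewall lines that Anders did by eye: it splits each netfilter LOG entry into its prefix (SuSE-FW-ACCEPT and the like), its key=value fields (IN, SRC, DST, PROTO, SPT, DPT, ...), its bare flags (SYN, DF) and the optional OPT (...) TCP options, then reports inbound TCP SYNs to the ssh port whose source is not an RFC 1918, loopback or other non-routable address. The parser tolerates the missing space between the prefix and IN= exactly as it appears in the quoted lines. The first two sample lines are the ones George pasted; the third is constructed here to show a LAN-internal attempt that the check correctly leaves alone.

```python
import ipaddress
import re

# Sample input: the two kernel lines quoted in the mail, plus one constructed
# line (SRC=192.168.1.50, prefix SuSE-FW-DROP-DEFAULT) that is NOT from the mail.
SAMPLE_LOG = """\
Sep 3 07:00:29 jesse kernel: SuSE-FW-ACCEPTIN=eth0 OUT= MAC=00:e0:29:84:d8:21:00:04:5a:f8:83:13:08:00 SRC=139.142.228.240 DST=192.168.1.101 LEN=40 TOS=0x00 PREC=0x00 TTL=101 ID=31205 PROTO=TCP SPT=22 DPT=22 WINDOW=5805 RES=0x00 SYN URGP=0
Sep 3 07:00:29 jesse kernel: SuSE-FW-ACCEPTIN=eth0 OUT= MAC=00:e0:29:84:d8:21:00:04:5a:f8:83:13:08:00 SRC=139.142.228.240 DST=192.168.1.101 LEN=60 TOS=0x00 PREC=0x00 TTL=41 ID=57211 DF PROTO=TCP SPT=4274 DPT=22 WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A093697D60000000001030300)
Sep 3 07:05:11 jesse kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:29:84:d8:21:00:04:5a:f8:83:13:08:00 SRC=192.168.1.50 DST=192.168.1.101 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, "kernel:", then the LOG prefix immediately or loosely
# followed by IN=.  The non-greedy prefix plus \s* copes with a missing space
# ("SuSE-FW-ACCEPTIN=eth0") as well as the normal "SuSE-FW-ACCEPT IN=eth0".
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: '
    r'(?P<prefix>\S+?)\s*IN=(?P<rest>.*)$'
)
# TCP options are printed as "OPT (<hex>)" and would otherwise break on whitespace.
OPT_RE = re.compile(r'\bOPT \(([0-9A-Fa-f]*)\)')


def parse_line(line):
    """Return a dict for one netfilter LOG line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        'timestamp': m.group('ts'),
        'host': m.group('host'),
        'prefix': m.group('prefix'),
        'flags': set(),          # bare tokens such as SYN, ACK, DF
    }
    rest = 'IN=' + m.group('rest')  # put back the IN= the regex consumed
    opt = OPT_RE.search(rest)
    if opt:
        rec['OPT'] = opt.group(1)
        rest = rest[:opt.start()] + rest[opt.end():]
    for token in rest.split():
        if '=' in token:
            key, _, value = token.partition('=')   # OUT= gives an empty value
            rec[key] = value
        else:
            rec['flags'].add(token)
    return rec


def parse_log(text):
    """Parse every LOG line in a blob of syslog text, skipping other lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def inbound_ssh_from_outside(records, port='22', only_accepted=False):
    """Inbound TCP SYNs to `port` from a globally routable source.

    Returns (timestamp, prefix, SRC, SPT, DST) tuples.  With only_accepted=True
    the result is limited to lines the firewall let through (prefix contains
    ACCEPT), which is the surprising case in the thread.
    """
    hits = []
    for r in records:
        if r.get('PROTO') != 'TCP' or r.get('DPT') != port:
            continue
        if 'SYN' not in r['flags'] or 'ACK' in r['flags']:
            continue                      # only connection attempts, not replies
        try:
            src = ipaddress.ip_address(r.get('SRC', ''))
        except ValueError:
            continue
        if not src.is_global:             # RFC 1918, loopback, link-local, ...
            continue
        if only_accepted and 'ACCEPT' not in r['prefix']:
            continue
        hits.append((r['timestamp'], r['prefix'], r['SRC'], r['SPT'], r['DST']))
    return hits


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for ts, prefix, src, spt, dst in inbound_ssh_from_outside(recs):
        print(f'{ts} {prefix}: {src}:{spt} -> {dst}:22')
```

Run against the sample, the script lists the two connection attempts from 139.142.228.240 and stays quiet about the LAN-internal line. Passing only_accepted=True narrows it to what Anders found odd: traffic the firewall logged as accepted rather than as UNALLOWED-TARGET. The same two functions work unchanged on /var/log/messages or /var/log/firewall output from any iptables LOG target, since only the prefix string is distribution-specific.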