Anders Johansson wrote:
On Saturday 27 July 2002 11.59, Joe & Sesil Morris (NTM) wrote:
I found out yesterday that our server has been intruded. The intruder even was able to su to root (according to the logs). They logged in via /dev/console, and via the bash history I was able to get the commands they typed in. They are as follows.
<snip bash_history>
This is what you get when you use mc in a bash shell. Try it. The initial prompt command is to give mc control over the shell, and the cd commands are just that. They cd to various directories.
Thanks Anders and others. You all are correct. The escape sequences were mc's doing. That's a relief.
/dev/console is on your local machine. As far as I know you can't get to it over the net. Do you have your box physically secure?
After looking again at the logs, and comparing them to my box here at home, I guess it wasn't a hack, but an unexplained reboot. I saw the following first: Jul 26 00:35:21 server kernel: klogd 1.4.1, ---------- state change ---------- followed by another reboot at 6:35, ie. Jul 26 06:35:23 server syslogd 1.4.1: restart. In the sequence at 6:35, I noticed an su to root on /dev/console. I guess it is one of the services, not a hacker. It just corresponded with a lot of firewall rejects.
What was in your logfile that made you suspect you had had an intruder?
See above. I will start looking at hardware reasons for the reboot, now that I know the strange codes in root's bash history was made by mc. Thanks much for all of your help, once more... :-) BTW, I have all security patches applied (I just ran YOU again today to make sure). I also checked again, and I do have ports 53, 68, and 123 UDP open, all TCP blocked internet side. At least I will sleep better tonight. Thanks again. -- Joe & Sesil Morris New Tribes Mission Email Address: Joe_Morris@ntm.org Web Address: http://www.mydestiny.net/~joe_morris Registered Linux user 231871 God said, I AM that I AM. I say, by the grace God, I am what I am.
participants (1)
-
Joe & Sesil Morris (NTM)