Re: Have I been hacked?

To: Ian Goodall <ijg@iangoodall.co.uk>
Cc: debian-security@lists.debian.org
Subject: Re: Have I been hacked?
From: "Janus N." Tøndering <janus@bananus.dk>
Date: 07 May 2003 20:05:49 +0200
Message-id: <1052330749.12219.2.camel@apple.bananus.dk>
In-reply-to: <002001c314a5$abbb3d00$c30310ac@EVESHAM>
References: <Pine.LNX.4.44.0305071022170.29676-100000@toutatis.igt.net> <002001c314a5$abbb3d00$c30310ac@EVESHAM>

You can check the fingerprint. Use
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key  (or similar) to print the
fingerprint of your RSA key to the screen. 
If it is '51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d' then your
friend has cached an old key you have used in the past (fx. before a
re-installation).

Hope this helps

Janus Tøndering

On Wed, 2003-05-07 at 16:33, Ian Goodall wrote:
> Thanks for your help Guys.
> 
> It now says this:
> 
> > wtmp begins Wed May  7 13:21:47 2003
> 
> I think that is what had happened. I am new to this and this just looked
> dodgy to me!
> 
> A friend also has ssh shell access to the box and got the following error
> message when connecting to the same my box:
> 
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> 
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> 
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> 
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> 
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> 
> It is also possible that the RSA host key has just been changed.
> 
> The fingerprint for the RSA key sent by the remote host is
> 
> 51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d.
> 
> Please contact your system administrator.
> 
> I don't get this from any other computers so is this just his computer?
> 
> Thanks
> 
> ----- Original Message ----- 
> From: "Eric LeBlanc" <inouk@igt.net>
> To: "Ian Goodall" <ijg@iangoodall.co.uk>
> Cc: <debian-security@lists.debian.org>
> Sent: Wednesday, May 07, 2003 3:23 PM
> Subject: Re: Have I been hacked?
> 
> 
> >
> > Check if your program have rotated the logs...
> >
> > cd /var/log
> >
> > ls -l wtmp*
> >
> > and, check in /etc/cron* or do a crontab -l (in user root)
> >
> >
> > E.
> > --
> > Eric LeBlanc
> > inouk@igt.net
> > --------------------------------------------------
> > UNIX is user friendly.
> > It's just selective about who its friends are.
> > ==================================================
> >
> > On Wed, 7 May 2003, Ian Goodall wrote:
> >
> > > I am running a debian woody server and when I checked the last users
> > > yesterday I a large number of logins in the list. On running the command
> > > today I get the following:
> > >
> > > dev1:/home/ian# last
> > > ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged
> in
> > > team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
> > >
> > > I have run chkrootkit but nothing was found.
> > >
> > > I have never had this before. Am I being paranoid or is someone trying
> to
> > > cover up their tracks?
> > >
> > > Thanks
> > >
> > > ijg0
> > >
> > >
> > >
> > > --
> > > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > > with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> > >
> >
-- 
Janus N. Tøndering <janus@bananus.dk>

Reply to:

References:
- Re: Have I been hacked?
  - From: Eric LeBlanc <inouk@igt.net>
- Re: Have I been hacked?
  - From: "Ian Goodall" <ijg@iangoodall.co.uk>

Prev by Date: Re: Have I been hacked?
Next by Date: Re: Please clarifiy: kernel-sources / ptracebug / debian security announcenments
Previous by thread: Re: Have I been hacked?
Next by thread: Re: Have I been hacked?
Index(es):
- Date
- Thread