
Intrusion?



Hi everyone,

Last night I left the PC on and didn't touch it again from 23:40 onward.

This morning I switched on the monitor and, instead of seeing the KDE
session I had left, I had the kdm login screen in front of me.

I logged in and the session was restored, except that the Firefox
window was titled iceweasel instead of Namoroka (I recompiled the 3.6
source for amd64, since they apparently don't distribute 64-bit
binaries); graphically, though, it couldn't have been iceweasel, since
the Persona was there.

I had a look at the logs; this is what auth.log contains (the last two
lines are me logging in):

Mar 23 03:55:57 debian su[1467]: Successful su for giorgian by root
Mar 23 03:55:57 debian su[1467]: + ??? root:giorgian
Mar 23 03:55:57 debian su[1467]: pam_unix(su:session): session opened
for user giorgian by (uid=0)
Mar 23 03:55:57 debian su[1467]: pam_unix(su:session): session closed
for user giorgian
Mar 23 03:56:37 debian kdm: :0[31186]: pam_unix(kdm:session): session
closed for user giorgian
Mar 23 04:17:01 debian CRON[1551]: pam_unix(cron:session): session
opened for user root by (uid=0)
Mar 23 04:17:01 debian CRON[1551]: pam_unix(cron:session): session
closed for user root
Mar 23 05:17:01 debian CRON[1571]: pam_unix(cron:session): session
opened for user root by (uid=0)
Mar 23 05:17:01 debian CRON[1571]: pam_unix(cron:session): session
closed for user root
Mar 23 06:17:01 debian CRON[1591]: pam_unix(cron:session): session
opened for user root by (uid=0)
Mar 23 06:17:01 debian CRON[1591]: pam_unix(cron:session): session
closed for user root
Mar 23 06:25:01 debian CRON[1607]: pam_unix(cron:session): session
opened for user root by (uid=0)
Mar 23 06:25:01 debian CRON[1607]: pam_unix(cron:session): session
closed for user root
Mar 23 07:17:01 debian CRON[1627]: pam_unix(cron:session): session
opened for user root by (uid=0)
Mar 23 07:17:01 debian CRON[1627]: pam_unix(cron:session): session
closed for user root
Mar 23 07:23:14 debian kdm: :0[1532]: pam_unix(kdm:session): session
opened for user giorgian by (uid=0)
Mar 23 07:23:14 debian kdm: :0[1532]: pam_ck_connector(kdm:session):
nox11 mode, ignoring PAM_TTY :0

syslog contains:

Mar 23 03:17:01 debian /USR/SBIN/CRON[1238]: (root) CMD (   cd / &&
run-parts --report /etc/cron.hourly)
Mar 23 03:56:38 debian acpid: client 31153[0:0] has disconnected
Mar 23 03:56:38 debian acpid: client 31153[0:0] has disconnected
Mar 23 03:56:38 debian acpid: client connected from 31153[0:0]
Mar 23 03:56:38 debian acpid: 1 client rule loaded
Mar 23 03:56:38 debian acpid: client connected from 31153[0:0]
Mar 23 03:56:38 debian acpid: 1 client rule loaded
Mar 23 03:56:39 debian kdm_greet[1539]: Cannot load
/usr/share/kde4/apps/kdm/faces/.default.face: No such file or
directory
Mar 23 04:17:01 debian /USR/SBIN/CRON[1559]: (root) CMD (   cd / &&
run-parts --report /etc/cron.hourly)
Mar 23 05:17:01 debian /USR/SBIN/CRON[1579]: (root) CMD (   cd / &&
run-parts --report /etc/cron.hourly)
Mar 23 06:17:01 debian /USR/SBIN/CRON[1599]: (root) CMD (   cd / &&
run-parts --report /etc/cron.hourly)
Mar 23 06:25:01 debian /USR/SBIN/CRON[1615]: (root) CMD (test -x
/usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ))
Mar 23 07:17:01 debian /USR/SBIN/CRON[1635]: (root) CMD (   cd / &&
run-parts --report /etc/cron.hourly)

daemon.log:

Mar 23 03:56:38 debian acpid: client 31153[0:0] has disconnected
Mar 23 03:56:38 debian acpid: client 31153[0:0] has disconnected
Mar 23 03:56:38 debian acpid: client connected from 31153[0:0]
Mar 23 03:56:38 debian acpid: 1 client rule loaded
Mar 23 03:56:38 debian acpid: client connected from 31153[0:0]
Mar 23 03:56:38 debian acpid: 1 client rule loaded
Mar 23 03:56:39 debian kdm_greet[1539]: Cannot load
/usr/share/kde4/apps/kdm/faces/.default.face: No such file or
directory

What else can I look at? Should I be worried?

To be on the safe side, this morning I shut down the PC, and I have now
powered it on and booted the "old" partition (from a few weeks ago) and
changed the passwords. Do I still need to be afraid?

I'm thinking of reinstalling Debian, trying the squeeze netinst [1]; can
I trust downloading and burning it here, or should I do it somewhere else?

[1] http://cdimage.debian.org/cdimage/daily-builds/daily/arch-latest/amd64/iso-cd/


thanks

pietro
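
One way to line up the three log excerpts from the message above into a single timeline, as an added example that is not part of the original post: it re-joins records wrapped by the mail client, drops the cron entries and collapses records that syslog and daemon.log both carry. The function names and the LOGS dictionary are illustrative assumptions; the sample records are copied from the excerpts quoted above.

```python
import re

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# Groups: month, day, time, host, tag, optional [pid], message
STAMP = re.compile(r"^([A-Z][a-z]{2}) +(\d+) (\d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[(\d+)\])?: (.*)$")

def unwrap(text):
    """Re-join records that the mail client wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line):                 # a new record starts with a timestamp
            records.append(line.strip())
        elif records and line.strip():        # anything else continues the previous record
            records[-1] += " " + line.strip()
    return records

def timeline(logs):
    """Merge {name: text} logs by time, drop cron records, collapse identical records."""
    merged = {}  # record key -> names of the logs that carried it (insertion order = file order)
    for name, text in logs.items():
        for rec in unwrap(text):
            mon, day, hms, _host, tag, pid, msg = STAMP.match(rec).groups()
            if tag.upper().endswith("CRON"):  # scheduled jobs are noise for this question
                continue
            key = (MONTHS.index(mon), int(day), hms, tag, pid or "", msg)
            merged.setdefault(key, []).append(name)
    ordered = sorted(merged, key=lambda k: k[:3])  # stable: keeps file order within one second
    return [(f"{MONTHS[k[0]]} {k[1]} {k[2]}", k[3], k[5], sorted(set(merged[k]))) for k in ordered]

# Sample input: records copied from the excerpts in the post, wrapping preserved.
LOGS = {"auth.log": """
Mar 23 03:55:57 debian su[1467]: Successful su for giorgian by root
Mar 23 03:56:37 debian kdm: :0[31186]: pam_unix(kdm:session): session
closed for user giorgian
Mar 23 07:23:14 debian kdm: :0[1532]: pam_unix(kdm:session): session
opened for user giorgian by (uid=0)
""", "syslog": """
Mar 23 03:17:01 debian /USR/SBIN/CRON[1238]: (root) CMD (   cd / &&
run-parts --report /etc/cron.hourly)
Mar 23 03:56:38 debian acpid: client 31153[0:0] has disconnected
""", "daemon.log": """
Mar 23 03:56:38 debian acpid: client 31153[0:0] has disconnected
Mar 23 03:56:39 debian kdm_greet[1539]: Cannot load
/usr/share/kde4/apps/kdm/faces/.default.face: No such file or
directory
"""}
if __name__ == "__main__":
    print(*timeline(LOGS), sep="\n")
```

Each returned tuple is (timestamp, tag, message, logs that carried the record), so the events between 03:55:57 and 03:56:39 can be read in order next to the 07:23:14 login.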

