Re: Have I been hacked?
Thanks for your help Guys.
It now says this:
> wtmp begins Wed May 7 13:21:47 2003
I think that is what had happened. I am new to this and this just looked
dodgy to me!
A friend also has ssh shell access to the box and got the following error
message when connecting to the same my box:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d.
Please contact your system administrator.
I don't get this from any other computers so is this just his computer?
Thanks
----- Original Message -----
From: "Eric LeBlanc" <inouk@igt.net>
To: "Ian Goodall" <ijg@iangoodall.co.uk>
Cc: <debian-security@lists.debian.org>
Sent: Wednesday, May 07, 2003 3:23 PM
Subject: Re: Have I been hacked?
>
> Check if your program have rotated the logs...
>
> cd /var/log
>
> ls -l wtmp*
>
> and, check in /etc/cron* or do a crontab -l (in user root)
>
>
> E.
> --
> Eric LeBlanc
> inouk@igt.net
> --------------------------------------------------
> UNIX is user friendly.
> It's just selective about who its friends are.
> ==================================================
>
> On Wed, 7 May 2003, Ian Goodall wrote:
>
> > I am running a debian woody server and when I checked the last users
> > yesterday I a large number of logins in the list. On running the command
> > today I get the following:
> >
> > dev1:/home/ian# last
> > ian pts/0 172.16.3.195 Wed May 7 14:49 still logged
in
> > team1 pts/0 blue99.ex.ac.uk Wed May 7 13:21 - 13:57 (00:35)
> >
> > I have run chkrootkit but nothing was found.
> >
> > I have never had this before. Am I being paranoid or is someone trying
to
> > cover up their tracks?
> >
> > Thanks
> >
> > ijg0
> >
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
> >
>
Reply to: