
Re: Have I been hacked?



Thanks for your help, guys.

It now says this:

> wtmp begins Wed May  7 13:21:47 2003

I think that is what had happened. I am new to this and this just looked
dodgy to me!

A friend also has ssh shell access to the box and got the following error
message when connecting to the same box:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d.
Please contact your system administrator.

I don't get this from any other computers so is this just his computer?

Thanks

----- Original Message ----- 
From: "Eric LeBlanc" <inouk@igt.net>
To: "Ian Goodall" <ijg@iangoodall.co.uk>
Cc: <debian-security@lists.debian.org>
Sent: Wednesday, May 07, 2003 3:23 PM
Subject: Re: Have I been hacked?


>
> Check if your program has rotated the logs...
>
> cd /var/log
>
> ls -l wtmp*
>
> and, check in /etc/cron* or do a crontab -l (in user root)
>
>
> E.
> --
> Eric LeBlanc
> inouk@igt.net
> --------------------------------------------------
> UNIX is user friendly.
> It's just selective about who its friends are.
> ==================================================
>
> On Wed, 7 May 2003, Ian Goodall wrote:
>
> > I am running a debian woody server and when I checked the last users
> > yesterday I saw a large number of logins in the list. On running the command
> > today I get the following:
> >
> > dev1:/home/ian# last
> > ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
> > team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
> >
> > I have run chkrootkit but nothing was found.
> >
> > I have never had this before. Am I being paranoid or is someone trying to
> > cover up their tracks?
> >
> > Thanks
> >
> > ijg0
> >
> >
> >
>
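
An added example (not part of the original messages): the SSH warning quoted above only says that the key the client received differs from the one it had stored, so one way to narrow it down is to compute the server's own legacy MD5 fingerprint and compare it with the value in the banner. The key below is constructed sample data, the function names are hypothetical, and /etc/ssh/ssh_host_rsa_key.pub is assumed to be where the host's RSA public key lives.

```python
import base64
import hashlib
import struct

# Fingerprint the friend's client displayed (copied from the message above).
REPORTED = "51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length, then data."""
    return struct.pack(">I", len(data)) + data


def constructed_pubkey_line() -> str:
    """Build a well-formed but fake ssh-rsa public key line (sample data only)."""
    e = b"\x01\x00\x01"
    n = bytes(range(1, 129))  # constructed filler, not a real RSA modulus
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(e) + _ssh_string(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " root@dev1"


def md5_fingerprint(pubkey_line: str) -> str:
    """Legacy colon-separated MD5 fingerprint of an OpenSSH public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob repeats the key type; a mismatch means a damaged or edited line.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def matches_reported(pubkey_line: str, reported: str = REPORTED) -> bool:
    """True if this key has the fingerprint the client displayed."""
    normalized = reported.strip().rstrip(".").lower()
    return md5_fingerprint(pubkey_line) == normalized


if __name__ == "__main__":
    # On the real host, read the line from /etc/ssh/ssh_host_rsa_key.pub instead.
    line = constructed_pubkey_line()
    print(md5_fingerprint(line), matches_reported(line))
```

A match means the client received the server's current key and its stored known_hosts entry is the older one; a mismatch means the key the client received did not come from this host key file.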


