Re: Have I been hacked?



Hi,
you get this message when you use different names for a machine, for example the IP and the machine's name. One of them is saved in known_hosts, the other one causes this message!

Sebastian

Ian Goodall wrote:
Thanks everyone for your help.

It must be his computer as all the computers I usually log in from are all fine. I am still quite new to all of this but we all have to start somewhere :)

Cheers,

ijg0




===== Original Message From "Hobbs, Richard" <hobbs@mongeese.co.uk> =====
Hello,

The SSH error is usually caused by the SSH server (your machine) being
reformatted, or having SSH uninstalled and reinstalled, or having the
public/private keys regenerated for some reason. Have you recently made any
changes to SSH, or reinstalled your system??

It could also happen if he has been making changes to his
"~/.ssh/known_hosts" file.

HTH...

Richard.


Quoting Ian Goodall <ijg@iangoodall.co.uk>:


Thanks for your help Guys.

It now says this:


wtmp begins Wed May  7 13:21:47 2003

I think that is what had happened. I am new to this and this just looked
dodgy to me!

A friend also has ssh shell access to the box and got the following error
message when connecting to the same box:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d.
Please contact your system administrator.

I don't get this from any other computers so is this just his computer?

Thanks

----- Original Message -----
From: "Eric LeBlanc" <inouk@igt.net>
To: "Ian Goodall" <ijg@iangoodall.co.uk>
Cc: <debian-security@lists.debian.org>
Sent: Wednesday, May 07, 2003 3:23 PM
Subject: Re: Have I been hacked?



Check if your program has rotated the logs...

cd /var/log
ls -l wtmp*

and check in /etc/cron*, or do a crontab -l (as user root)


E.
--
Eric LeBlanc
inouk@igt.net
--------------------------------------------------
UNIX is user friendly.
It's just selective about who its friends are.
==================================================

On Wed, 7 May 2003, Ian Goodall wrote:


I am running a debian woody server and when I checked the last users
yesterday I saw a large number of logins in the list. On running the
command today I get the following:

dev1:/home/ian# last
ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)

I have run chkrootkit but nothing was found.

I have never had this before. Am I being paranoid or is someone trying
to cover up their tracks?

Thanks

ijg0



--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact

listmaster@lists.debian.org






--
Richard Hobbs
hobbs@mongeese.co.uk
http://mongeese.co.uk | http://unixforum.co.uk

"There's only one way of life, and that's your own" - The Levellers

_____________________________________________________
Send all your jokes to jokes@fishsponge.co.uk !!
To subscribe, email: jokes-subscribe@fishsponge.co.uk


----------------------
Ian Goodall
www.iangoodall.co.uk
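
Added example (not part of any poster's message): a small Python check of which known_hosts entry a host key is being compared against, covering the causes discussed in this thread (a regenerated key, or a stale entry stored under one of several names). The host names, the IP and the key blobs are constructed sample data, and the parser assumes plain protocol-2 style lines ("host[,host] keytype base64key").

```python
import base64
import hashlib

def md5_fingerprint(key_b64):
    """Colon-separated MD5 fingerprint, the format printed in the warning."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_known_hosts(text):
    """Map each host name or IP to the (keytype, fingerprint) pairs stored for it."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers, hashed host names and malformed lines.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        hosts, keytype, key_b64 = fields[:3]
        for host in hosts.split(","):
            entries.setdefault(host, set()).add((keytype, md5_fingerprint(key_b64)))
    return entries

def check(entries, name, keytype, offered_fp):
    """Classify the key the server offers against what is stored under `name`."""
    stored = {fp for kt, fp in entries.get(name, ()) if kt == keytype}
    if not stored:
        return "unknown"   # no entry under this name: ssh asks to confirm the host
    # "changed" is the case that produces the warning quoted in the thread
    return "match" if offered_fp in stored else "changed"

# Constructed sample data: placeholder key blobs, documentation-range names.
OLD_KEY = base64.b64encode(b"constructed host key before regeneration").decode()
NEW_KEY = base64.b64encode(b"constructed host key after regeneration").decode()
KNOWN_HOSTS = f"""# constructed sample file
server.example ssh-rsa {OLD_KEY}
192.0.2.10 ssh-rsa {NEW_KEY}
"""

def demo():
    entries = parse_known_hosts(KNOWN_HOSTS)
    offered = md5_fingerprint(NEW_KEY)  # what the server presents today
    return {name: check(entries, name, "ssh-rsa", offered)
            for name in ("server.example", "192.0.2.10", "server")}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

On a real client, `ssh-keygen -F <name>` shows the stored entry for a name and `ssh-keygen -R <name>` removes it, once the new fingerprint has been confirmed with the server's administrator over a separate channel.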




