Re: am I hacked?

On Sun, 2004-10-31 at 17:16 +0200, Haim Ashkenazi wrote:
> For a few days now I see in the logs of my firewall (debian/stable)
> entries about someone trying to connect to my SSH server with several
> users (root, test, mysql, etc.) without success. Today I saw an entry
> which alarmed me:
> Oct 31 14:37:17 coltrane sshd[17927]: Bad protocol version identification 'GNUTELLA CONNECT/0.6' from

This is probably what you would see if someone advertised a gnutella
host with ip (or whatever your server's ip is) and port 22.
Nothing to worry about.

> running chkrootkit (0.43) I got this surprise (the short version):
> parker:~/src/rkhunter# chkrootkit  lkm
> ROOTDIR is `/'
> Checking `lkm'... You have    36 process hidden for readdir command
> You have    36 process hidden for ps command
> Warning: Possible LKM Trojan installed

chkrootkit is known to sometimes produce false positives but these
generally don't show up on repeated calls. There was a problem once with
an incompatible libc or somesuch that could explain this (maybe see

-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
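
An added example, not part of the original message: a small triage script that separates the two kinds of sshd log entries discussed in this thread, misdirected non-SSH clients (such as the Gnutella handshake) and password guessing against several user names. The log lines and 192.0.2.x addresses are constructed, and the banner table and function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in syslog sshd format; addresses are from the
# documentation range 192.0.2.0/24, not from the original post.
SAMPLE_LOG = """\
Oct 31 14:20:01 coltrane sshd[17801]: Failed password for root from 192.0.2.10 port 40112 ssh2
Oct 31 14:20:04 coltrane sshd[17803]: Failed password for illegal user test from 192.0.2.10 port 40118 ssh2
Oct 31 14:20:07 coltrane sshd[17805]: Failed password for invalid user mysql from 192.0.2.10 port 40121 ssh2
Oct 31 14:37:17 coltrane sshd[17927]: Bad protocol version identification 'GNUTELLA CONNECT/0.6' from 192.0.2.77
Oct 31 14:39:02 coltrane sshd[17931]: Bad protocol version identification 'GET / HTTP/1.0' from 192.0.2.80
Oct 31 14:41:40 coltrane sshd[17940]: Bad protocol version identification '\\x16\\x03\\x01' from 192.0.2.81 port 51234
"""

BAD_ID = re.compile(
    r"sshd\[\d+\]: Bad protocol version identification '(?P<banner>.*)' from (?P<ip>\S+)")
# Older OpenSSH logs "illegal user", newer releases log "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+)")

# Assumed table: first bytes sent by common non-SSH clients that land on port 22.
BANNER_PROTOCOLS = [("GNUTELLA CONNECT/", "gnutella"), ("GET ", "http"),
                    ("POST ", "http"), ("HEAD ", "http")]

def classify_banner(banner):
    """Name the protocol a stray client spoke, or 'unknown'."""
    for prefix, label in BANNER_PROTOCOLS:
        if banner.startswith(prefix):
            return label
    return "unknown"

def triage(log_text):
    """Return (stray-protocol counts, {source ip: user names guessed})."""
    stray, guesses = Counter(), {}
    for line in log_text.splitlines():
        m = BAD_ID.search(line)
        if m:
            stray[classify_banner(m["banner"])] += 1
            continue
        m = FAILED.search(line)
        if m:
            guesses.setdefault(m["ip"], set()).add(m["user"])
    return stray, guesses

if __name__ == "__main__":
    stray, guesses = triage(SAMPLE_LOG)
    print("non-SSH clients on port 22:", dict(stray))
    for ip, users in sorted(guesses.items()):
        print(f"password guessing from {ip}: {sorted(users)}")
```

Entries counted as "unknown" are the ones worth reading by hand; the recognised banners are other protocols' opening lines reaching sshd, not login attempts.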

