Re: am I hacked?
On Sun, 31 Oct 2004 16:59:12 +0100, Arthur de Jong wrote:
> On Sun, 2004-10-31 at 17:16 +0200, Haim Ashkenazi wrote:
>> for a few days now I see in the logs of my firewall (debian/stable)
>> entries about someone trying to connect to my SSH server with several
>> users (root, test, mysql, etc..) without success. today I saw an entry
>> which alarmed me:
>> Oct 31 14:37:17 coltrane sshd: Bad protocol version identification 'GNUTELLA CONNECT/0.6' from 192.168.0.5
> This is probably what you would see if someone advertised a gnutella
> host with ip 192.168.0.1 (or whatever your server's ip is) and port 22.
> Noting to worry about.
>> running chkrootkit (0.43) I got this surprise (the short version):
>> parker:~/src/rkhunter# chkrootkit lkm
>> ROOTDIR is `/'
>> Checking `lkm'... You have 36 process hidden for readdir command
>> You have 36 process hidden for ps command
>> Warning: Possible LKM Trojan installed
> chkrootkit is know to sometimes produce false positives but these
> generally don't show up on repeated calls. There was a problem once with
> an incompatible libc or somesuch that could explain this (maybe see
thanx, I was only concern about the log in my server and what you
suggested seems to be the answer. I'm aware of chkrootkit's false positive
errors, (although I'm used to get them on FreeBSD).