
Was I hacked?

Discussion in 'Linux and Unix' started by evilmrhenry, Apr 17, 2004.

Thread Status:
Not open for further replies.
  1. evilmrhenry

    evilmrhenry Thread Starter

    Joined:
    Dec 14, 2001
    Messages:
    105
    Debian testing.

    While web browsing, I noticed the hard drive was being accessed for no apparent reason. Running System Guard, I noticed that the 'find' command was running, with the login set to "nobody". I didn't have enough permissions to end the process as a regular user, but a console window, su, and kill command ended it. Shortly after killing the process, I noticed the 'ls' command was being run.

    At this time, I disconnected the computer from the Internet, and looked at the log files. auth.log looks fine, but to get a second opinion:

    Code:
    Apr 17 12:10:28 box sshd[542]: Server listening on 0.0.0.0 port 22.
    Apr 17 12:12:26 box kdm[825]: (pam_unix) session opened for user reg_user by (uid=0)
    Apr 17 12:15:53 box su[1325]: + ??? root:nobody
    Apr 17 12:15:53 box su[1325]: (pam_unix) session opened for user nobody by (uid=0)
    Apr 17 12:17:01 box CRON[1398]: (pam_unix) session opened for user root by (uid=0)
    Apr 17 12:17:01 box CRON[1398]: (pam_unix) session closed for user root
    Apr 17 12:19:02 box su[1536]: (pam_unix) authentication failure; logname= uid=1000 euid=0 tty=pts/0 ruser=reg_user rhost=  user=root
    Apr 17 12:19:05 box su[1536]: pam_authenticate: Authentication failure
    Apr 17 12:19:05 box su[1536]: - pts/0 reg_user:root
    Apr 17 12:19:08 box su[1542]: + pts/0 reg_user:root
    Apr 17 12:19:08 box su[1542]: (pam_unix) session opened for user root by (uid=1000)
    Apr 17 12:19:24 box su[1615]: + ??? root:mail
    Apr 17 12:19:24 box su[1615]: (pam_unix) session opened for user mail by (uid=0)
    Apr 17 12:20:01 box CRON[1817]: (pam_unix) session opened for user root by (uid=0)
    Apr 17 12:20:01 box CRON[1817]: (pam_unix) session closed for user root
    Apr 17 12:30:01 box CRON[2427]: (pam_unix) session opened for user root by (uid=0)
    Apr 17 12:30:01 box CRON[2427]: (pam_unix) session closed for user root
    Apr 17 12:31:52 box su[2551]: + pts/1 reg_user:root
    Apr 17 12:31:52 box su[2551]: (pam_unix) session opened for user root by (uid=1000)
    Apr 17 12:31:52 box su[2553]: + pts/1 reg_user:root
    Apr 17 12:31:52 box su[2553]: (pam_unix) session opened for user root by (uid=1000)
    Apr 17 12:40:01 box CRON[3123]: (pam_unix) session opened for user root by (uid=0)
    Apr 17 12:40:01 box CRON[3123]: (pam_unix) session closed for user root
    Now, how do I determine what caused the 'find' command to be run? I'm thinking now it was just a daemon, but a log file somewhere that shows it for sure would be helpful.

    (And yes, I am going to change my passwords.)
     
  2. Whiteskin

    Whiteskin

    Joined:
    Nov 15, 2002
    Messages:
    1,964
    Find is run as part of a script to update the locatedb daily by a cron job (locatedb is the database searched by the command locate (as if you couldn't guess)). Locate is used to.... locate files (try it: it's very useful...)

    [edit] Oh, and it is run as nobody, because nobody is a very unprivileged user.
     
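The distinction Whiteskin draws (a cron job running find as the unprivileged "nobody" versus a person gaining a shell) shows up directly in the posted auth.log: the cron-driven su lines carry "???" in the tty field and are started by uid=0, while the poster's own su sessions come from pts/0 and pts/1 and uid=1000. The following shell script is an added example, not code from either participant in the thread. It classifies su sessions from sample log lines constructed from the ones posted above, counts failed su-to-root attempts, and includes two helpers for a live Debian box: one lists cron files that invoke find or updatedb, the other walks a process's parent chain through /proc. The cron directory paths and the /proc layout are assumed to match a standard Debian system.

```shell
#!/bin/sh
# Added example (not from the thread). Sample lines are constructed from the
# auth.log excerpt posted above.

AUTH_SAMPLE='Apr 17 12:15:53 box su[1325]: + ??? root:nobody
Apr 17 12:15:53 box su[1325]: (pam_unix) session opened for user nobody by (uid=0)
Apr 17 12:19:02 box su[1536]: (pam_unix) authentication failure; logname= uid=1000 euid=0 tty=pts/0 ruser=reg_user rhost=  user=root
Apr 17 12:19:05 box su[1536]: - pts/0 reg_user:root
Apr 17 12:19:08 box su[1542]: + pts/0 reg_user:root
Apr 17 12:19:24 box su[1615]: + ??? root:mail
Apr 17 12:31:52 box su[2551]: + pts/1 reg_user:root'

# Print one line per successful su ("+" in the su summary line) in the form
#   <kind> <from_user>:<to_user>
# A "???" tty means no controlling terminal, which is what cron or a daemon
# dropping privileges looks like; a pts/N tty means an interactive shell.
classify_su() {
    printf '%s\n' "$1" | awk '
        $5 ~ /^su\[/ && $6 == "+" {
            kind = ($7 == "???") ? "non-interactive" : "interactive"
            print kind, $8
        }'
}

# Count su authentication failures. One mistyped password looks like the
# posted log; a burst of these with rhost set is a guessing attack.
count_su_failures() {
    printf '%s\n' "$1" | grep -c 'su\[[0-9]*\]: (pam_unix) authentication failure'
}

# Live-box check for the explanation given in the reply above: list the cron
# job files that invoke find or updatedb. Paths are assumed Debian defaults.
find_cron_jobs_running_find() {
    for f in /etc/cron.daily/* /etc/cron.weekly/* /etc/crontab; do
        [ -f "$f" ] || continue
        grep -l -E '(^|[^A-Za-z_])(find|updatedb)([^A-Za-z_]|$)' "$f" 2>/dev/null
    done
}

# Live-box check: print the parent chain of a running process (e.g. the pid of
# the suspicious find) using /proc, so its origin (cron vs. an unknown parent)
# is visible. The ppid is read from /proc/<pid>/stat after the ")" that closes
# the comm field, so process names containing spaces do not break parsing.
ancestry() {
    pid=$1
    while [ "$pid" -gt 1 ] && [ -r "/proc/$pid/stat" ]; do
        printf '%s: %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
        pid=$(cut -d')' -f2- "/proc/$pid/stat" | awk '{print $2}')
    done
}

# Usage on the constructed sample:
classify_su "$AUTH_SAMPLE"
echo "su failures: $(count_su_failures "$AUTH_SAMPLE")"
```

On the sample, classify_su reports the root:nobody and root:mail sessions as non-interactive and the two reg_user:root sessions as interactive, which matches the reply's explanation: the only non-interactive privilege changes are root dropping to unprivileged accounts, and nothing became root except the poster's own shells.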
Short URL to this thread: https://techguy.org/221333