Was I hacked?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

evilmrhenry

Thread Starter
Joined
Dec 14, 2001
Messages
105
Debian testing.

While web browsing, I noticed the hard drive was being accessed for no apparent reason. Running System Guard, I noticed that the 'find' command was running, with the login set to "nobody". I didn't have enough permissions to end the process as a regular user, but a console window, su, and kill command ended it. Shortly after killing the process, I noticed the 'ls' command was being run.

At this time, I disconnected the computer from the Internet, and looked at the log files. auth.log looks fine, but to get a second opinion:

Code:
Apr 17 12:10:28 box sshd[542]: Server listening on 0.0.0.0 port 22.
Apr 17 12:12:26 box kdm[825]: (pam_unix) session opened for user reg_user by (uid=0)
Apr 17 12:15:53 box su[1325]: + ??? root:nobody
Apr 17 12:15:53 box su[1325]: (pam_unix) session opened for user nobody by (uid=0)
Apr 17 12:17:01 box CRON[1398]: (pam_unix) session opened for user root by (uid=0)
Apr 17 12:17:01 box CRON[1398]: (pam_unix) session closed for user root
Apr 17 12:19:02 box su[1536]: (pam_unix) authentication failure; logname= uid=1000 euid=0 tty=pts/0 ruser=reg_user rhost=  user=root
Apr 17 12:19:05 box su[1536]: pam_authenticate: Authentication failure
Apr 17 12:19:05 box su[1536]: - pts/0 reg_user:root
Apr 17 12:19:08 box su[1542]: + pts/0 reg_user:root
Apr 17 12:19:08 box su[1542]: (pam_unix) session opened for user root by (uid=1000)
Apr 17 12:19:24 box su[1615]: + ??? root:mail
Apr 17 12:19:24 box su[1615]: (pam_unix) session opened for user mail by (uid=0)
Apr 17 12:20:01 box CRON[1817]: (pam_unix) session opened for user root by (uid=0)
Apr 17 12:20:01 box CRON[1817]: (pam_unix) session closed for user root
Apr 17 12:30:01 box CRON[2427]: (pam_unix) session opened for user root by (uid=0)
Apr 17 12:30:01 box CRON[2427]: (pam_unix) session closed for user root
Apr 17 12:31:52 box su[2551]: + pts/1 reg_user:root
Apr 17 12:31:52 box su[2551]: (pam_unix) session opened for user root by (uid=1000)
Apr 17 12:31:52 box su[2553]: + pts/1 reg_user:root
Apr 17 12:31:52 box su[2553]: (pam_unix) session opened for user root by (uid=1000)
Apr 17 12:40:01 box CRON[3123]: (pam_unix) session opened for user root by (uid=0)
Apr 17 12:40:01 box CRON[3123]: (pam_unix) session closed for user root

Now, how do I determine what caused the 'find' command to be run? I'm thinking now it was just a daemon, but a log file somewhere that shows it for sure would be helpful.

(And yes, I am going to change my passwords.)
 
Joined
Nov 15, 2002
Messages
1,964
Find is run as part of a script to update the locatedb daily by a cron job (locatedb is the database searched by the command locate (as if you couldn't guess)). Locate is used to.... locate files (try it: it's very useful...)

[edit] Oh, and it is run as nobody, because nobody is a very unprivileged user.
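As an added example (not code from this thread), a small Python triage helper for the kind of question asked above: it reads the su summary lines in the shape shown in the posted auth.log and separates terminal-less root-to-service-account switches (what a root cron script such as the locatedb update looks like when it drops to nobody) from interactive su-to-root and failed attempts. The sample lines are constructed, and the labels are a heuristic, not an authoritative verdict.

```python
import re
from collections import Counter

# Constructed sample in the same shape as the auth.log excerpt posted above.
SAMPLE_AUTH_LOG = """\
Apr 17 12:15:53 box su[1325]: + ??? root:nobody
Apr 17 12:15:53 box su[1325]: (pam_unix) session opened for user nobody by (uid=0)
Apr 17 12:17:01 box CRON[1398]: (pam_unix) session opened for user root by (uid=0)
Apr 17 12:19:05 box su[1536]: - pts/0 reg_user:root
Apr 17 12:19:08 box su[1542]: + pts/0 reg_user:root
Apr 17 12:19:24 box su[1615]: + ??? root:mail
"""

# su's own summary line: "+"/"-" (success/failure), the tty ("???" = none), then from:to.
SU_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ su\[(\d+)\]: ([+-]) (\S+) (\S+):(\S+)$"
)

def classify_su(success, tty, from_user, to_user):
    """Heuristic label for one su event (assumes syslog-style su summary lines)."""
    if not success:
        return "failed"
    if tty == "???" and from_user == "root":
        # Root switching to a service account with no terminal attached: what a
        # cron or daemon script looks like when it drops privileges, not a person.
        return "non-interactive-drop"
    return "interactive"

def parse_su_events(text):
    """Return one dict per su summary line, in log order."""
    events = []
    for line in text.splitlines():
        m = SU_RE.match(line)
        if not m:
            continue  # pam_unix session lines and CRON lines are not su summaries
        ts, pid, flag, tty, from_user, to_user = m.groups()
        success = flag == "+"
        events.append({
            "time": ts, "pid": int(pid), "success": success, "tty": tty,
            "from_user": from_user, "to_user": to_user,
            "kind": classify_su(success, tty, from_user, to_user),
        })
    return events

def review_points(events):
    """Counts per kind, plus the interactive switches to root worth a second look."""
    counts = Counter(e["kind"] for e in events)
    to_root = [e for e in events if e["kind"] == "interactive" and e["to_user"] == "root"]
    return counts, to_root
```

Running it over the real log answers the thread's question from the defender's side: the `+ ??? root:nobody` and `+ ??? root:mail` lines are root dropping privileges without a terminal, while the `pts/0` and `pts/1` entries are the poster's own su sessions.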
 