[TriLUG] Suspicious behavior: have I been hacked?
Andrew Perrin
clists at perrin.socsci.unc.edu
Sun Feb 23 21:48:16 EST 2003
I came upstairs after a weekend mostly away from my computer to find it in
a nearly-hung state. Load (by top) was >10, and there were numerous
/USR/SBIN/CRON entries which, from the logs, look like they were trying to
run exim sessions:
Feb 23 07:38:01 joehill /USR/SBIN/CRON[13821]: (mail) CMD ( if [ -x
/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Feb 23 07:53:01 joehill /USR/SBIN/CRON[13829]: (mail) CMD ( if [ -x
/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
(etc., etc.)
The other things in the ps listing were several (three, I think) instances
of:
modprobe -s -k -- net-pf-10
I do not have such a module, either loaded or available on the disk.
What's particularly worrisome is that this machine is behind another
machine running NAT, so it has only a private (192.168.0.x) address. The
NAT machine has nothing particularly suspicious about it. last commands on
both machines show only me logging in.
I would be a happier person if someone could provide a non-suspicious
explanation for this.
Thanks.
----------------------------------------------------------------------
Andrew J Perrin - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu
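As an added triage example (not part of the original post or any reply), the script below parses syslog cron lines like the two quoted above, measures the gap between successive runs of the same job, and lists any (user, command) pair not on a reviewer-supplied allow-list. The sample log is constructed from the quoted entries (unwrapped onto single lines) plus two extra lines, one of them a made-up root job, to show the allow-list check.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the first two lines are the post's quoted entries, the
# third continues the same pattern, the fourth is an invented root job.
SAMPLE_LOG = """\
Feb 23 07:38:01 joehill /USR/SBIN/CRON[13821]: (mail) CMD ( if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Feb 23 07:53:01 joehill /USR/SBIN/CRON[13829]: (mail) CMD ( if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Feb 23 08:08:01 joehill /USR/SBIN/CRON[13840]: (mail) CMD ( if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Feb 23 08:10:17 joehill /USR/SBIN/CRON[13851]: (root) CMD (/tmp/unknown.sh)
"""

# The Debian exim queue-runner command exactly as it appears in the quoted log.
EXIM_QUEUE_RUN = ("if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; "
                  "then /usr/sbin/exim -q ; fi")
# Allow-list of (user, command) pairs the reviewer expects to see.
KNOWN_JOBS = {("mail", EXIM_QUEUE_RUN)}

CRON_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /USR/SBIN/CRON\[\d+\]: "
    r"\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$"
)

def parse_cron_entries(text, year=2003):
    """Return (timestamp, user, command) for each cron CMD line in text.
    Syslog lines carry no year, so one is supplied by the caller."""
    entries = []
    for line in text.splitlines():
        m = CRON_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entries.append((ts, m["user"], m["cmd"].strip()))
    return entries

def intervals_by_job(entries):
    """Map (user, command) to the gaps, in seconds, between successive runs.
    A steady gap (e.g. 900 s) is what a crontab schedule looks like."""
    runs = defaultdict(list)
    for ts, user, cmd in entries:
        runs[(user, cmd)].append(ts)
    return {job: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for job, ts in runs.items()}

def unexpected_jobs(entries, known=KNOWN_JOBS):
    """Sorted (user, command) pairs that are not on the allow-list."""
    return sorted({(u, c) for _, u, c in entries if (u, c) not in known})
```

Feeding a real /var/log/syslog through `parse_cron_entries` gives the same two views: whether the exim runs keep a regular schedule, and whether any cron command is one the reviewer does not recognise.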