[TriLUG] Suspicious behavior: have I been hacked?

Mike Johnson mike at enoch.org
Sun Feb 23 23:35:21 EST 2003


Andrew Perrin [clists at perrin.socsci.unc.edu] wrote:
> I came upstairs after a weekend mostly away from my computer to find it in
> a nearly-hung state. Load (by top) was >10, and there were numerous
> /USR/SBIN/CRON entries which, from the logs, look like they were trying to
> run exim sessions:
> 
> Feb 23 07:38:01 joehill /USR/SBIN/CRON[13821]: (mail) CMD (  if [ -x
> /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
> Feb 23 07:53:01 joehill /USR/SBIN/CRON[13829]: (mail) CMD (  if [ -x
> /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)

Looks like a cron job of some sort.  Have you checked cron jobs for the
user joehill?  My guess is there's something scheduled to run every
twenty-five minutes.  Or, something that runs every five, but some of
the processes hung.
 
> (etc., etc.)

How many were running?  What did top say in terms of what was using the
most CPU?
 
> The other thing in the ps listing were several (three I think) instances
> of:
> 
> modprobe -s -k -- net-pf-10

This is something trying to run IPv6.  See:
http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/x1877.html

It's the IPv6 module.  Could be any number of applications.  Do you have
OpenLDAP, or maybe exim is trying IPv6?
 
> I do not have such a module, either loaded or available on the disk.

Because you don't have the IPv6 modules.  Yet, something you have
installed was compiled with IPv6 support.
 
> What's particularly worrisome is that this machine is behind another
> machine running NAT, so it has only a private (192.168.0.x) address. The
> NAT machine has nothing particularly suspicious about it. last commands on
> both machines show only me logging in.
> 
> I would be a happier person if someone could provide a non-suspicious
> explanation for this.

How'd I do?  :)

I know people gave you a lot of pointers on tools 'n such to check out,
and if you're worried, you might carry on.  However, I think there's
something far simpler going on (it really doesn't sound like your system
has been compromised).  Unfortunately, you may have lost any chance to 
figure it out.  Then again, joehill's crontab should still be there.

Mike
-- 
"If life hands you lemons, YOU BLOW THOSE LEMONS TO BITS WITH 
 YOUR LASER CANNONS!" -- Brak

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
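One way to answer the "how often does it fire?" question from the syslog lines alone, as an added example that is not part of the thread: a Python helper that parses `/USR/SBIN/CRON` entries in the format quoted above, groups them by user and command, and reports the gap between successive runs so the cadence can be compared with the crontabs. The sample log is constructed; its first two lines mirror the post, the rest are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog format of the CRON lines quoted in the thread:
#   "Feb 23 07:38:01 joehill /USR/SBIN/CRON[13821]: (mail) CMD (  if ... fi)"
CRON_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"/USR/SBIN/CRON\[(?P<pid>\d+)\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)\s*$"
)

# Constructed sample: the first two lines mirror the post (unwrapped), the
# rest are made up to show a steady cadence, a second job and a non-CRON line.
SAMPLE_LOG = """\
Feb 23 07:38:01 joehill /USR/SBIN/CRON[13821]: (mail) CMD (  if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Feb 23 07:53:01 joehill /USR/SBIN/CRON[13829]: (mail) CMD (  if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Feb 23 08:08:01 joehill /USR/SBIN/CRON[13837]: (mail) CMD (  if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Feb 23 08:23:01 joehill /USR/SBIN/CRON[13845]: (mail) CMD (  if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Feb 23 08:25:01 joehill /USR/SBIN/CRON[13846]: (root) CMD (test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily)
Feb 23 08:30:17 joehill sshd[13850]: Accepted publickey for andrew from 192.168.0.2 port 4011 ssh2
"""

def parse_cron_lines(lines, year=2003):
    """Keep only CRON 'CMD' entries; syslog omits the year, so it is supplied."""
    entries = []
    for line in lines:
        m = CRON_RE.match(line.rstrip("\n"))
        if not m:
            continue  # sshd, kernel, etc. are not what we are triaging here
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entries.append({"time": when, "host": m["host"], "pid": int(m["pid"]),
                        "user": m["user"], "cmd": " ".join(m["cmd"].split())})
    return entries

def run_intervals(entries):
    """Group runs by (user, command) and return gaps between runs in minutes."""
    runs = defaultdict(list)
    for e in entries:
        runs[(e["user"], e["cmd"])].append(e["time"])
    return {key: [int((b - a).total_seconds()) // 60 for a, b in zip(ts, ts[1:])]
            for key, ts in ((k, sorted(v)) for k, v in runs.items())}

if __name__ == "__main__":
    entries = parse_cron_lines(SAMPLE_LOG.splitlines())
    for (user, cmd), gaps in run_intervals(entries).items():
        n = len(gaps) + 1
        print(f"{user}: {n} run(s), gaps {gaps} min -> {cmd[:60]}")
```

Compare the reported cadence against /etc/crontab, /etc/cron.d/* and the per-user crontabs; cron logs a CMD line at each scheduled time whether or not the previous run has exited, so hung runs pile up exactly as described above.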
