[Chester LUG] worried - hacked?

Bryn Salisbury bryn.salisbury at gmail.com
Wed May 21 14:05:28 UTC 2008


Paul,

> messages:
>
> May 21 05:50:28 imajica-desktop syslogd 1.5.0#1ubuntu1: restart.
> May 21 06:09:53 imajica-desktop -- MARK --
> May 21 06:29:53 imajica-desktop -- MARK --
> May 21 06:49:53 imajica-desktop -- MARK --
> May 21 07:09:53 imajica-desktop -- MARK --
> May 21 07:29:53 imajica-desktop -- MARK --
> May 21 07:49:53 imajica-desktop -- MARK --
>
> Who is MARK?  Not my login?

This is syslogd logging a mark timestamp regularly into messages (every
20 min); this would be expected behaviour and shouldn't cause alarm.

> the others had the following:
>
> auth.log
>
> May 21 06:17:01 imajica-desktop CRON[7228]: PAM unable to
> dlopen(/lib/security/pam_smbpass.so)
<SNIP>

The other logs just look like standard OS housekeeping, nothing
appears to be out of the ordinary. I'd have expected to see more
remote login attempts if someone had attacked it externally.

>
> Am I still safe or has something dodgy happened?  Who is Mark?
>

For now? Quite probably. As for who Mark is, see above.

"All other things being equal, the simplest solution is the best".

External attackers will most of the time try to make sure the machine
stays up and looks as normal as possible to avoid giving the game
away. It's more likely in this case to be a local factor (power, freak
update or someone else with access logging you off).

Stay on top of your updates, minimize the services you're presenting
to the outside world and power the machine off when it's not in use.
That and keep an eye on your logs.

HTH

B
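
One way to run the check the reply describes, as an added example that is not part of the original message: it separates syslogd's `-- MARK --` heartbeats and `restart.` lines from everything else and reports stretches where nothing was logged. The `summarise` name, the two-interval gap tolerance and the two constructed lines are assumptions.

```python
import re
from datetime import datetime, timedelta

MARK_INTERVAL = timedelta(minutes=20)  # mark interval given in the reply
GAP_LIMIT = 2 * MARK_INTERVAL          # assumed tolerance before reporting a silence
LINE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

# The "messages" lines quoted in the thread.
QUOTED = """\
May 21 05:50:28 imajica-desktop syslogd 1.5.0#1ubuntu1: restart.
May 21 06:09:53 imajica-desktop -- MARK --
May 21 06:29:53 imajica-desktop -- MARK --
May 21 06:49:53 imajica-desktop -- MARK --
May 21 07:09:53 imajica-desktop -- MARK --
May 21 07:29:53 imajica-desktop -- MARK --
May 21 07:49:53 imajica-desktop -- MARK --
"""
# Constructed lines (not from the thread): logging resumes after a long silence.
CONSTRUCTED = """\
May 21 09:31:02 imajica-desktop syslogd 1.5.0#1ubuntu1: restart.
May 21 09:51:02 imajica-desktop -- MARK --
"""

def summarise(text, year=2008):
    """Count heartbeats, list restarts, report silences; `year` fills in what syslog omits."""
    report = {"marks": 0, "restarts": [], "other": [], "gaps": []}
    previous = None
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # not a syslog-format line
        stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        message = m.group(3)
        if message == "-- MARK --":
            report["marks"] += 1
        elif message.startswith("syslogd") and message.endswith("restart."):
            report["restarts"].append(stamp)
        else:
            report["other"].append(message)
        # Any line shows syslogd was alive; a long silence suggests it was not running.
        if previous is not None and stamp - previous > GAP_LIMIT:
            report["gaps"].append((previous, stamp))
        previous = stamp
    return report

if __name__ == "__main__":
    for start, end in summarise(QUOTED + CONSTRUCTED)["gaps"]:
        print("no log lines between", start, "and", end)
```

On the quoted lines alone it reports six marks, one restart and no gaps; the constructed lines add a silence from 07:49:53 to 09:31:02.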
