[Wolves] help - think I've been hacked

Jayne Heger wolves at mailman.lug.org.uk
Thu Jul 17 11:04:00 2003


> what makes you think you have been hacked?
> This would give a good place to start looking.

Well, last night when I was looking at my logs (i.e. I press F10), I got 
all this.
I have copied and pasted the bits I think are relevant.
Recently I had been having problems with my Smoothwall box (hardware 
issue) so temporarily disconnected that and instead have been running 
an iptables based SuSE's own firewall on my workstation. I do intend to 
fix my Smoothie box and install a Debian server/firewall on it.
I know if I have been hacked I'll have to re-format and install 
everything from scratch on my workstation.

I am a paranoid person BTW and do get easily spooked. ;)

Jul 17 03:59:00 tabby /USR/SBIN/CRON[29392]: (root) CMD ( rm -f 
/var/spool/cron/lastrun/cron.hourly)
Jul 17 03:59:00 tabby kernel: uhci.c: e800: host controller halted. very bad
Jul 17 03:59:31 tabby last message repeated 2299 times
Jul 17 04:00:32 tabby last message repeated 4576 times etc...... (my 
logs are full of last message repeated so many times)

Jul 17 09:10:56 tabby ip-up: Warning: detected activated samba, enabling 
FW_SERVICE_SMB!
Jul 17 09:10:56 tabby ip-up: You still have to allow tcp port 139 on 
internal, dmz and/or external.
Jul 17 09:10:56 tabby kernel: uhci.c: e800: host controller halted. very bad

Jul 17 09:29:54 tabby kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= 
SRC=217.56.254.131 DST=217.158.156.143 LEN=48 TOS=0x00 PREC=0x00 TTL=120 
ID=29683 DF PROTO=TCP SPT=1205 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 
OPT (020405B401010402)
Jul 17 09:29:54 tabby kernel: uhci.c: e800: host controller halted. very bad
Jul 17 09:29:54 tabby last message repeated 23 times
Jul 17 10:47:29 tabby kernel: SuSE-FW-UNAUTHORIZED-TARGET IN=ppp0 OUT= 
MAC= SRC=195.8.69.184 DST=217.158.156.151 LEN=60 TOS=0x00 PREC=0x00 
TTL=62 ID=29479 PROTO=TCP SPT=110 DPT=1900 WINDOW=57344 RES=0x00 ACK SYN 
URGP=0 OPT (020405B4010303000101080A7E035B7A016367E8)
Jul 17 10:47:29 tabby kernel: uhci.c: e800: host controller halted. very bad
Jul 17 10:47:30 tabby last message repeated 104 times
Jul 17 10:47:30 tabby SuSEfirewall2: Firewall rules successfully set 
from /etc/sysconfig/SuSEfirewall2
Jul 17 10:47:31 tabby kernel: uhci.c: e800: host controller halted. very bad
Jul 17 10:47:31 tabby last message repeated 5 times

thanks

Jayne
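
An added example, not part of the original message: a small triage script for a paste like the one above. It rejoins the records the mail client wrapped, pulls the netfilter fields out of the SuSE-FW lines, and folds syslog's "last message repeated N times" lines into a count for the message they refer to, so the firewall records are not buried under the uhci.c noise. The function names and the choice of fields are this example's own assumptions; SAMPLE is an excerpt of the log lines quoted in the message.

```python
import re
from collections import Counter

# Excerpt copied from the message above, mail-client line wrapping left in place.
SAMPLE = """\
Jul 17 09:29:54 tabby kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC=
SRC=217.56.254.131 DST=217.158.156.143 LEN=48 TOS=0x00 PREC=0x00 TTL=120
ID=29683 DF PROTO=TCP SPT=1205 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
OPT (020405B401010402)
Jul 17 09:29:54 tabby kernel: uhci.c: e800: host controller halted. very bad
Jul 17 09:29:54 tabby last message repeated 23 times
Jul 17 10:47:29 tabby kernel: SuSE-FW-UNAUTHORIZED-TARGET IN=ppp0 OUT=
MAC= SRC=195.8.69.184 DST=217.158.156.151 LEN=60 TOS=0x00 PREC=0x00
TTL=62 ID=29479 PROTO=TCP SPT=110 DPT=1900 WINDOW=57344 RES=0x00 ACK SYN
URGP=0 OPT (020405B4010303000101080A7E035B7A016367E8)
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")  # "Jul 17 09:29:54 host "
FW = re.compile(r"kernel: (SuSE-FW-[A-Z-]+) (.*)")                 # log prefix, then fields
REPEAT = re.compile(r"last message repeated (\d+) times")
FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

def unwrap(text):
    """Rejoin wrapped records: a line with no syslog timestamp continues the previous one."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def triage(text):
    """Return (firewall events, Counter of all other messages with repeats folded in)."""
    events, other, prev = [], Counter(), None
    for rec in unwrap(text):
        fw, rep = FW.search(rec), REPEAT.search(rec)
        if fw:
            tokens = fw.group(2).split()
            f = dict(t.split("=", 1) for t in tokens if "=" in t)
            events.append({"rule": fw.group(1), "src": f.get("SRC"), "dst": f.get("DST"),
                           "spt": int(f.get("SPT", 0)), "dpt": int(f.get("DPT", 0)),
                           "flags": [x for x in FLAGS if x in tokens]})  # port 0 = not logged
            prev = None
        elif rep and prev:  # a repeat line refers to the message logged just before it
            other[prev] += int(rep.group(1))
        elif not rep:
            prev = STAMP.sub("", rec)
            other[prev] += 1
    return events, other
```

Calling `triage(SAMPLE)` returns the two packet records (an inbound SYN to port 445, and a SYN/ACK from source port 110 to port 1900) plus a count of 24 for the uhci.c message.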