peter kostov wrote:
> Martin Marques wrote:
>> peter kostov wrote:
>>> Hello,
>>>
>>> I was not reading my system logs regularly (that's bad!). Today I
>>> noticed the following:
>>
>> Install logwatch.
>>
>> [snip]
>>>
>>> In the logs I found exactly the same results since one month ago.
>>>
>>> Does that mean I have been hacked and all those binaries are replaced?
>>> The secure logs are full of unaccepted ssh connections. The only
>>> successful connections for this period are from a known IP, but
>>> unfortunately I have no older logs.
>>
>> Doesn't look like that. Anyway, I didn't read in all your mail which
>> version of FC you were running, and if you have upgrades up2date.
> I am running FC5 with yum enabled.
>>
>> I wouldn't worry so much. But get logwatch running right away.
>>
>
> I have logwatch installed, but I didn't know about it. Thanks for
> pointing it out!
>
> On the other machine in my local network there is one 'bad' binary
> reported by rkhunter - wget. This second computer accesses the Internet
> through the one we are discussing.
> It is also running FC5 with yum, although the installation isn't exactly
> the same.
>
> Peter
>
Two things: I don't get any 'bad' binaries when I run chkrootkit, so I
would suspect problems when I see results like yours.

You can also use RPM to check the same files. For example, to check wget:

$ type wget
wget is hashed (/usr/bin/wget)
$ rpm -qf /usr/bin/wget
wget-1.10.2-8.fc6.1
$ rpm -V wget
$

You can also use "rpm -Vv wget" if you want to see what RPM is doing,
instead of it returning with no message if everything matches.

I would run "rpm -V coreutils" on the system as a first step. If it
reports files that do not match, I would back up your data, wipe, and
re-install! (If it does not find anything, then either it was a smart
attacker, or you are safe...)

Mikkel
--
Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
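The `rpm -V` check Mikkel describes prints nothing when a package matches, and otherwise one line per differing file, starting with an attribute string in which `.` means "matches", `?` means "could not be tested" and a letter names the attribute that differs (classic eight-column order S M 5 D L U G T for size, mode, MD5 digest, device, symlink, user, group, mtime; later rpm releases append a ninth column P for capabilities). A file that is gone entirely is printed as `missing`. The script below is an added example, not part of the original thread: it decodes that format and separates the finding that matters for the rootkit question (a non-config file whose checksum or size changed, or a missing file) from the noise of locally edited config files, which routinely show `T` or `5` changes. The `rpm -V` output it reads is constructed sample text, not output from Peter's machines.

```shell
#!/bin/sh
# Decode and triage `rpm -V` output.
# Column letters (position order): S size, M mode, 5 md5 digest, D device,
# L symlink, U user, G group, T mtime, P capabilities (newer rpm only).
# '.' = attribute matches, '?' = could not be tested, "missing" = file absent.

# Constructed sample (NOT from the original mail): what `rpm -V coreutils`
# might print on a box with a replaced /bin/ls, an edited config file,
# a deleted binary and one file rpm could not checksum.
SAMPLE_RPM_V='S.5....T.    /bin/ls
.......T.  c /etc/DIR_COLORS
missing     /usr/bin/sha1sum
..?......    /usr/bin/prelink'

# decode_flags FLAGS -> space-separated names of the attributes that differ
decode_flags() {
    flags=$1
    out=""
    while [ -n "$flags" ]; do
        ch=${flags%"${flags#?}"}   # first character
        flags=${flags#?}           # drop it
        case $ch in
            S) out="$out size" ;;
            M) out="$out mode" ;;
            5) out="$out md5" ;;
            D) out="$out device" ;;
            L) out="$out symlink" ;;
            U) out="$out user" ;;
            G) out="$out group" ;;
            T) out="$out mtime" ;;
            P) out="$out capabilities" ;;
        esac
    done
    printf '%s' "${out# }"
}

# report_tampered_files  (reads `rpm -V` output on stdin)
# Prints "path: attributes" for every non-config file whose payload changed
# (checksum or size differs) and for every missing file. Config files
# (type column "c") are skipped: their edits are expected on a live system.
report_tampered_files() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case $line in
            missing*)
                printf '%s: missing\n' "${line##* }"
                continue ;;
        esac
        flags=${line%% *}                 # attribute string
        rest=${line#"$flags"}
        rest=${rest#"${rest%%[! ]*}"}     # strip leading spaces
        # optional file-type column: c config, d doc, g ghost, l license, r readme
        case $rest in
            [cdglr]\ *) type=${rest%% *}; path=${rest#* } ;;
            *)          type="";          path=$rest ;;
        esac
        if [ "$type" = c ]; then
            continue
        fi
        case $flags in
            *5*|*S*) printf '%s: %s\n' "$path" "$(decode_flags "$flags")" ;;
        esac
    done
}

# Example run on the constructed sample; on a real box you would pipe
# `rpm -V coreutils` or `rpm -Va` into report_tampered_files instead.
printf '%s\n' "$SAMPLE_RPM_V" | report_tampered_files
```

On the sample this prints `/bin/ls: size md5 mtime` and `/usr/bin/sha1sum: missing`, while the edited `/etc/DIR_COLORS` and the untestable `/usr/bin/prelink` line are left out. The same caveat Mikkel gives applies here: the comparison trusts the local `rpm` binary and its database, so a clean result from a possibly compromised system is weaker evidence than the same check run from rescue media against a database known to be intact.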