Re: Securing my Linux-pc? Worried....hacked?

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 05/06/02


From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid>
Date: Mon, 6 May 2002 07:19:40 +0000 (UTC)


< Borge Haga

Your original post: 3 May 2002 22:37:15 GMT
Your local time: 3 May 2002 20:37:15 +0200
You said: about one hour ago
Your noticed time: 3 May 2002 19:3?:?? +0200

>May 2 17:26:46 localhost sshd[776]: Received signal 15; terminating.
>May 2 17:30:52 dhcppc3 sshd[824]: Server listening on 0.0.0.0 port 22.

Did you change the host name from 'localhost' to 'dhcppc3' between May 2
17:26:46 and May 2 17:30:52? Do you remember? Check `cat /etc/HOSTNAME` and
`cat /etc/hosts`.

>Date: Sat, 4 May 2002 18:43:31 +0200
>rejecting connections on daemon MTA: load average: 14
>accepting connections again for daemon MTA

How about trying the following command: `grep -ni 'relay' /var/log/m*`

>(I tried out sending one email from the Linux box so that one entry
>is made by me):
>Date: Sat, 4 May 2002 18:56:04 +0200
>Final-Recipient: RFC822; atonline@online.no
>Status: 5.5.2
>Diagnostic-Code: SMTP; 501 <root@dhcppc3>... Sender domain must exist

I wonder why you send mail to <atonline@online.no>.

Going only by this Logwatch output in the mbox, I could not find a signature
of compromise. How about downloading, compiling and running `chkrootkit`?

http://www.chkrootkit.org/

-- 
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
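
The two log checks suggested in the reply above (the syslog host field changing across the sshd restart, and the `grep -ni 'relay'` search), written as an added example that is not part of the original post. The function names and the first and last sample lines are constructed for illustration; the two sshd lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: two quick triage checks over classic syslog-format lines
# ("Mon DD HH:MM:SS host tag[pid]: message").

# Constructed sample input; lines 2 and 3 are the sshd lines quoted in the thread.
sample_log() {
cat <<'EOF'
May  2 17:20:01 localhost sendmail[701]: starting daemon: SMTP+queueing@01:00:00
May  2 17:26:46 localhost sshd[776]: Received signal 15; terminating.
May  2 17:30:52 dhcppc3 sshd[824]: Server listening on 0.0.0.0 port 22.
May  2 17:31:10 dhcppc3 sendmail[850]: ruleset=check_rcpt, relay=[192.0.2.7], reject=550 Relaying denied
EOF
}

# Report every point where the host field (4th column) changes, with the
# last timestamp under the old name, the first under the new name, and the
# logging gap between them (same-day entries only).
host_changes() {
    awk '
    function secs(t,   p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    {
        day = $1 " " $2; host = $4
        if (prev != "" && host != prev) {
            gap = (day == prev_day) ? (secs($3) - secs(prev_time)) "s" : "n/a"
            printf "%s -> %s between %s %s and %s %s (gap %s)\n",
                   prev, host, prev_day, prev_time, day, $3, gap
        }
        prev = host; prev_day = day; prev_time = $3
    }' "$@"
}

# Case-insensitive search for relay activity, as in the post's grep;
# -n prefixes each hit with its line number.
relay_hits() {
    grep -ni 'relay' "$@"
}

# Stand-alone run on the constructed sample.
sample_log | host_changes
sample_log | relay_hits
```

Both functions read standard input when called without arguments, or take log file paths such as the `/var/log/m*` glob used in the post.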