How to understand if I have been hacked and am being monitored?!?!

Hi,

I have this thought that my machine might have been compromised.

Can you guys help me make a checklist of things to do to see if I can figure out whether or not my machine is compromised, please!

Open a terminal and type

w
or
who

This gives you a list of users on the computer.

chkrootkit is the first thing I would run.

chkrootkit – locally checks for signs of a rootkit

I had an attack on one of my servers many years ago, and this found it quickly for me.

Good luck.

phantom74 wrote:

> i have this thought that my machine might have been compromised.

why do you think that?

does anyone else have the ability to touch/use your machine without
you present?

when you say “my machine” what do you mean by that?

what operating system and version are you running?

and, is it fully patched with all security updates?

are you running a firewall?
have you tweaked that firewall any?

are you behind a router and wired to it?
or, are you using wifi?

if using wifi are you using a strong cypher to protect?

is your password and root’s password the same? are both passwords
“strong”? <http://en.wikipedia.org/wiki/Password_strength>

> can you guys help me to make a check list of things to do to see if i
> can figure out if my machine is or not compromised please!

if you took no precautions to harden your system past the default
install, and depending on how you answer the few questions above it is
from fairly difficult to completely impossible to craft an
after-the-crack checklist that will either correctly put your mind at
ease or give you a false sense of security that your machine has
not been compromised…

that said, i see you have been a member of this forum for just over a
month…and wonder how many years of *nix or other system experience
you have…


DenverD
When it comes to chocolate, resistance is futile.
CAVEAT: http://is.gd/bpoMD [posted via NNTP w/openSUSE 10.3]

In light of what DenverD had to say, after I did find a rootkit on my system, the only fix was to format the drives, and reinstall everything. Make sure you have backups from before the rootkit was installed.

A simple one, for simple-hacked systems: check your /tmp for executable files…(green ones)

In general, prevention is worth a pound of cure (backups, apply security templates, harden with layered defenses and patch updating).

If you’re wondering after the fact, I’m afraid there is no simple checklist or recommendation that’s worth anything, you should always consider any machine that can receive input as hackable and exposure vectors directly related to what the machine accepts, eg keyboard, internet data packets, email, DVDs, more. You can monitor live and view logged data for clues but unless you’re looking for something specific it’s generally difficult and costly to really do much good. A shotgun approach to monitoring everything can also be so resource intensive as to drive your machine to its knees.

Since it’s impossible to really know with absolute certainty you’ve been hacked, you can still take a pragmatic approach to decreasing your exposure by understanding what you do with your machine, removing any unnecessary functionality and applying recommended measures. If you understand what you’re looking at or are willing to pay for services or apps you can also view logs and run various utilities like netstat to know what you’re connecting to.

Tony
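As an added example (not code from the thread), here is a Python script that does the /tmp check suggested above in a repeatable way: it walks the usual scratch directories (/tmp, /var/tmp and /dev/shm are the assumed defaults) and lists regular files with any execute bit set, together with owner, mode and mtime, and flags names tucked under a dot directory or carrying a setuid/setgid bit. It uses lstat and does not descend into symlinked directories, so the scan cannot be redirected elsewhere; the make_sample_dir() helper builds a constructed scratch tree to try it on.

```python
"""List executable files in scratch directories (added example, not from the thread).

Assumed defaults: /tmp, /var/tmp, /dev/shm. Pass your own list to scan_dirs().
"""
import os
import stat
import tempfile
import time
from dataclasses import dataclass
from typing import Iterable, List

DEFAULT_DIRS = ("/tmp", "/var/tmp", "/dev/shm")  # assumption: typical scratch dirs


@dataclass
class Finding:
    path: str
    uid: int
    mode: str     # symbolic mode, e.g. -rwxr-xr-x
    mtime: str    # local time of last modification
    hidden: bool  # some path component below the scanned dir starts with '.'
    setid: bool   # setuid or setgid bit set (far more suspicious in a scratch dir)


def is_executable(st: os.stat_result) -> bool:
    """Regular file with any execute bit set (owner, group or other)."""
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & exec_bits)


def scan_dirs(dirs: Iterable[str] = DEFAULT_DIRS) -> List[Finding]:
    """Return executables found under the given dirs, most suspicious first."""
    findings: List[Finding] = []
    for base in dirs:
        if not os.path.isdir(base):
            continue
        for root, dirnames, filenames in os.walk(base):
            # Do not follow symlinked directories: a hostile link could drag the walk elsewhere.
            dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(root, d))]
            for name in filenames:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)  # lstat: describe the entry itself, never its target
                except OSError:
                    continue
                if not is_executable(st):
                    continue
                rel_parts = os.path.relpath(path, base).split(os.sep)
                findings.append(Finding(
                    path=path,
                    uid=st.st_uid,
                    mode=stat.filemode(st.st_mode),
                    mtime=time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)),
                    hidden=any(p.startswith(".") for p in rel_parts),
                    setid=bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID)),
                ))
    # setid first, then hidden, then by path
    return sorted(findings, key=lambda f: (not f.setid, not f.hidden, f.path))


def make_sample_dir() -> str:
    """Construct a sample scratch tree (constructed data, not from a real machine)."""
    base = tempfile.mkdtemp(prefix="tmp-scan-demo-")

    def put(rel: str, mode: int) -> str:
        p = os.path.join(base, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(p, mode)
        return p

    put("notes.txt", 0o644)   # plain data, must not be reported
    put("runme.sh", 0o755)    # ordinary executable
    put(".cache/x", 0o700)    # executable inside a hidden directory
    return base


if __name__ == "__main__":
    for f in scan_dirs():
        flags = ("SETID " if f.setid else "") + ("HIDDEN" if f.hidden else "")
        print(f"{f.mode} uid={f.uid} {f.mtime} {f.path} {flags}".rstrip())
```

Run it as root so /var/tmp and other users' files are readable; an empty result does not prove anything, but a fresh setuid binary or a hidden executable in /tmp is worth explaining before trusting the machine.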

+1²

A hacked machine will not deliver reliable log files, monitor outputs or the like. It is not (reliably) possible to analyse it, nor can it be “cleaned”.

So how would you then find out that it has been hacked? By that description there is no way. Forensics is normally done through logs, no?

For example by viewing the network packets entering and leaving the system (by using an external system). A proper rootkit knows quite well how to hide its trails.

You cannot trust log files on a hacked machine. Reasons are that the log files are not recording the output of the “xxxx” daemon. Quite often the hacker will replace “vi”, and other programs, with his own copy, that hides text under normal conditions. There are many ways to hide things and the best hackers know how to do it.

I started learning how to hack after I got hacked in order to protect my systems. It isn’t easy to do, and it’s getting harder to do it well.

Good evening everyone,
thank you for your quick replies and I'm sorry for my late reply, it was a hard day at work.

The reason I opened this topic is not because I was hacked, it is just a suspicion of mine because of a couple of reasons.
This is my first try at openSUSE (seems robust enough to me) and I'm still not quite familiar with it; secondly, I have been noticing some weird but little changes in my environment.

I'm running a Toshiba Satellite with openSUSE 11.3_x64.

Yesterday I had my wallpaper changed at log-on without me changing it. Another weird thing that happened was that I suddenly saw a very high load on the disk without my interference; something was running in the background consuming 80% of the disk load. This was not hard to find out, it was the indexing of mount points going on. What I found strange was that it was the first time it ran without my interference, and although it may be configured to run when a specific amount of data is added to the disk, I did not configure any cron jobs nor anything, so I found it suspicious.

As stated back on the 1st page, hacking has evolved very much and fast these days; rootkits are major concerns, and the ability to hide processes/tasks and scripts and to send information without one being able to know or see kind of makes me nervous. So what I was trying to get help with is to gather a checklist of tasks to do to check if there is any possibility that the machine has been or could be compromised, and maybe we could all gather the info, round it up into a script and stick it in the forum.

To me security is one hell of a concern; I have nothing to hide but I don't like the fact that I might be under surveillance or under control.
I would ask you guys to put your heads together so we can make a serious checklist.

Gonna go get a tea, brb…

By what you say:
you are using KDE 4.3 or similar, installed recently.
Changing wallpapers (even wallpapers vanishing) are a bug in the KDE version delivered originally with 4.3 of the 64-bit version. I had this myself. Upgrading to 4.5 (following the howtos on this site) frees you of this.
System load will be high especially at the beginning because KDE4 comes with a semantic desktop (strigi) that runs a file indexing while the machine is recent. You may set it to off; google for “deactivate strigi opensuse” or search in the search function of this site.
Else?

> would ask you guys to put your heads together so we can make a serious checklist.

Again: there’s no such thing as a reliable checklist. Actually checking network packets via an external system is the only thing I can think of (there might be other ways, though).

I can not explain the changed wallpaper, but the disk activity is obviously provoked by the indexer (as you mentioned already). I wonder why you write “something” was running in the background, because tools like ‘top’, ‘htop’ or ‘iotop’ will show you (on a clean machine) what processes are running. You seem to run a regular home desktop; to me it’s unlikely someone would take the effort to install a rootkit on that - besides, the default security settings of openSUSE have all network ports shut, so an attack via the net is pretty much impossible.

I suppose you run KDE4 as your desktop environment; KDE4 is using a file indexer named ‘strigi’ (with a frontend called ‘Akonadi’) which is enabled by default.

Edit: stakanov was quicker… :)

:) doing my very best to beat you Gropiuskralle :)

No bro, not at all, I'm running a default GNOME install of SUSE 11.3 and I have chosen a wallpaper, not the ones which are shipped with the OS.
The indexing: actually it was the first time it ran like this. The first time, it popped up an icon near the network connection manager, which makes it obviously easy to see what's going on. Not this time.

Yes, top will show you the processes run by the users, but in case of a rootkit… I wouldn't be so sure.
The only port I have opened is port 1974 for ssh with no password, configured with keys. And in my home environment I open the smb share, but I'm behind an internal firewall and a router + SuSEfirewall2 on this machine.

This thought of mine is also because I suspect my chief to be sniffing my traffic and trying to filter my content. Any idea how I would make sure he is not doing this without him noticing?

On 2010-10-22 00:36, gropiuskalle wrote:

> Again: there’s no such thing as a reliable checklist. Actually checking
> network packages via an external system is the only thing I can think of
> (there might be other ways, though).

Boot a live system on the same machine and examine files. Compare key files with signatures stored
externally, in advance.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)
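Carlos's suggestion above (signatures of key files stored externally in advance, compared later from a live system) as an added Python example; this is not code from the thread. The file names such as bin/ls in the demo are constructed. The baseline is a JSON file of SHA-256 digests that you would keep off the machine, and the check runs against whatever path the suspect filesystem is mounted at (read-only, from the live system), so the on-disk copies of tools like ls or ps are hashed without ever executing them.

```python
"""Build and verify a SHA-256 baseline of key files (added example, not from the thread).

Workflow: build_baseline() on a known-good system -> save_baseline() to external media;
later, boot a live system, mount the suspect disk read-only, load_baseline() and verify().
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Optional

Baseline = Dict[str, Optional[str]]  # relative path -> hex digest, or None if absent


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str, rel_paths: List[str]) -> Baseline:
    """Record a digest for every watched path; files that do not exist are recorded as None,
    so their later appearance is itself reported."""
    baseline: Baseline = {}
    for rel in rel_paths:
        full = os.path.join(root, rel)
        baseline[rel] = sha256_file(full) if os.path.isfile(full) else None
    return baseline


def save_baseline(baseline: Baseline, path: str) -> None:
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> Baseline:
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def verify(root: str, baseline: Baseline) -> Dict[str, List[str]]:
    """Compare the tree under `root` with the baseline and bucket every watched path."""
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in baseline.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            if expected is not None:
                report["missing"].append(rel)      # was there at baseline time, gone now
            continue
        actual = sha256_file(full)
        if expected is None:
            report["unexpected"].append(rel)       # absent at baseline time, present now
        elif actual != expected:
            report["modified"].append(rel)         # contents changed
        else:
            report["ok"].append(rel)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed demo: baseline a tiny tree, tamper with it, then verify."""
    root = tempfile.mkdtemp(prefix="baseline-demo-")
    files = {"bin/ls": b"ls-bytes", "bin/ps": b"ps-bytes", "bin/netstat": b"netstat-bytes"}
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    watch = sorted(files) + ["bin/extra"]          # bin/extra does not exist yet
    baseline_path = os.path.join(root, "baseline.json")  # in real use: external media
    save_baseline(build_baseline(root, watch), baseline_path)

    # Simulate what a later check should catch: one altered, one removed, one new file.
    with open(os.path.join(root, "bin/ps"), "ab") as f:
        f.write(b"-altered")
    os.remove(os.path.join(root, "bin/netstat"))
    with open(os.path.join(root, "bin/extra"), "wb") as f:
        f.write(b"new")
    return verify(root, load_baseline(baseline_path))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

The baseline is only as trustworthy as the system it was taken on and the medium it is kept on; take it right after installation and patching, and store it somewhere the machine cannot write to.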

Good morning,

OK, another weird thing happened. I just got to the office minutes ago, booted up, logged in to GNOME and suddenly 2 RDP client session windows popped up automatically to one of the Win2k3 DC servers, and I mean as soon as I logged in here at the office. How is this possible? I don't understand this; this is the first time I see this happening! Could it be the RDP sessions that I left open and shut down without closing them, and SUSE auto-assumes those connections were lost accidentally and reconnects them? Does not make sense to me anyway.

Here is the output of top:

Tasks: 194 total, 4 running, 190 sleeping, 0 stopped, 0 zombie
Cpu(s): 1.1%us, 0.9%sy, 0.0%ni, 98.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 3918088k total, 899372k used, 3018716k free, 41796k buffers
Swap: 2109436k total, 0k used, 2109436k free, 549524k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1687 root 20 0 125m 19m 8104 S 4 0.5 0:19.12 Xorg
3380 nuno 20 0 250m 15m 11m R 2 0.4 0:00.48 gnome-terminal
3111 nuno 20 0 191m 10m 8148 S 1 0.3 0:07.66 multiload-apple
3097 nuno 20 0 180m 25m 5076 S 1 0.7 0:05.07 compiz
3098 nuno 20 0 373m 21m 15m S 0 0.6 0:01.16 gnome-panel
3225 nuno 20 0 705m 83m 32m S 0 2.2 0:28.66 firefox
6785 nuno 20 0 8668 1172 788 R 0 0.0 0:00.05 top
1 root 20 0 12408 776 628 S 0 0.0 0:00.90 init
2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
3 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/0
4 root 20 0 0 0 0 S 0 0.0 0:00.16 ksoftirqd/0
5 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/0
6 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/1
7 root 20 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/1
8 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/1
9 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/2
10 root 20 0 0 0 0 S 0 0.0 0:00.04 ksoftirqd/2
11 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/2
12 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/3
13 root 20 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/3
14 root RT 0 0 0 0 S 0 0.0 0:00.00 watchdog/3
15 root 20 0 0 0 0 S 0 0.0 0:00.05 events/0
16 root 20 0 0 0 0 S 0 0.0 0:00.03 events/1
17 root 20 0 0 0 0 S 0 0.0 0:00.05 events/2
18 root 20 0 0 0 0 R 0 0.0 0:00.04 events/3
19 root 20 0 0 0 0 S 0 0.0 0:00.00 netns
20 root 20 0 0 0 0 S 0 0.0 0:00.00 async/mgr
21 root 20 0 0 0 0 S 0 0.0 0:00.00 pm
22 root 20 0 0 0 0 S 0 0.0 0:00.00 sync_supers
23 root 20 0 0 0 0 S 0 0.0 0:00.00 bdi-default
24 root 20 0 0 0 0 S 0 0.0 0:00.00 kintegrityd/0
25 root 20 0 0 0 0 S 0 0.0 0:00.00 kintegrityd/1
26 root 20 0 0 0 0 S 0 0.0 0:00.00 kintegrityd/2
27 root 20 0 0 0 0 S 0 0.0 0:00.00 kintegrityd/3
28 root 20 0 0 0 0 S 0 0.0 0:00.00 kblockd/0
29 root 20 0 0 0 0 S 0 0.0 0:00.00 kblockd/1
30 root 20 0 0 0 0 S 0 0.0 0:00.00 kblockd/2

linux-l0y2:~ # netstat --inet eth0 -ntulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1879/rpcbind
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2360/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2422/master
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2318/avahi-daemon:
udp 0 0 0.0.0.0:68 0.0.0.0:* 2178/dhclient
udp 0 0 0.0.0.0:111 0.0.0.0:* 1879/rpcbind
udp 0 0 0.0.0.0:35196 0.0.0.0:* 2318/avahi-daemon:
udp 0 0 0.0.0.0:631 0.0.0.0:* 2360/cupsd
udp 0 0 0.0.0.0:740 0.0.0.0:* 1879/rpcbind

linux-l0y2:~ # w
10:30:13 up 14 min, 2 users, load average: 0.01, 0.09, 0.08
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
nuno :0 10:16 ?xdm? 1:07 0.02s /usr/lib/gdm/gdm-simple-slave --display-id /org/gnome/DisplayManager/Display1
nuno pts/0 10:17 0.00s 0.09s 1.01s gnome-terminal
linux-l0y2:~ # tty
/dev/pts/0

Could someone help me understand how the RDP sessions were initiated automatically?

By the way, I have noticed that I'm not getting SUSE updates for a long time now, for 2 weeks, and I continue to have a key error regarding the Packman repo.
Here are my repos:

[Packman]
name=Packman repository (openSUSE_11.3)
enabled=1
autorefresh=1
baseurl=http://packman.inode.at/suse/11.3
type=rpm-md
gpgcheck=1
gpgkey=http://packman.inode.at/suse/11.3/repodata/repomd.xml.key
keeppackages=1

[openSUSE-11.3 11.3-1.82]
name=openSUSE-11.3 11.3-1.82
enabled=1
autorefresh=0
baseurl=cd:///?devices=/dev/sr0
path=/
type=yast2
keeppackages=0

[repo-non-oss]
name=openSUSE-11.3-Non-Oss
enabled=1
autorefresh=1
baseurl=http://download.opensuse.org/distribution/11.3/repo/non-oss/
path=/
type=yast2
keeppackages=0

[repo-oss]
name=openSUSE-11.3-Oss
enabled=1
autorefresh=1
baseurl=http://download.opensuse.org/distribution/11.3/repo/oss/
path=/
type=yast2
keeppackages=0

[repo-source]
name=openSUSE-11.3-Source
enabled=0
autorefresh=1
baseurl=http://download.opensuse.org/source/distribution/11.3/repo/oss/
path=/
type=yast2
keeppackages=0

No updates, not even security updates, for 2 weeks now; what is wrong here?
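The netstat output posted above, run through an added Python example (not code from the thread) that does the kind of triage Tony mentioned earlier when he brought up netstat: it parses `netstat -ntulp` rows (tcp, tcp6, udp, udp6) and separates sockets bound to a loopback address from those bound to every interface (0.0.0.0 or ::). Whether an all-interfaces listener is actually reachable still depends on the firewall (SuSEfirewall2 here), so the result is a list of what to look at, not a verdict.

```python
"""Classify listening sockets from `netstat -ntulp` output (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample input: the netstat listing posted in the thread above.
NETSTAT_OUTPUT = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1879/rpcbind
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2360/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2422/master
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2318/avahi-daemon:
udp 0 0 0.0.0.0:68 0.0.0.0:* 2178/dhclient
udp 0 0 0.0.0.0:111 0.0.0.0:* 1879/rpcbind
udp 0 0 0.0.0.0:35196 0.0.0.0:* 2318/avahi-daemon:
udp 0 0 0.0.0.0:631 0.0.0.0:* 2360/cupsd
udp 0 0 0.0.0.0:740 0.0.0.0:* 1879/rpcbind
"""

ANY_ADDR = {"0.0.0.0", "::", "*"}   # bound to every interface


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    state: str    # "LISTEN" for tcp; udp rows print no State column
    pid: str      # "-" when netstat could not read it (e.g. not run as root)
    program: str


def split_addr(local: str) -> Tuple[str, int]:
    """Split 'addr:port'; rpartition keeps IPv6 literals such as ':::111' intact."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def parse_netstat(text: str) -> List[Listener]:
    """Turn the rows of `netstat -ntulp` into Listener records, skipping banner/header lines."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith(("tcp", "udp")):
            continue
        proto = parts[0]
        addr, port = split_addr(parts[3])
        if proto.startswith("tcp"):
            state = parts[5]
            pidprog = parts[6] if len(parts) > 6 else "-"
        else:
            state = ""
            pidprog = parts[5] if len(parts) > 5 else "-"
        pid, _, program = pidprog.partition("/")
        # netstat truncates long program names and may leave a trailing ':'
        listeners.append(Listener(proto, addr, port, state, pid, program.rstrip(":")))
    return listeners


def is_loopback(addr: str) -> bool:
    return addr == "::1" or addr.startswith("127.")


def summarize(text: str) -> Dict[str, List[str]]:
    """Bucket listeners by how widely they are bound."""
    report: Dict[str, List[str]] = {"loopback_only": [], "all_interfaces": [], "specific_address": []}
    for l in parse_netstat(text):
        label = f"{l.proto}/{l.port} {l.program or l.pid}"
        if is_loopback(l.addr):
            report["loopback_only"].append(label)
        elif l.addr in ANY_ADDR:
            report["all_interfaces"].append(label)
        else:
            report["specific_address"].append(f"{label} on {l.addr}")
    return report


if __name__ == "__main__":
    for bucket, items in summarize(NETSTAT_OUTPUT).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Compare the all_interfaces bucket against what you believe the machine should offer and against the firewall rules; anything you cannot account for (or a listener whose program name does not match the package that should own that port) is what to investigate, and as the earlier replies note, on a rootkitted box even this listing can be lying, so confirm from an external system where it matters.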

stakanov wrote:
> System load will be high especially at the beginning because KDE4 comes
> with a semantic desktop

additionally, openSUSE comes with (or did, maybe it has changed) daily
cron set to run somewhere around midnight to 2 AM (local time, i don’t
remember the exact time which is default)…but, if the machine is
not running during that time block it won’t get done…

and then, the next time the machine is booted it will automatically
detect that the daily cron has not yet run today (since midnight)
and it will auto-run around 15 to 30 minutes after the minute the
machine boots…

i can recommend you reset the default daily cron run time for a time
during your day when the machine is usually running and not being
heavily used by you…mine is set to run during my lunch time…


DenverD