[SATLUG] Possible attack
dondavis at reglue.org
Thu Jan 24 11:32:02 CST 2013
Well, I don't know about experienced but the first place I'd look would
be - /var/log/auth.log
To check login attempts, logins, whatnot.
Do you have an ssh server enabled? Which port? Is root enabled?
Did you possibly push a button by accident or hit keyboard shortcuts -
some alts or ctrls?
Were you on a home network? Behind a firewall? Wireless - WEP? WPA?
Go ahead and boot with a live disk and then mount your drive read-only
and start doing some ls -art to see what the last files accessed were.
On 01/24/2013 11:06 AM, hc at lookcee.com wrote:
> Hey gang, I think I may have gotten hacked at yesterday. I was in a chat session with my niece in FL & suddenly my screen had file mgr windows opening and closing. I saw they all were partition labels on the USB-BU drive and I looked at the drive. The bright blue light was lit full blast so I hit the off switch; total elapsed time was about 5 sec. The LED was bright blue maybe a sec & a half. I have not turned the drive back on yet. Mint-13 Mate 12.06
> 1. I want to look at the logs to see if what happened was recorded. I have 25 logs that I know of.
> 2. I know it wasn't me that opened that HD. sdb1, sdb3 & sdb5 were all three accessed.
> 3. Time was 12:55:16 at end minus a few secs. The time slot of 12:54:00 to 12:55:15.
> So what log(s) show disk read/write? What do I look for/under. Suggestions of what you experienced ones would do.
> I confess in my 6 yrs with the bird I have always wondered about using the logs. I would like to know what I can learn in this instance. I am not sure I was even hacked but I would like to know.
> Thanks, herb
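
One way to run the /var/log/auth.log check suggested in the reply, narrowed to the 12:54:00 to 12:55:15 window given in the question (an added example, not part of either post). The log lines are constructed, and the date of Jan 23 2013, the host name, users and addresses are assumptions; in practice the text would come from a copy of auth.log read off the read-only mount.

```python
import re
from datetime import datetime

# Constructed sample in traditional syslog format; host, users and IPs are made up.
SAMPLE_AUTH_LOG = """\
Jan 23 12:40:02 mintbox CRON[2101]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 12:54:07 mintbox sshd[2290]: Failed password for root from 203.0.113.9 port 40112 ssh2
Jan 23 12:54:11 mintbox sshd[2290]: Accepted password for herb from 203.0.113.9 port 40112 ssh2
Jan 23 12:54:11 mintbox sshd[2290]: pam_unix(sshd:session): session opened for user herb by (uid=0)
Jan 23 12:55:14 mintbox sudo:     herb : TTY=pts/2 ; PWD=/home/herb ; USER=root ; COMMAND=/usr/bin/apt-get update
Jan 23 13:10:45 mintbox sshd[2290]: pam_unix(sshd:session): session closed for user herb
"""

# "Mon DD HH:MM:SS host program[pid]: message" (the pid part is optional)
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:\[\s]+)(?:\[\d+\])?:\s*(.*)$")

# Message shapes worth a look when asking "did anyone log in or escalate?"
PATTERNS = [
    ("ssh-login-failed", re.compile(r"Failed \w+ for (?:invalid user )?(\S+) from (\S+)")),
    ("ssh-login-ok", re.compile(r"Accepted \w+ for (\S+) from (\S+)")),
    ("session-opened", re.compile(r"session opened for user (\S+)")),
    ("sudo-command", re.compile(r"^\s*(\S+) : .*COMMAND=(.*)$")),
]

def events_in_window(log_text, start, end, year=2013):
    """Return (time, program, kind, details) for classified lines with start <= time <= end."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a syslog-style line
        stamp, _host, prog, msg = m.groups()
        # Traditional syslog timestamps carry no year, so it is supplied by the caller.
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if not (start <= when <= end):
            continue
        for kind, pat in PATTERNS:
            found = pat.search(msg)
            if found:
                hits.append((when.strftime("%H:%M:%S"), prog, kind, found.groups()))
                break
    return hits

if __name__ == "__main__":
    start = datetime(2013, 1, 23, 12, 54, 0)
    end = datetime(2013, 1, 23, 12, 55, 15)
    for hit in events_in_window(SAMPLE_AUTH_LOG, start, end):
        print(hit)
```

An empty result for the window means auth.log recorded no login, session or sudo activity in that time slot; rotated copies such as auth.log.1 need the same pass if the current file starts after the window.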