[SATLUG] Possible attack

Don Davis dondavis at reglue.org
Thu Jan 24 11:32:02 CST 2013


Well, I don't know about experienced but the first place I'd look would
be - /var/log/auth.log

To check login attempts, logins, whatnot.


Do you have an ssh server enabled? Which port? Is root enabled?

Did you possibly push a button by accident or hit keyboard shortcuts -
some alts or ctrls?

Were you on a home network? Behind a firewall? Wireless - WEP? WPA?

Go ahead and boot with a live disk and then mount your drive read-only
and start doing some ls -art to see what the last files accessed were.

On 01/24/2013 11:06 AM, hc at lookcee.com wrote:
> Hey gang, I think I may have gotten hacked at yesterday. I was in a chat session with my niece in FL & suddenly my screen had file mgr windows opening and closing. I saw they all were partition labels on the USB-BU drive and I looked at the drive. The bright blue light was lit full blast so I hit the off sw; total elapsed time was about 5 sec. The LED was bright blue maybe a sec & a half. I have not turned the drive back on yet. Mint-13 Mate 12.06
> 
> 1. I want to look at the logs to see if what happened was recorded. I have 25 logs that I know of.
> 
> 2. I know it wasn't me that opened that HD. sdb1, sdb3 & sdb5 were all three accessed.
> 
> 3. Time was 12:55:16 at end minus few secs. The time slot of 12:54:00 to 12:55:15.
> 
> So what log(s) show disk read/write? What do I look for/under? Suggestions of what you experienced ones would do.
> 
> I confess in my 6 yrs with the bird I have always wondered about using the logs. I would like to know what I can learn in this instance. I am not sure I was even hacked but I would like to know.
> Thanks herb

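One way to run the /var/log/auth.log check suggested in the reply over the 12:54:00 to 12:55:15 slot from the original message, as an added example that is not part of either message. The log lines, host name, user name and addresses are constructed, the function names are hypothetical, and the date Jan 23 is an assumption taken from "yesterday" relative to the reply's date.

```shell
#!/bin/sh
# Added example: narrow auth.log to a time window, then count login events.
# All log lines below are constructed sample data (documentation IP ranges).

sample_log() {
cat <<'EOF'
Jan 23 12:40:01 mintbox CRON[2101]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 23 12:54:07 mintbox sshd[2230]: Failed password for root from 203.0.113.9 port 51122 ssh2
Jan 23 12:54:31 mintbox sshd[2234]: Accepted password for user1 from 203.0.113.9 port 51130 ssh2
Jan 23 12:54:31 mintbox sshd[2234]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Jan 23 12:58:44 mintbox sudo: pam_unix(sudo:session): session opened for user root by user1(uid=1000)
Jan 24 12:54:50 mintbox sshd[3001]: Failed password for root from 198.51.100.4 port 40022 ssh2
EOF
}

# auth_window MONTH DAY START END [FILE]
# Prints lines whose syslog timestamp falls on MONTH DAY between START and
# END (HH:MM:SS, inclusive). Reads stdin when FILE is omitted.
auth_window() {
    awk -v mon="$1" -v dom="$2" -v start="$3" -v end="$4" '
        # $1=month  $2=day of month  $3=HH:MM:SS (fixed width, so string
        # comparison orders the times correctly)
        $1 == mon && $2 + 0 == dom + 0 && $3 >= start && $3 <= end
    ' "${5:--}"
}

# auth_summary: reads auth.log lines on stdin and counts sshd logins,
# failed sshd passwords and PAM sessions opened by any service.
auth_summary() {
    awk '
        /sshd\[[0-9]+\]: Accepted /       { accepted++ }
        /sshd\[[0-9]+\]: Failed password/ { failed++ }
        /session opened for user/         { opened++ }
        END { printf "accepted=%d failed=%d sessions_opened=%d\n",
                     accepted, failed, opened }
    '
}

echo "== lines in window =="
sample_log | auth_window Jan 23 12:54:00 12:55:15
echo "== summary =="
sample_log | auth_window Jan 23 12:54:00 12:55:15 | auth_summary
```

Against a real log, pass the file as the fifth argument, for example the auth.log under wherever the drive is mounted read-only. An empty window means nothing was written to auth.log in that slot, which points away from a login-based explanation.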
