On 08/16/2010 09:25 AM, JD wrote:
> On 08/15/2010 08:46 PM, steve wrote:
>> PS: Just incidentally, since this happened, I was wondering whether anyone could
>> suggest a good document that introduces the basics of figuring out whether your
>> system has been compromised and how to go about understanding how, if it has?
> Since ssh was involved, search
> /var/log/messages* and
> /var/log/secure*
>
> and find out who was able to log in via ssh and run
> that process

Thanks JD. Yes, my system was compromised :-/. I'm to blame: although my system was online with sshd running, the postgres user password was guessable! Like I said, the box is unimportant so I don't mind recreating ... lesson learned.

details: (from /var/log/secure-20100815)

Aug 15 03:44:30 laptop sshd[21749]: Accepted password for postgres from 109.53.25.64 port 50196 ssh2
Aug 15 03:44:30 laptop sshd[21749]: pam_unix(sshd:session): session opened for user postgres by (uid=0)
Aug 15 03:44:32 laptop sshd[21751]: subsystem request for sftp
Aug 15 03:45:53 laptop sshd[21749]: pam_unix(sshd:session): session closed for user postgres

[root@laptop pgsql]# ls -la /var/lib/pgsql/
...
-rw-r--r-- 1 postgres postgres 1895122 2010-08-06 04:45 W2Ksp3.exe
drwxr-xr-x 4 postgres postgres    4096 2010-08-15 04:29 .x
...
[root@laptop pgsql]# ls -l /var/lib/pgsql/.x/
...
[a bunch of Perl scripts and some stripped static binaries]
...

Also, as far as the /usr/lib/.libssl.so.*.hmac files are concerned, Google tells me that these files contain the HMAC checksum of the OpenSSL libraries. So, that was a false positive by chkrootkit.

cheers,
- steve
--
random spiel: http://lonetwin.net/
what i'm stumbling into: http://lonetwin.stumbleupon.com/
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
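As an added example (not code from the thread or from either poster), here is a small Python parser for the sshd "Accepted ..." records that JD suggests searching for in /var/log/secure*. It is run over the login lines steve quoted plus one constructed key-based login for contrast; the SERVICE_ACCOUNTS set and the steve/192.0.2.10 line are assumptions made for the example.

```python
"""Summarise successful sshd logins from /var/log/secure-style lines and flag
the ones a defender would want to look at first: password logins, and any
login to a service account such as postgres that should never log in at all.
"""
import re
from collections import defaultdict

# Matches the sshd "Accepted <method> for <user> from <src> port <n>" record
# format quoted in the thread (syslog timestamp, host, sshd[pid]).
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

# Assumption for this example: accounts with no business logging in over ssh.
SERVICE_ACCOUNTS = {"postgres", "mysql", "apache", "nobody", "www-data"}


def parse_accepted(lines):
    """Return one dict (ts, host, pid, method, user, src, port) per login."""
    return [m.groupdict() for m in map(ACCEPTED_RE.match, map(str.strip, lines)) if m]


def summarise(logins):
    """Count logins per (user, source address, auth method) triple."""
    counts = defaultdict(int)
    for entry in logins:
        counts[(entry["user"], entry["src"], entry["method"])] += 1
    return dict(counts)


def suspicious(logins, service_accounts=SERVICE_ACCOUNTS):
    """Logins to a service account, or any password (non-key) login."""
    return [e for e in logins
            if e["user"] in service_accounts or e["method"] == "password"]


# Constructed sample: the two login-related lines from the thread, plus one
# made-up key-based login for a normal user (192.0.2.10 is a documentation address).
SAMPLE = """\
Aug 15 03:44:30 laptop sshd[21749]: Accepted password for postgres from 109.53.25.64 port 50196 ssh2
Aug 15 03:44:30 laptop sshd[21749]: pam_unix(sshd:session): session opened for user postgres by (uid=0)
Aug 15 09:12:01 laptop sshd[22010]: Accepted publickey for steve from 192.0.2.10 port 41022 ssh2
""".splitlines()

if __name__ == "__main__":
    found = parse_accepted(SAMPLE)
    for (user, src, method), n in sorted(summarise(found).items()):
        print(f"{user:10s} {src:16s} {method:10s} {n}")
    for e in suspicious(found):
        print(f"CHECK: {e['ts']} {e['user']} via {e['method']} from {e['src']}")
```

On a real host, replace SAMPLE with the lines of /var/log/secure* (and the rotated copies) and compare the source addresses and methods against what you expect for each account.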