Security incident?

maudib
Level 1
Posts: 8
Joined: Mon Jan 23, 2012 1:09 am

Security incident?

Post by maudib » Mon Feb 27, 2012 11:18 am

Hi
I was looking through the email that my Linux Mint 12 sends to the root account and this email was found, under the subject name of ***SECURITY information for myhost***


myhost : Feb 25 09:30:15 : user : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/user ; USER=root ;
+COMMAND=/usr/lib/linuxmint/mintUpdate/mintUpdate.py show

I don't really know what to make of it. There are many other such emails that are the same except they refer to different commands. Does it indicate that I've been compromised?
Thank you for any replies
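As an added example (not part of the original thread, and not code from Linux Mint or sudo), here is a small parser for the kind of record quoted above, so that a batch of these mails can be triaged instead of read one by one. The sample mail body is constructed: the first record is the one from the post, the second is made up to show a failure from a terminal session rather than a graphical prompt. The parser re-joins wrapped lines (the `+` continuation seen in the quoted mail), pulls out the invoking user, target user, TTY, working directory and command, and summarises attempts per command. `TTY=unknown` is the detail worth noticing: it means the password prompt had no controlling terminal, which is what a graphical helper such as an update manager produces, as opposed to someone typing `sudo` in a shell.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample mail body. The first record is the one quoted in the post
# (host name, user and command taken from it); the second record is made up to
# show a failure from an interactive terminal instead of a GUI prompt.
SAMPLE_MAIL = """\
myhost : Feb 25 09:30:15 : user : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/user ; USER=root ;
+COMMAND=/usr/lib/linuxmint/mintUpdate/mintUpdate.py show
myhost : Feb 25 18:02:41 : user : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/user ; USER=root ;
+COMMAND=/usr/bin/apt-get update
"""

# host : Mon DD HH:MM:SS : invoking_user : N incorrect password attempt(s) ; key=value ; ...
RECORD_RE = re.compile(
    r"^(?P<host>\S+) : (?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) : "
    r"(?P<invoking_user>\S+) : (?P<attempts>\d+) incorrect password attempts? ; (?P<rest>.*)$"
)


@dataclass
class SudoFailure:
    host: str
    timestamp: str
    invoking_user: str
    attempts: int
    tty: str
    pwd: str
    target_user: str
    command: str


def unwrap(mail_body: str) -> List[str]:
    """Re-join wrapped records: a line starting with '+' continues the previous record."""
    records: List[str] = []
    for line in mail_body.splitlines():
        if line.startswith("+") and records:
            records[-1] += " " + line[1:]
        elif line.strip():
            records.append(line)
    return records


def parse_record(line: str) -> Optional[SudoFailure]:
    """Parse one unwrapped record; return None for lines that are not sudo failure records."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for part in m.group("rest").split(" ; "):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key] = value
    return SudoFailure(
        host=m.group("host"),
        timestamp=m.group("timestamp"),
        invoking_user=m.group("invoking_user"),
        attempts=int(m.group("attempts")),
        tty=fields.get("TTY", ""),
        pwd=fields.get("PWD", ""),
        target_user=fields.get("USER", ""),
        command=fields.get("COMMAND", ""),
    )


def parse_mail(mail_body: str) -> List[SudoFailure]:
    """Parse a whole mail body into failure records, skipping anything that is not one."""
    parsed = (parse_record(line) for line in unwrap(mail_body))
    return [r for r in parsed if r is not None]


def summarize(records: List[SudoFailure]) -> Dict[str, object]:
    """Aggregate what a quick triage needs: who tried, for which commands, and from where."""
    by_command: Dict[str, int] = {}
    for r in records:
        by_command[r.command] = by_command.get(r.command, 0) + r.attempts
    return {
        "total_attempts": sum(r.attempts for r in records),
        "by_command": by_command,
        "invoking_users": sorted({r.invoking_user for r in records}),
        "target_users": sorted({r.target_user for r in records}),
        # TTY=unknown means no controlling terminal, i.e. the prompt came from a
        # graphical helper rather than from a shell session.
        "gui_only": all(r.tty == "unknown" for r in records),
    }


if __name__ == "__main__":
    recs = parse_mail(SAMPLE_MAIL)
    for r in recs:
        print(f"{r.timestamp} {r.invoking_user}->{r.target_user} x{r.attempts} tty={r.tty} {r.command}")
    print(summarize(recs))
```

What to look for in the summary: failures where the invoking user is not the person who sits at the machine, a target user other than root, or a real TTY at a time nobody was logged in are the cases that merit following up; a handful of attempts from the local user's own account, with no TTY, against the system's own updater is the pattern of a cancelled or mistyped graphical password prompt.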

hellfire695
Level 3
Posts: 125
Joined: Thu Jan 19, 2012 4:25 pm

Re: Security incident?

Post by hellfire695 » Mon Feb 27, 2012 11:32 am

Unless you entered the commands, then yes, YOU HAVE. Get that machine offline and running chkrootkit. Run chkrootkit (paranoid is good), then back up and reinstall.

johnkarma
Level 1
Posts: 2
Joined: Mon Feb 27, 2012 1:44 pm

Re: Security incident?

Post by johnkarma » Mon Feb 27, 2012 2:23 pm

Looks like you typed your password incorrectly three times when doing an update.

maudib
Level 1
Posts: 8
Joined: Mon Jan 23, 2012 1:09 am

Re: Security incident?

Post by maudib » Mon Feb 27, 2012 2:28 pm

rkhunter and chkrootkit indicate that there are no rootkits. Tripwire indicates some suspicious stuff. These are:
1) strings has a different md5
2) last has a different md5
3) unix_chkpwd has a different md5
4) unix_update has a different md5
5) /root/.bash_history was created today
6) ifup and ifdown have a different md5
Do you think that I've really been compromised? I can't determine how they got in (I have no open ports on my router or on my Mint box). Netfilter was also blocking all incoming connections. It seems to either be a very sophisticated attack or an attack from another host on the LAN. How do I determine how they got in? How do I determine which host (on my LAN or on the Internet) got in?
Thank you for replies
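An added example, not part of the thread and not Tripwire's or dpkg's own code, showing the check a defender would run next when an integrity monitor reports changed md5 sums on system binaries: compare the files against the checksums the package manager itself recorded at install time. On Debian-derived systems such as Mint, dpkg keeps these in `/var/lib/dpkg/info/<package>.md5sums` (one `<md5>  <path relative to />` line per file), and the `debsums` tool automates the comparison. The code below implements the same comparison, and to stay runnable offline it builds a throwaway fake root with constructed files: one that matches its recorded sum, one that has been altered, and one that is missing. Running it against a real system would mean passing `root="/"` and the contents of a real md5sums file.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def parse_md5sums(text: str) -> Dict[str, str]:
    """Parse dpkg's md5sums format: '<32 hex md5>  <path relative to />' per line."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, rel_path = line.rstrip("\n").partition("  ")
        if not sep or len(digest) != 32 or not rel_path:
            raise ValueError(f"malformed md5sums line: {line!r}")
        expected[rel_path] = digest.lower()
    return expected


def md5_of_file(path: str) -> str:
    """Hash a file in chunks; md5 is used only because that is what dpkg records."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(expected: Dict[str, str], root: str = "/") -> Dict[str, List[str]]:
    """Compare every recorded file under `root` with its recorded md5.

    Returns sorted lists of paths that match ('ok'), differ ('changed') or
    are absent ('missing').
    """
    result: Dict[str, List[str]] = {"ok": [], "changed": [], "missing": []}
    for rel_path, digest in sorted(expected.items()):
        full = os.path.join(root, rel_path)
        if not os.path.isfile(full):
            result["missing"].append(rel_path)
        elif md5_of_file(full) == digest:
            result["ok"].append(rel_path)
        else:
            result["changed"].append(rel_path)
    return result


def demo() -> Dict[str, List[str]]:
    """Build a constructed fake root and verify it; stands in for a real /var/lib/dpkg/info file."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "usr/bin")
        os.makedirs(bin_dir)
        # Constructed file contents, not real binaries.
        good = b"#!/bin/sh\necho strings\n"
        with open(os.path.join(bin_dir, "strings"), "wb") as f:
            f.write(good)
        with open(os.path.join(bin_dir, "last"), "wb") as f:
            f.write(b"#!/bin/sh\necho last\n")
        # Recorded sums: correct for 'strings', deliberately wrong for 'last'
        # (simulating a modified file), and 'ifup' is recorded but not present.
        md5sums = (
            f"{hashlib.md5(good).hexdigest()}  usr/bin/strings\n"
            f"{'0' * 32}  usr/bin/last\n"
            f"{'1' * 32}  usr/bin/ifup\n"
        )
        return verify(parse_md5sums(md5sums), root)


if __name__ == "__main__":
    for state, paths in demo().items():
        for p in paths:
            print(f"{state:8s} {p}")
```

Two caveats when reading the result on a real machine. A changed sum on its own is not evidence of tampering: every package upgrade rewrites the binaries, and `/var/log/dpkg.log` shows whether the packages owning `strings`, `last`, `unix_chkpwd` or `ifup` were upgraded on the day the monitor's baseline fell out of date. And md5 sums stored on the same disk as the binaries are only as trustworthy as the disk; if a compromise is genuinely suspected, the comparison belongs on checksums fetched from the distribution's package archive or taken from install media, not from the running system.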

maudib
Level 1
Posts: 8
Joined: Mon Jan 23, 2012 1:09 am

[SOLVED] Re: Security incident?

Post by maudib » Mon Feb 27, 2012 7:39 pm

What an idiot I've been. This message gets emailed to me every time I launch update-manager or synaptic and then change my mind and press cancel, instead of authenticating. Very, very sorry to waste your time!

hellfire695
Level 3
Posts: 125
Joined: Thu Jan 19, 2012 4:25 pm

Re: [SOLVED] Re: Security incident?

Post by hellfire695 » Tue Feb 28, 2012 9:22 am

maudib wrote: What an idiot I've been. This message gets emailed to me every time I launch update-manager or synaptic and then change my mind and press cancel, instead of authenticating. Very, very sorry to waste your time!
hahaha, no worries, happens to the best of us
