
Security incident?

Posted: Mon Feb 27, 2012 11:18 am
by maudib
Hi
I was looking through the email that my Linux Mint 12 sends to the root account and this email was found, under the subject name of ***SECURITY information for myhost***

Code:

myhost : Feb 25 09:30:15 : user : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/user ; USER=root ;
+COMMAND=/usr/lib/linuxmint/mintUpdate/mintUpdate.py show
I don't really know what to make of it. There are many other such emails that are the same except they refer to different commands. Does it indicate that I've been compromised?
Thank you for any replies.

Re: Security incident?

Posted: Mon Feb 27, 2012 11:32 am
by hellfire695
Unless you entered the commands, then yes, YOU HAVE. Got that machine running chkrootkit and offline. Run chkrootkit (paranoid is good), then back up and reinstall.

Re: Security incident?

Posted: Mon Feb 27, 2012 2:23 pm
by johnkarma
Looks like you typed your password incorrectly three times when doing an update.

Re: Security incident?

Posted: Mon Feb 27, 2012 2:28 pm
by maudib
rkhunter and chkrootkit indicate that there are no rootkits. Tripwire indicates some suspicious stuff. These are:
1) strings has a different md5
2) last has a different md5
3) unix_chkpwd has a different md5
4) unix_update has a different md5
5) /root/.bash_history was created today
6) ifup and ifdown have a different md5
Do you think that I've really been compromised? I can't determine how they got in (I have no open ports on my router or on my Mint box). Netfilter was also blocking all incoming connections. It seems to either be a very sophisticated attack or an attack from another host on the LAN. How do I determine how they got in? How do I determine which host (on my LAN or on the Internet) got in?
Thank you for replies.

[SOLVED]Re: Security incident?

Posted: Mon Feb 27, 2012 7:39 pm
by maudib
What an idiot I've been. This message gets emailed to me every time I launch update-manager or synaptic and then change my mind and press cancel, instead of authenticating. Very, very sorry to waste your time!

Re: [SOLVED]Re: Security incident?

Posted: Tue Feb 28, 2012 9:22 am
by hellfire695
maudib wrote: What an idiot I've been. This message gets emailed to me every time I launch update-manager or synaptic and then change my mind and press cancel, instead of authenticating. Very, very sorry to waste your time!
Hahaha, no worries, happens to the best of us.
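
Added example, not part of any post in this thread: a small parser for sudo alert mails like the one quoted in the first post, which totals failed password attempts per invoking user, TTY and command so they can be matched against your own sessions. Only the first sample alert comes from the thread; the other two are constructed, and treating a leading "+" as a wrapped continuation line is an assumption based on how the quoted alert is laid out.

```python
import re
from collections import Counter

# Layout as in the quoted alert:
# host : date : user : reason ; TTY=... ; PWD=... ; USER=... ; COMMAND=...
ALERT_RE = re.compile(
    r"^(?P<host>\S+) : (?P<when>\w{3}\s+\d+ [\d:]+) : (?P<user>\S+) : "
    r"(?P<reason>[^;]+?) ; (?P<fields>.*)$")

SAMPLE = """\
myhost : Feb 25 09:30:15 : user : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/user ; USER=root ;
+COMMAND=/usr/lib/linuxmint/mintUpdate/mintUpdate.py show
myhost : Feb 26 18:02:41 : user : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/user ; USER=root ;
+COMMAND=/usr/sbin/synaptic
myhost : Feb 26 18:05:10 : user : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/user ; USER=root ;
+COMMAND=/bin/ls /root
"""  # alerts 2 and 3 are constructed sample data

def unfold(text):
    """Join wrapped lines (assumed to start with '+') onto the previous line."""
    out = []
    for line in text.splitlines():
        if line.startswith("+") and out:
            out[-1] += " " + line[1:].strip()
        elif line.strip():
            out.append(line.strip())
    return out

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # COMMAND is last and may itself contain ';', so split it off first.
    head, _, command = rec.pop("fields").partition("COMMAND=")
    for part in head.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            rec[key] = val
    rec["COMMAND"] = command.strip()
    n = re.match(r"(\d+) incorrect password attempts?", rec["reason"])
    rec["failed"] = int(n.group(1)) if n else 0
    return rec

def summarize(text):
    """Total failed attempts per (invoking user, TTY, command)."""
    totals = Counter()
    for rec in filter(None, map(parse_alert, unfold(text))):
        if rec["failed"]:
            totals[(rec["user"], rec.get("TTY", "?"), rec["COMMAND"])] += rec["failed"]
    return totals
```

Calling `summarize()` on the saved alert mails gives one row per user, TTY and command, which makes it quick to see whether each failure lines up with something you launched yourself.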