Dustpuppy, posted April 26, 2004

Hi, I've been running 9.2 for the past month or so on a large college network, and I've just realised that I did something VERY stupid when I set the thing up: I thought on the firewall you checked the boxes for services you wanted to be able to use, rather than what you want other people to have access to! So I've had web server, domain name server and ftp enabled. I've now _dis_abled them (no boxes checked under drakfirewall), but is there any way of checking my system hasn't been hacked? A couple of things worry me:

1) my net connection is slower than it ought to be
2) I'm getting lots of martians in /var/log/messages
3) I've just found an entry in the system logs "forbidding remote root login"

Should I be worried? I am, as you can tell, a complete n00b!
bvc, posted April 26, 2004

The logs, basically. What log said "forbidding remote root login"? As a user you can open a terminal > su to root > and do tail -f /var/log/messages and monitor in realtime B)
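Beyond watching the log scroll by with tail -f, a short script can do the first-pass triage the thread is after: count the entries the original poster was worried about (martians, refused root logins) and list where the martian packets claimed to come from. This is an added example, not code from the thread or from Mandrake; the log lines it writes to a temp file are constructed to match the shapes mentioned above (the gconfd line bvc quotes, kernel "martian source" entries, and the "forbidding remote root login" text), and the patterns and function names are the example's own.

```shell
#!/bin/sh
# Added example: first-pass triage of a syslog-style file such as /var/log/messages.
# Usage: triage_log /var/log/messages   (run as root, since the file is root-readable).
# Everything below works on a constructed sample file so it can be run offline.

# Write constructed sample lines (not a real capture) to a temp file and print its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Apr 10 14:11:52 localhost gconfd (root-677): starting (version 2.4.0.1), pid 677 user 'root'
Apr 10 14:12:03 localhost kernel: martian source 10.0.0.5 from 192.0.2.9, on dev eth0
Apr 10 14:12:04 localhost kernel: martian source 10.0.0.5 from 192.0.2.9, on dev eth0
Apr 10 14:13:10 localhost sshd[812]: ROOT LOGIN REFUSED FROM 198.51.100.7
Apr 10 14:13:11 localhost login: forbidding remote root login from 198.51.100.7
Apr 10 14:14:00 localhost sshd[813]: Accepted password for alice from 10.0.0.12 port 40011 ssh2
EOF
    echo "$f"
}

# count_matches FILE PATTERN: print the number of lines matching PATTERN (case-insensitive).
# grep -c exits 1 when nothing matches, so "|| true" keeps "set -e" scripts alive and
# still prints the 0.
count_matches() {
    grep -c -i -- "$2" "$1" || true
}

# martian_sources FILE: distinct addresses a "martian source" line says the packet came
# from. A martian is a packet whose source address should not be reachable on that
# interface (often spoofed or misrouted), so the sender list is what to follow up on.
martian_sources() {
    grep -i 'martian source' "$1" \
        | sed -n 's/.*from \([0-9.][0-9.]*\),.*/\1/p' \
        | sort -u
}

# triage_log FILE: one-line count per pattern of interest, then the martian sender list.
# Nothing here proves or disproves a compromise; it just tells you what to look at first.
triage_log() {
    log=$1
    for pat in 'martian source' 'forbidding remote root login' \
               'ROOT LOGIN REFUSED' 'Accepted password'; do
        printf '%-30s %s\n' "$pat" "$(count_matches "$log" "$pat")"
    done
    printf '%-30s %s\n' 'martian senders' "$(martian_sources "$log" | tr '\n' ' ')"
}

# Stand-alone run against the constructed sample.
SAMPLE=$(make_sample_log)
triage_log "$SAMPLE"
rm -f "$SAMPLE"
```

A steady stream of martians from one address is worth comparing against the interface's routing (ip route or route -n) and the college firewall's logs; a successful "Accepted" login for an account you do not recognise is the line that actually warrants the reinstall others suggest in this thread.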
Dustpuppy, posted April 27, 2004

It was in /var/log/messages. I'm also worried because gconfd (which I can't find out about) keeps on starting with no intervention from me, e.g.:

gconfd (root-xxxx) starting (version 2.4.0.1) PID xxxx user "root"

eek!
Michel, posted April 27, 2004

You could scan for known ... rootkits. http://www.rootkit.nl/ This could be a start. Mandrake should make tripwires and all this security stuff default. It would make life easier I think. Hope this helps.
bvc, posted April 27, 2004

Quoting Dustpuppy: "It was in /var/log/messages. I'm also worried because gconfd (which I can't find out about) keeps on starting with no intervention from me: eg gconfd (root-xxxx) starting (version 2.4.0.1) PID xxxx user "root" eek!"

That's normal... at least I've always seen it.
Cannonfodder, posted April 27, 2004

If you just don't trust it anymore, you can reinstall a new copy. Sounds like a copout but you get everything replaced. Just keep any special scripts and no other files.
bvc, posted April 27, 2004

From my /var/log/messages:

Apr 10 14:11:52 localhost gconfd (root-677): starting (version 2.4.0.1), pid 677 user 'root'

I'd imagine it's because it's a daemon? I've never looked into why it starts. :unsure:
Dustpuppy, posted April 27, 2004

Quoting bvc: "that's normal...at least I've always seen it."

I'm glad it's normal... I think I just got a little jumpy after discovering my mistake with the firewall B) I've run rkhunter and it's all clear - phew! And my 'net connection's playing normal again, hurrah. I do get very jumpy about security here - the college's firewall etc. is fab, but we're a science and technology college, so inside the firewall there are always going to be script kiddies in training wanting to show off :sigh: Many thanks to everyone!