Dustpuppy, Posted April 26, 2004: Hi, I've been running 9.2 for the past month or so on a large college network, and I've just realised that I did something VERY stupid when I set the thing up: I thought on the firewall you checked the boxes for services you wanted to be able to use, rather than what you want other people to have access to! So I've had web server, domain name server and ftp enabled. I've now _dis_abled them (no boxes checked under drakfirewall), but is there any way of checking my system hasn't been hacked? A couple of things worry me: 1) my net connection is slower than it ought to be; 2) I'm getting lots of martians in /var/log/messages; 3) I've just found an entry in the system logs "forbidding remote root login". Should I be worried? I am, as you can tell, a complete n00b!
bvc, Posted April 26, 2004: The logs, basically. What log said "forbidding remote root login"? As a user you can open a terminal > su to root > and do tail -f /var/log/messages and monitor in real time B)
Dustpuppy (author), Posted April 27, 2004: It was in /var/log/messages. I'm also worried because gconfd (which I can't find out about) keeps on starting with no intervention from me, e.g. "gconfd (root-xxxx) starting (version 2.4.0.1) PID xxxx user "root"". Eek!
Michel, Posted April 27, 2004: You could scan for known rootkits. http://www.rootkit.nl/ could be a start. Mandrake should make tripwires and all this security stuff default. It would make life easier, I think. Hope this helps.
bvc, Posted April 27, 2004: "It was in /var/log/messages. I'm also worried because gconfd (which I can't find out about) keeps on starting with no intervention from me: eg gconfd (root-xxxx) starting (version 2.4.0.1) PID xxxx user "root" eek!" That's normal... at least I've always seen it.
Cannonfodder, Posted April 27, 2004: If you just don't trust it anymore, you can reinstall a new copy. Sounds like a copout, but you get everything replaced. Just keep any special scripts and no other files.
bvc, Posted April 27, 2004: From my /var/log/messages: "Apr 10 14:11:52 localhost gconfd (root-677): starting (version 2.4.0.1), pid 677 user 'root'". I'd imagine it's because it's a daemon? I've never looked into why it starts. :unsure:
Dustpuppy (author), Posted April 27, 2004: "That's normal... at least I've always seen it." I'm glad it's normal... I think I just got a little jumpy after discovering my mistake with the firewall B) I've run rkhunter and it's all clear, phew! And my 'net connection's playing normal again, hurrah. I do get very jumpy about security here: the college's firewall etc. is fab, but we're a science and technology college, so inside the firewall there are always going to be script kiddies in training wanting to show off :sigh: Many thanks to everyone!
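As an added example that is not part of the thread or of Mandrake: the posts above come down to "read /var/log/messages and decide which lines matter" (bvc's tail -f advice, Dustpuppy's martians and "forbidding remote root login" entry, and the gconfd start that bvc says is normal). The Python script below does that triage over a handful of syslog lines, grouping anything with a remote address by source so that a run of refused root logins from one host stands out from background noise. Only the gconfd line is quoted from bvc's post; every other sample line, the rule names and the severity levels are constructed for this example and are my own choices, not a standard.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines in classic syslog layout. Only
# the gconfd line is quoted from the thread; the rest is made up for this
# example and uses RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Apr 10 14:11:52 localhost gconfd (root-677): starting (version 2.4.0.1), pid 677 user 'root'
Apr 26 10:02:11 localhost kernel: martian source 192.0.2.5 from 198.51.100.9, on dev eth0
Apr 26 10:02:11 localhost kernel: ll header: 00:11:22:33:44:55:66:77:88:99:aa:bb:08:00
Apr 26 10:05:33 localhost sshd[1234]: Failed password for root from 203.0.113.7 port 4444 ssh2
Apr 26 10:05:40 localhost sshd[1234]: Failed password for root from 203.0.113.7 port 4445 ssh2
Apr 26 10:06:01 localhost in.ftpd[1300]: connect from 203.0.113.7
Apr 26 10:07:12 localhost CROND[1350]: (root) CMD (run-parts /etc/cron.hourly)
"""

# (rule name, pattern, severity). Patterns are matched against the text after
# the "Mon DD hh:mm:ss host " prefix. A named group 'src' captures the remote
# address when the message carries one. Severities are this example's own.
RULES = [
    # Per-user GNOME settings daemon; it starts on demand whenever a GConf
    # client runs as that user, so a root instance is expected after running
    # root-owned desktop tools. Informational only.
    ("gconfd_start", re.compile(r"gconfd \(\S+\): starting"), "info"),
    # The kernel prints the destination address first and the suspect source
    # second: a packet arrived on an interface that should never see that
    # source (spoofing, or a routing/netmask mistake somewhere on the LAN).
    # Worth a look when one source repeats, not an alert on its own.
    ("martian", re.compile(r"kernel: martian source \S+ from (?P<src>\S+),"), "review"),
    # A refused remote root login. One is noise; a run from one address is a
    # password-guessing attempt and belongs at the top of the report.
    ("root_login_refused", re.compile(r"sshd\[\d+\]: Failed password for root from (?P<src>\S+)"), "alert"),
    ("root_login_refused", re.compile(r"forbidding remote root login"), "alert"),
    # A tcp_wrappers-style service (in.ftpd, in.telnetd, ...) accepted a
    # connection: evidence that an exposed service was actually reached.
    ("service_connect", re.compile(r"in\.\w+\[\d+\]: connect from (?P<src>\S+)"), "review"),
]

SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")


def triage(log_text):
    """Classify each syslog line; lines no rule matches are kept as 'info'."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        body = SYSLOG_PREFIX.sub("", line, count=1)
        for name, pattern, severity in RULES:
            m = pattern.search(body)
            if m:
                src = m.groupdict().get("src")
                events.append({"severity": severity, "rule": name, "src": src, "line": line})
                break
        else:
            events.append({"severity": "info", "rule": "unmatched", "src": None, "line": line})
    return events


def summarize(events):
    """Return (count per severity, count of alert lines per source address)."""
    by_severity = Counter(e["severity"] for e in events)
    alert_sources = Counter(e["src"] for e in events if e["severity"] == "alert" and e["src"])
    return by_severity, alert_sources


def repeat_offenders(events, threshold=2):
    """Sources with at least `threshold` alert/review events, busiest first."""
    hits = Counter(e["src"] for e in events if e["src"] and e["severity"] in ("alert", "review"))
    return sorted(((s, n) for s, n in hits.items() if n >= threshold), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    evs = triage(SAMPLE_LOG)
    sev, srcs = summarize(evs)
    print("by severity:", dict(sev))
    for src, n in repeat_offenders(evs):
        print(f"repeat offender {src}: {n} events")
    for e in evs:
        if e["severity"] != "info":
            print(f"[{e['severity']:6}] {e['rule']:18} {e['line']}")
```

Run against a real file with `triage(open("/var/log/messages").read())`; the point of the per-source grouping is that the same address showing up in refused root logins and in an ftpd connect is a single story, which a line-by-line read of tail -f output easily misses.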