jmr0311

I'm probably being HACKED, help !!!

What is the .ICEauthority hidden file in my home directory? I notice my machine is a little slow, and I'm wondering if my system is being compromised. I'm not running any server, and there is only one user, ME. I read this line "MIT-MAGIC-COOKIE" inside that file. In one instance I noticed around three hidden files with this name ".dcopserver_localhost_0" and all of a sudden they disappeared in front of my eyes. Can anyone help me understand what's going on?

 

Javi


Calm Down, you're not being hacked...

 

Those files are a normal part of Mandrake (probably all versions of Linux). I believe the dcop ones are KDE related, but they might not be.


The .ICEauthority has to do with letting users access unix socket services, I believe (like xfs or logging). And yes, the .dcop files are from KDE. You're not being hacked, so chill out.


MIT-MAGIC-COOKIE

 

The MIT-MAGIC-COOKIE protocol allows Xdm to create a hard-to-guess token that is only readable by the user account which successfully logged in via Xdm. It uses the Unix file system access control to protect the token. The user can copy this token to the user's home directories on other systems to allow clients on those hosts to connect to the X server. [sch91]

 

When using MIT-MAGIC-COOKIE-1, the client sends a 128 bit "cookie" along with the connection setup information. If the cookie presented by the client matches one that the X server has, the connection is allowed access. The cookie is chosen so that it is hard to guess; xdm generates such cookies automatically when this form of access control is used. The user's copy of the cookie is usually stored in the .Xauthority file in the home directory, although the environment variable XAUTHORITY can be used to specify an alternate location. Xdm automatically passes a cookie to the server for each new login session, and stores the cookie in the user file at login.

 

The cookie is transmitted on the network without encryption, so there is nothing to prevent a "network snooper" from obtaining the data and using it to gain access to the X server. This system is useful in an environment where many users are running applications on the same machine and want to avoid interference from each other, with the caveat that this control is only as good as the access control to the physical network. In environments where network-level snooping is difficult, this system can work reasonably well.

 

I found that information doing some googling, and that's why I'm a little concerned.

 

Javi

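The quoted text describes the .Xauthority layout only in words (family, display, auth name, 128-bit cookie) and the two things its security rests on: file permissions and whether the cookie ever leaves the machine. The script below is an added example, not part of the original thread or of xdm/xauth: it parses the .Xauthority binary format (each entry is a big-endian u16 family followed by four u16-length-prefixed fields: address, display number, auth name, auth data) and audits the entries and the file mode. The host name "home-desktop" comes from the thread; the 10.0.0.5 entry and the cookie bytes are constructed sample data, and the audit rules (0600 mode, 16-byte cookie, non-local families flagged) are this example's own choices.

```python
import struct
from typing import Dict, List

# X authority address families (values from the Xauth protocol).
FAMILY_INTERNET = 0
FAMILY_INTERNET6 = 6
FAMILY_LOCAL = 256
FAMILY_WILD = 65535
FAMILY_NAMES = {
    FAMILY_INTERNET: "FamilyInternet",
    FAMILY_INTERNET6: "FamilyInternet6",
    FAMILY_LOCAL: "FamilyLocal",
    FAMILY_WILD: "FamilyWild",
}


def _counted(buf: bytes, pos: int):
    """Read one big-endian u16 length-prefixed field; returns (bytes, new_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length at offset %d" % pos)
    (n,) = struct.unpack(">H", buf[pos:pos + 2])
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated field body at offset %d" % pos)
    return buf[pos:pos + n], pos + n


def build_entry(family: int, address: bytes, number: bytes, name: bytes, data: bytes) -> bytes:
    """Serialize one entry in .Xauthority layout (used here to construct sample input)."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out


def _address_str(family: int, address: bytes) -> str:
    # FamilyInternet stores a raw 4-byte IPv4 address; FamilyLocal stores the host name.
    if family == FAMILY_INTERNET and len(address) == 4:
        return ".".join(str(b) for b in address)
    return address.decode("ascii", "replace")


def parse_xauthority(buf: bytes) -> List[Dict]:
    """Parse a whole .Xauthority file into entry dicts; raises ValueError if truncated."""
    entries = []
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated family at offset %d" % pos)
        (family,) = struct.unpack(">H", buf[pos:pos + 2])
        pos += 2
        address, pos = _counted(buf, pos)
        number, pos = _counted(buf, pos)
        name, pos = _counted(buf, pos)
        data, pos = _counted(buf, pos)
        entries.append({
            "family": family,
            "family_name": FAMILY_NAMES.get(family, "Family%d" % family),
            "display": "%s:%s" % (_address_str(family, address), number.decode("ascii", "replace")),
            "name": name.decode("ascii", "replace"),
            "cookie_hex": data.hex(),
        })
    return entries


def audit_entries(entries: List[Dict]) -> List[str]:
    """Flag short cookies and entries whose cookie would travel over the network."""
    findings = []
    for e in entries:
        if e["name"] == "MIT-MAGIC-COOKIE-1" and len(e["cookie_hex"]) != 32:
            findings.append("%s: cookie is %d bits, expected 128" % (e["display"], len(e["cookie_hex"]) * 4))
        if e["family"] != FAMILY_LOCAL:
            findings.append("%s: %s entry, cookie is sent to that display in clear" % (e["display"], e["family_name"]))
    return findings


def audit_mode(mode: int, path: str = "~/.Xauthority") -> List[str]:
    """The cookie is only as secret as the file: any group/other bit is a finding."""
    if mode & 0o077:
        return ["%s: mode %o grants access to group/other, expected 0600" % (path, mode & 0o777)]
    return []


def audit_file(path: str) -> List[str]:
    """Run both audits against a real file (not exercised by the sample below)."""
    import os
    st = os.stat(path)
    with open(path, "rb") as f:
        entries = parse_xauthority(f.read())
    return audit_mode(st.st_mode & 0o777, path) + audit_entries(entries)


# Constructed sample: a local entry for the host named in the thread and a TCP
# entry for the made-up address 10.0.0.5; the 16 cookie bytes are arbitrary.
SAMPLE = (
    build_entry(FAMILY_LOCAL, b"home-desktop", b"0", b"MIT-MAGIC-COOKIE-1", bytes(range(16)))
    + build_entry(FAMILY_INTERNET, bytes([10, 0, 0, 5]), b"0", b"MIT-MAGIC-COOKIE-1", bytes(range(16)))
)

if __name__ == "__main__":
    for e in parse_xauthority(SAMPLE):
        print(e["family_name"], e["display"], e["name"], e["cookie_hex"])
    for finding in audit_entries(parse_xauthority(SAMPLE)) + audit_mode(0o644):
        print("WARNING:", finding)
```

On a single-user desktop like the one in the thread, a healthy file has only FamilyLocal entries and mode 0600; `audit_file(os.path.expanduser("~/.Xauthority"))` runs the same checks on the real file.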

I'm trying to install chkrootkit on my system but I'm getting this error; any ideas welcome:

 

[root@localhost chkrootkit-0.43]# make sense
gcc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c
gcc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c
gcc -DHAVE_LASTLOG_H -o ifpromisc ifpromisc.c
gcc -o chkproc chkproc.c
gcc -o chkdirs chkdirs.c
gcc -o check_wtmpx check_wtmpx.c
gcc -static -o strings-static strings.c
/usr/bin/ld: cannot find -lc
collect2: ld returned 1 exit status
make: *** [strings-static] Error 1
[root@localhost chkrootkit-0.43]#

 

Javi

[root@localhost root]# urpmi --test chkrootkit
ftp://ftp.proxad.net/pub/Distributions_Linux/Mandrakelinux/devel/cooker/contrib/i586/chkrootkit-0.43-1mdk.i586.rpm
installing /var/cache/urpmi/rpms/chkrootkit-0.43-1mdk.i586.rpm
Preparing...                ##################################################
Installation is possible
[root@localhost root]#


here's a list of servers from which you can download chkrootkit for Mandrake Linux 10 (no need to try to grab it from cooker, which -could- be unstable).

 

or you can just add a contribs source via easy urpmi, then use Mandrake Control Center -> Software -> Install Software and search for it in the list.

 

also, .ICEauthority and .dcops*server files are normal, and do come and go. if you use KDE, dcops is part of KDE and creates temporary files. I would worry more about watching network activity to see if any strange ports are open (run netstat at a command line) or being used.

 

the slowness of your computer may be caused by something else. whenever the system gets loaded down like that, run "top" in a terminal and see what process is using the most resources.

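The advice above is to run netstat and look for strange listening ports. The kernel table netstat reads for TCP is /proc/net/tcp, and its format is fixed (little-endian hex IPv4 address, hex port, hex state with 0A meaning LISTEN), so a small parser can turn it into a baseline check. The script below is an added example and not from the thread or from netstat: it decodes that table, keeps only listening sockets, and flags anything outside an allow-list, distinguishing loopback-only listeners from ones reachable from the network. The table lines, the baseline port 22 and the uid 500 service on port 3000 are all constructed sample data.

```python
from typing import Dict, List, Set

# Value of the "st" column in /proc/net/tcp for a listening socket.
TCP_LISTEN = 0x0A


def _decode_endpoint(field: str):
    """'0100007F:0277' -> ('127.0.0.1', 631); the kernel prints the IPv4
    address as one little-endian 32-bit hex word, so the bytes are reversed."""
    hex_ip, hex_port = field.split(":")
    ip = ".".join(str(b) for b in bytes.fromhex(hex_ip)[::-1])
    return ip, int(hex_port, 16)


def listening_sockets(lines: List[str]) -> List[Dict]:
    """Return the LISTEN entries of a /proc/net/tcp dump as dicts."""
    sockets = []
    for line in lines:
        fields = line.split()
        # Columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode ...
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue  # header line or something we do not understand
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        ip, port = _decode_endpoint(fields[1])
        sockets.append({"ip": ip, "port": port, "uid": int(fields[7]), "inode": int(fields[9])})
    return sockets


def flag_unexpected(sockets: List[Dict], expected_ports: Set[int]) -> List[str]:
    """One line per listener that is not in the baseline; loopback-only ones are
    called out separately because they cannot be reached from the network."""
    findings = []
    for s in sockets:
        if s["port"] in expected_ports:
            continue
        scope = "loopback only" if s["ip"].startswith("127.") else "reachable from the network"
        findings.append("port %d on %s (uid %d, inode %d): not in baseline, %s"
                        % (s["port"], s["ip"], s["uid"], s["inode"], scope))
    return findings


def read_live() -> List[str]:
    """Read the real table on a Linux host (not used by the sample run below)."""
    with open("/proc/net/tcp") as f:
        return f.read().splitlines()


# Constructed sample: sshd on all interfaces, a loopback-only service on 631,
# a uid 500 process listening on 3000, and one established (non-LISTEN) connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 00000000 100 0 0 10 0
   2: 00000000:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 1236 1 00000000 100 0 0 10 0
   3: 0500000A:8AE2 0A00000A:0050 01 00000000:00000000 00:00000000 00000000   500        0 1237 1 00000000 100 0 0 10 0
""".splitlines()

if __name__ == "__main__":
    found = listening_sockets(SAMPLE_PROC_NET_TCP)
    for s in found:
        print("LISTEN %s:%d uid=%d" % (s["ip"], s["port"], s["uid"]))
    for finding in flag_unexpected(found, expected_ports={22}):
        print("WARNING:", finding)
```

The inode column is what ties a socket to a process: matching it against the targets of `/proc/<pid>/fd/*` symlinks is how `netstat -p` names the owner, which is the next thing to check for any flagged port. Run `flag_unexpected(listening_sockets(read_live()), {22})` on a live host, with the allow-list replaced by the ports that machine is supposed to serve.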

As others have said, the .Xauthority is needed so YOU can connect to your own X server... well, actually the one owned by the xdm (or gdm or mdkdm) process where you use the GUI login....

 

It's good to be concerned about security, but you're not transmitting it anywhere except localhost... the comment you read is more relevant to multiple users on a single workstation using dumb xterms.

 

Now you've started, it's always good to have security, so follow the chkrootkit instructions...


Hi guys. I did notice something. This is the way the first line in the terminal used to look when I open a terminal:

[jmr0311@home-desktop jmr0311]$

 

Now, after I've seen all this inexplicable behavior in my system, I notice the line in the terminal has changed to this:

[jmr0311@localhost jmr0311]$

 

I haven't made any change to my system. How did that get changed without the intervention of somebody? I still think that something is going on in my system.

 

Javi

Edited by jmr0311


It's just using the localhost alias instead of the hostname, which prob means you have changed your internet connection, or one is with, one without.

 

If you truly wanna check then I'd try a live CD like Knoppix, boot it and install the chkrootkit for Debian (if it's not in Knoppix).

 

There is probably a security version you could use with chkrootkit already installed on a live CD...

It's just using the localhost alias instead of the hostname, which prob means you have changed your internet connection, or one is with, one without.

That's the point, I haven't done anything to my system that could suggest why it changed.

 

Hi anon, what do you mean by that? I've been running my Mandrake system for about three months the way it was, [jmr0311@home-desktop jmr0311]$, without any problem. Why did it now decide to change on its own, or perhaps maybe someone did it?

Guest anon

You have posted here using two IPs. Both of them on a basic scan tell me your site is down. This tells me that either your site is really down or you're blocking ping requests. Further checks say that both the IPs you used here are indeed up and running, but the ports are either filtered or closed. You seem to be running a fairly tight ship there so I think it's unlikely you have been hacked.

Unless of course, the box you're worried about is not the one you're posting from. :juggle:


How come I have posted using two different IPs? I only have one system at my home. Okay, I think that is because I use a computer at my workplace to post sometimes. But can you explain how my system got changed from

[jmr0311@home-desktop jmr0311]$ to this [jmr0311@localhost jmr0311]$

Do you think there is a possibility that an application running on my system did it?

Thanks for taking the time and helping me understand all this.

 

javi


have you looked in all the logs?

 

start watching /var/log/messages in real time. In a terminal, su to root and do:

tail -f /var/log/messages
