
Have I been hacked


cardassianscot

I run a small network for a College. We have two networks with Linux and Windows machines on both, connected through an internet gateway running Linux. Anyway my file server ran out of space on its main partition causing various problems. I traced the error to some very large log files (2 GB) in my /var/log/samba directory. I deleted the files and everything works fine. However, I am now wondering if one of the files was due to someone outside my firewall protected network trying to access my Samba shares. Reason: one of the large files was for a machine called cc. Which is fine, I have a machine called cc on my network. However, I was trying to see what machines were working and I tried to ping this machine. However, cc is a Windows machine so I shouldn't be able to ping it (I had forgotten this since I also use Windows machines where it is possible to ping other machines on your local network by name if they have file sharing enabled). However it returned an IP address outside my network. I get the same IP address from all the Linux machines on my network but I get no IP address corresponding to cc when I try to ping it from my home computer (different ISP). I am logging in remotely from home so I cannot verify what I get from a Windows machine on my network. I was able to trace the IP address to Seattle.

 

So my question, have I been hacked by this IP address or is there another less sinister explanation?

 

Thanks for any help received.


Well the fact that you can ping a windows machine in your network just means one of two things.

1) there is an entry for that machine in /var/hosts <<OR>>

2) you have a dns server that told your linux box the ip of the windows box 'cc'. Your proxy might be running a dns server.

 

Now as for the log files... that is a good question. Could you post that part of the log file please? Make it 10 lines above to 10 lines below the point where you see cc trying to access your samba shares. If it's too big, james@tuksfm.co.za is my mail address.

 

Also, you should be running some kind of firewall. Check the logs for that.

 

But yeah, let me know what you find.


Sorry, I deleted the log files, maybe I should have kept a hold of them but when they totaled 6GB I didn't really think I had the space.

 

As for the 'cc' machine, I don't have any local dns servers running, but the weird thing is that it is not the ip address of the local machine but rather an external one.

 

Anyway thanks for the tips.
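
The two explanations raised in the thread (a hosts-file entry or an answer from a name server) can be told apart with a short check. This is an added example, not part of the original posts: it reports where a short name such as cc resolves from and whether the address lies outside the LAN. The subnet list, function names and sample data are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Assumption: the private ranges the LAN uses; replace with your own subnets.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hosts(text):
    """Map each name in hosts-file text to its address (first entry wins)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def is_local(ip, nets=LOCAL_NETS):
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in nets)

def lookup(name, resolve):
    try:
        return resolve(name)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None

def triage(name, hosts_text, resolve=socket.gethostbyname, nets=LOCAL_NETS):
    """Report where a short name resolves and whether the answer is on the LAN."""
    ip = lookup(name, resolve)
    if ip is None:
        return {"ip": None, "source": "unresolved", "local": None, "rooted_match": False}
    in_hosts = parse_hosts(hosts_text).get(name.lower()) == ip
    # A trailing dot makes the name absolute, so the resolver's search list is
    # skipped. The same answer means the bare label itself exists in DNS.
    rooted_match = not in_hosts and lookup(name + ".", resolve) == ip
    return {"ip": ip, "source": "hosts file" if in_hosts else "dns or other name service",
            "local": is_local(ip, nets), "rooted_match": rooted_match}

# Constructed sample data so the example runs offline (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.168.1.20 fileserver fs\n"
SAMPLE_ANSWERS = {"cc": "203.0.113.7", "cc.": "203.0.113.7", "fileserver": "192.168.1.20"}

def sample_resolve(name):
    if name not in SAMPLE_ANSWERS:
        raise OSError("name not found")
    return SAMPLE_ANSWERS[name]

if __name__ == "__main__":
    print(triage("cc", SAMPLE_HOSTS, sample_resolve))
```

For a live check on a Linux host, pass the contents of /etc/hosts as `hosts_text` and leave `resolve` at its default.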
