On 12.07.2005 at 15:25, Jose Barroca wrote:

> 1) since SMARTMONTOOLS smartctl showed a huge value of
> REALLOCATED_SECTOR_Ct, my disk was about to fail;

Make a backup of everything important.  And do it now.  
Then reinstall your system onto a new disk.  If a hard disk starts
to reallocate sectors it is time to replace it. 

The fact that there are corruptions in the file system indicates
that your drive may already have run out of spare sectors.

> 2) my machine had been compromised and the binaries changed. Well, but
> would a hacked version of TOP show "segmentation fault"? If so, why?
> Upon friendly suggestion I went through the logs, and did find some
> peculiar things. I'm not completely certain the machine has been
> compromised, though:

Even though an intruder can make mistakes, too, this is probably the
result of your failed disk.

> - I have two machines connected to the internet through a cable modem router
> - one of the machines had a sshd running, which I used to access it from
> the outside.

A NAT router does _not_ replace a firewall. 

> - over the course of one week, this machine suffered a series of
> password/user attacks (it looks like someone tried to use some program
> to gain access)

This has already been discussed on this list a few times in the last
weeks.  The essence: Do not allow ssh logins for root, use good
passwords, or better disable password logins and use ssh keys only.
If you can, use iptables to make the ssh port accessible only to your
own IP addresses.  Maybe look at "port knocking", if you're paranoid.

> - the auth.log recorded the following lines on a day the second machine
> (which had the files with owner 32) stayed on uninterruptedly, without my
> supervision (a very poor one, anyway):
> 
> Jul  8 06:25:04 abafado su[24024]: + ??? root:nobody
> Jul  8 06:25:04 abafado su[24024]: (pam_unix) session opened for user
> nobody by (uid=0)
> Jul  8 06:25:04 abafado su[24024]: (pam_unix) session closed for user nobody
> Jul  8 06:25:04 abafado su[24026]: + ??? root:nobody
> Jul  8 06:25:04 abafado su[24026]: (pam_unix) session opened for user
> nobody by (uid=0)
> Jul  8 06:25:04 abafado su[24026]: (pam_unix) session closed for user nobody
> Jul  8 06:25:04 abafado su[24028]: + ??? root:nobody
> Jul  8 06:25:04 abafado su[24028]: (pam_unix) session opened for user
> nobody by (uid=0)
> Jul  8 06:27:18 abafado su[24028]: (pam_unix) session closed for user nobody

These lines are telling you that your local root user has used "su"
to execute a command as "nobody".  Pretty normal. 
 
> I'm still learning the ropes, and sys-forensics is not that easy.. Now,
> would anyone be so kind as to give me some feedback, on whether this is
> a security issue (or a hardware thing), and whether it is worth letting

Hardware thing.


Regards,
Dennis

-- 
Send personal mail to [EMAIL PROTECTED] only.  Off-list 
mails to [EMAIL PROTECTED] will not reach me.
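The ssh advice in the reply (no root logins, no password logins, keys only) can be checked mechanically against an sshd_config. The script below is an added example and not code from the list post; the two config texts in it are constructed, and a real run would read /etc/ssh/sshd_config instead.

```python
"""Audit an sshd_config against the hardening advice given in the reply.

Added example (not from the mailing-list post).  Assumes OpenSSH's
sshd_config syntax: "Keyword value" (or "Keyword=value"), '#' comments,
first occurrence of a keyword wins, and Match blocks are conditional.
"""
import re

# Keyword -> acceptable values, following the reply's advice:
#   "Do not allow ssh logins for root"            -> PermitRootLogin no
#   "disable password logins and use ssh keys only" -> PasswordAuthentication no
REQUIRED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}

# Documented OpenSSH defaults used when a keyword is absent.  PermitRootLogin's
# default has changed across versions, so an absent line is reported instead.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

KEYWORD = re.compile(r"([^\s=]+)\s*=?\s*(.*)")


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the effective (first) occurrence of
    each keyword outside Match blocks; comments and blank lines are ignored."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = KEYWORD.match(line).groups()
        key, value = key.lower(), value.strip()
        if key == "match":
            in_match = True          # everything after a Match line is conditional
            continue
        if in_match:
            continue
        settings.setdefault(key, value)   # sshd uses the first value it sees
    return settings


def audit(text):
    """Return a list of findings; an empty list means the config follows the advice."""
    settings = parse_sshd_config(text)
    findings = []
    for key, good in REQUIRED.items():
        value = settings.get(key, DEFAULTS.get(key))
        wanted = "/".join(sorted(good))
        if value is None:
            findings.append(f"{key}: not set explicitly; set it to {wanted}")
        elif value.lower() not in good:
            findings.append(f"{key}: is '{value}', should be {wanted}")
    return findings


# Constructed config that allows exactly what the reply warns about.
WEAK = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed config that follows the reply's advice.
HARDENED = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers jose        # hypothetical user name
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "OK")
```

Restricting the port to your own addresses with iptables, as the reply also suggests, is a separate host-firewall step that this check does not cover.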
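The reply reads the three quoted auth.log su entries as root switching to "nobody", which is routine. The script below is an added example, not code from the post: it pairs the "+ ??? from:to" line with the pam_unix open/close lines sharing the same su PID, computes each session's length, and marks root dropping to an unprivileged user as expected while anything else is left for review. The sample contains the thread's own lines (with the mail wrapping undone) plus one constructed entry, marked as such.

```python
"""Reconstruct su sessions from auth.log lines of the form quoted in the thread.

Added example (not from the mailing-list post).  Assumes the classic
syslog + pam_unix layout:  "Mon dd HH:MM:SS host su[PID]: message".
"""
import re
from datetime import datetime

SU_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+su\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)

# Lines quoted in the thread (joined where the mail client wrapped them)
# plus one constructed session for a non-root caller.
SAMPLE = [
    "Jul  8 06:25:04 abafado su[24024]: + ??? root:nobody",
    "Jul  8 06:25:04 abafado su[24024]: (pam_unix) session opened for user nobody by (uid=0)",
    "Jul  8 06:25:04 abafado su[24024]: (pam_unix) session closed for user nobody",
    "Jul  8 06:25:04 abafado su[24026]: + ??? root:nobody",
    "Jul  8 06:25:04 abafado su[24026]: (pam_unix) session opened for user nobody by (uid=0)",
    "Jul  8 06:25:04 abafado su[24026]: (pam_unix) session closed for user nobody",
    "Jul  8 06:25:04 abafado su[24028]: + ??? root:nobody",
    "Jul  8 06:25:04 abafado su[24028]: (pam_unix) session opened for user nobody by (uid=0)",
    "Jul  8 06:27:18 abafado su[24028]: (pam_unix) session closed for user nobody",
    # constructed: an ordinary account (hypothetical user "jose") becoming root
    "Jul  8 22:41:10 abafado su[25110]: + pts/1 jose:root",
    "Jul  8 22:41:10 abafado su[25110]: (pam_unix) session opened for user root by jose(uid=1000)",
    "Jul  8 22:43:02 abafado su[25110]: (pam_unix) session closed for user root",
]


def parse_su_sessions(lines, year=2005):
    """Group su log lines by PID and return one dict per session."""
    sessions = {}
    for line in lines:
        m = SU_LINE.match(line.strip())
        if not m:
            continue                       # not an su line; ignore
        pid, msg = m.group("pid"), m.group("msg")
        ts_text = re.sub(r"\s+", " ", m.group("ts"))   # "Jul  8" -> "Jul 8"
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        s = sessions.setdefault(pid, {"pid": pid, "host": m.group("host")})
        if msg.startswith("+ "):
            # "+ ??? root:nobody": '+' = success, '???' = no controlling tty, then from:to
            _, tty, pair = msg.split(" ", 2)
            s["tty"] = tty
            s["from_user"], s["to_user"] = pair.split(":", 1)
        elif "session opened for user" in msg:
            s["opened"] = ts
            uid = re.search(r"uid=(\d+)", msg)
            s["caller_uid"] = int(uid.group(1)) if uid else None
        elif "session closed for user" in msg:
            s["closed"] = ts
    for s in sessions.values():
        if "opened" in s and "closed" in s:
            s["seconds"] = int((s["closed"] - s["opened"]).total_seconds())
    return list(sessions.values())


def classify(session):
    """'expected' for root dropping to a non-root user (the thread's case),
    'review' for everything else, in particular any session that ends as root."""
    if session.get("caller_uid") == 0 and session.get("to_user") != "root":
        return "expected"
    return "review"


def report(lines):
    """Return (pid, from, to, seconds, verdict) tuples, one per session."""
    return [
        (s["pid"], s.get("from_user"), s.get("to_user"), s.get("seconds"), classify(s))
        for s in parse_su_sessions(lines)
    ]


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(*row)
```

The short, repeated root-to-nobody sessions at the same second are what a cron job or a daemon start-up script produces; the review bucket is where an unexpected jump to root from a user account would show up.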

