<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
<br><div><div>On Jan 8, 2009, at 8:40 PM, Michael B. Trausch wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">On Thu, 8 Jan 2009 20:14:07 -0500</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Mark Wright <<a href="mailto:mark_wright@bellsouth.net">mark_wright@bellsouth.net</a>> wrote:</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><br></div> <blockquote type="cite"><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Has someone hacked my box and changed the password?<span class="Apple-converted-space"> </span>Specifically, <span class="Apple-converted-space"> </span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">before I reset the password and go on as if nothing happened, how</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">can I tell?</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Thanks for your thoughts.</div> </blockquote><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">If you left VNC open, I'd check your command history.<span class="Apple-converted-space"> </span>Check also your</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">system logs, and check your files for modification times which seem</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">wrong.<span class="Apple-converted-space"> </span>Check the process list for 
anything that looks unfamiliar to</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">you that would have been started since you last used your password.</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Check your netstat list to see what network ports are in use and see if</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">there is anything in that list which you cannot account for.<span class="Apple-converted-space"> </span>Check</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">these things on other machines on your home network which are reachable</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">from your system, as well.</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Do keep in mind that one of two things would have been required to</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">change your password:<span class="Apple-converted-space"> </span>(1) root access to the box, or (2) your current</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">password (note that I am assuming a reasonably sane PAM configuration</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">that doesn't permit you to change your password without first</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">supplying your current one). 
If someone got #2, and you have sudo</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">privileges, then they probably got #1 also, and someone who is</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">sufficiently learned on UNIX-like systems will be able to cover their</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">tracks pretty well if they get root access to your box. The only truly</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">safe option is to audit your ${HOME} and reinstall the system if you</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">suspect that you have been compromised in some way---well, that is,</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">it's the only truly safe option if you don't have signatures of your</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">files tucked away somewhere so that you can verify all of their</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">contents.<span class="Apple-converted-space"> </span>I don't know about your system, but on my system there are</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">over half a million files between my ${HOME} and /usr---there is simply</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">no way that I could verify them manually.</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Essentially, if you can't be sure one way or another, reinstall the</div><div style="margin-top: 0px; margin-right: 0px; 
margin-bottom: 0px; margin-left: 0px; ">system and start with a clean ${HOME}---or at least, keep your data,</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">and throw away any software in ${HOME} that you are unable to audit and</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">rebuild it.</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><span class="Apple-tab-span" style="white-space:pre">        </span>--- Mike</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><br></div></blockquote><br></div><div>Thanks Mike,</div><div><br></div><div>I had looked in /var/log/auth.log and found an entry at 7:30 this morning that I don't understand. I am still worried by what I see in this log even though I just solved the password problem.</div><div><br></div><div>As I stated in the original post I was using VNC from an iPod to get into the box. Well obviously it has whacked my keyboard. No matter what I do I can't get a number out of it. My password has lots of numbers. No matter what I try I get ()&^%$. So I patiently cut and pasted numbers from a text document to write out my password and then pasted that into the password field for the package manager. It worked fine, proving my password has not been changed. I've just lost the ability to type numbers.</div><div><br></div><div>A quick restart fixed the keyboard. My remaining question is does the entry in /var/log/auth.log indicate trouble? It shows some authorization action involving my userid at 7:30 this morning while I was on the road to Norcross. 
I don't know if this is normal.</div><div><br></div><div>See the log below.</div><div><br></div><div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><font face="Times New Roman" size="3" style="font: 12.0px Times New Roman">Jan 7 07:35:02 Gateway-Ubuntu sudo: root : TTY=unknown ; PWD=/ ; USER=mark ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/use_http_proxy </font></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><font face="Times New Roman" size="3" style="font: 12.0px Times New Roman">Jan 7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session opened for user mark by (uid=0) </font></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><font face="Times New Roman" size="3" style="font: 12.0px Times New Roman">Jan 7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session closed for user mark </font></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><font face="Times New Roman" size="3" style="font: 12.0px Times New Roman">Jan 7 07:35:02 Gateway-Ubuntu sudo: root : TTY=unknown ; PWD=/ ; USER=mark ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/host </font></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><font face="Times New Roman" size="3" style="font: 12.0px Times New Roman">Jan 7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session opened for user mark by (uid=0) </font></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><font face="Times New Roman" size="3" style="font: 12.0px Times New Roman">Jan 7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session closed for user mark </font></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><font face="Times New Roman" size="3" style="font: 12.0px Times New Roman">Jan 7 07:35:02 
Gateway-Ubuntu sudo: root : TTY=unknown ; PWD=/ ; USER=mark ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/port </font></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><font face="Times New Roman" size="3" style="font: 12.0px Times New Roman">Jan 7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session opened for user mark by (uid=0) </font></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><font face="Times New Roman" size="3" style="font: 12.0px Times New Roman">Jan 7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session closed for user mark </font></div><div><font class="Apple-style-span" face="'Times New Roman'"><br></font></div></div></body></html>
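Added example, not code from the thread or from either poster: a small Python triage script for the kind of sudo entries Mark pasted from /var/log/auth.log. It assumes the syslog-style sudo format shown in the log (a "who ran what" line with TTY, PWD, USER and COMMAND fields, plus the pam_unix session open/close lines), takes the three gconftool lines from the thread as input alongside two constructed sample lines, and separates interactive sudo use from root-initiated runs with no terminal (TTY=unknown). Entries in the second group are reported as needing an explanation, not as evidence of compromise; a daily cron job and an intruder's script both look the same in this one field, so the point of the grouping is to give the reader a short list of distinct commands to account for.

```python
"""Triage sudo lines from a syslog-style auth.log (added example, not from the thread)."""
import re
from collections import defaultdict

# sudo's "who ran what" line, e.g.
#   Jan  7 07:35:02 host sudo:     mark : TTY=pts/0 ; PWD=/home/mark ; USER=root ; COMMAND=/usr/bin/apt-get update
CMD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<invoker>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*?)\s*$"
)
# pam_unix session bookkeeping lines; they carry no command and are only recognised so they
# are not reported as unparsed noise
SESSION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo: pam_unix\(sudo:session\): "
    r"session (?P<state>opened|closed) for user (?P<target>\S+)"
)

# Lines 1-9 are the entries quoted in the thread; lines 10-11 are constructed sample data
# showing what an interactive sudo from a terminal looks like for contrast.
SAMPLE_LINES = [
    "Jan 7 07:35:02 Gateway-Ubuntu sudo: root : TTY=unknown ; PWD=/ ; USER=mark ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/use_http_proxy",
    "Jan 7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session opened for user mark by (uid=0)",
    "Jan 7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session closed for user mark",
    "Jan 7 07:35:02 Gateway-Ubuntu sudo: root : TTY=unknown ; PWD=/ ; USER=mark ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/host",
    "Jan 7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session opened for user mark by (uid=0)",
    "Jan 7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session closed for user mark",
    "Jan 7 07:35:02 Gateway-Ubuntu sudo: root : TTY=unknown ; PWD=/ ; USER=mark ; COMMAND=/usr/bin/gconftool --get /system/http_proxy/port",
    "Jan 7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session opened for user mark by (uid=0)",
    "Jan 7 07:35:02 Gateway-Ubuntu sudo: pam_unix(sudo:session): session closed for user mark",
    "Jan 8 20:05:11 Gateway-Ubuntu sudo:     mark : TTY=pts/0 ; PWD=/home/mark ; USER=root ; COMMAND=/usr/bin/apt-get update",  # constructed
    "Jan 8 20:05:11 Gateway-Ubuntu sudo: pam_unix(sudo:session): session opened for user root by mark(uid=0)",  # constructed
]


def parse_sudo_line(line):
    """Return a dict with kind='command' for a sudo COMMAND line, kind='session' for a
    pam_unix session line, or None for any other syslog line."""
    m = CMD_RE.match(line)
    if m:
        entry = m.groupdict()
        entry["kind"] = "command"
        return entry
    m = SESSION_RE.match(line)
    if m:
        entry = m.groupdict()
        entry["kind"] = "session"
        return entry
    return None


def classify(entry):
    """Label a command entry by how it was invoked.

    noninteractive-root: root ran sudo with no terminal to become another user. Cron jobs
        and system daemons dropping privileges look like this, but so would an automated
        process started by an intruder, so each distinct COMMAND needs an explanation.
    noninteractive-user: a non-root user with no terminal (scripts, remote commands).
    interactive: a user at a tty/pts, i.e. someone typing.
    """
    if entry is None or entry["kind"] != "command":
        return None
    no_tty = entry["tty"] == "unknown"
    if entry["invoker"] == "root" and no_tty:
        return "noninteractive-root"
    if no_tty:
        return "noninteractive-user"
    return "interactive"


def summarize(lines):
    """Group command entries by (class, invoker, target user, command) and collect the
    timestamps seen for each group, so a burst of identical commands in one second is
    visible as one group with several timestamps rather than a wall of lines."""
    groups = defaultdict(list)
    for line in lines:
        entry = parse_sudo_line(line)
        if entry is None or entry["kind"] != "command":
            continue
        key = (classify(entry), entry["invoker"], entry["target"], entry["cmd"])
        groups[key].append(entry["ts"])
    return dict(groups)


def needs_review(summary):
    """Return the groups a reader should account for: everything that was not typed
    at a terminal."""
    return sorted(key for key in summary if key[0] != "interactive")


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for cls, invoker, target, cmd in needs_review(summary):
        stamps = summary[(cls, invoker, target, cmd)]
        print(f"[{cls}] {invoker} -> {target}: {cmd}  ({len(stamps)} run(s), first {stamps[0]})")
```

Run as a script it lists the three gconftool commands as root-initiated, terminal-less runs at 07:35:02 and says nothing about the constructed apt-get line, which is interactive. To use it on a real file, replace SAMPLE_LINES with the lines of /var/log/auth.log; the TTY field alone cannot tell a scheduled job from an intruder's script, so the output is a checklist to explain, and the other checks Mike lists (process list, netstat, file modification times) are still needed.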