# Hmm.... Cracked?

## Wicked Wesley

Good day,

I just found my Gentoo Server didn't respond, so I plugged a screen in and I see a kernel panic, very not fun  :Wink:  So I got the server back up and it seems that some SSH things have changed (couldn't login with my DSA keys).

So finally I log in, and I can see no trace, nothing in the logs or something. I just found 2 things:

```
145.53.236.229 - - [23/Dec/2004:18:44:32 +0100] "recipientid=102&sessionid=3148" 200 50 "-" "-"
```

In my Apache2 log

And a file /root/.fishsrv.pl

The file is some script I don't really understand, I have never seen it before, very weird. So did I got cracked?

The only open port was 80

Server version: Apache/2.0.52

Kernel: 2.6.9-gentoo-r6

Thank you for your time,

Wesley

----------

## hds

the file belongs to the fish server  :Wink: 

----------

## Wicked Wesley

What is fish server? Can't remember I installed anything fishy  :Razz:  Gentoo Portage doesn't show anything I installed with fish.

----------

## hds

its a secure ftp protocoll, likewise to sftp. i think it belongs to KDE.

fire up google and look for "fishsrv.pl"

----------

## br0mGreV

If you think there is a possibility that you have been hacked, you check for a trace of any rootkits, using the chkrootkit software : http://www.chkrootkit.org/

have you checked your files access time, and your /tmp for presence of suspect files ?

----------

## Wicked Wesley

oke thanks, I'm gonna check it all out now!

----------

