# help: I MAY be hacked

## persia

Hello

after installing this cool OS a couple of weeks ago, i just experienced my first crash (actually it was a FREEZE).

Nothing responded anymore, not the mouse, not the keyboard, nothing, and all of a sudden too! I was just browsing this forum and bang....

So i rebooted and restarted my speedtouch modem.

Now a couple of friends of mine think of hacking other students as student humor. So i suspect they may be involved in this one and maybe they are joking around. (They have done this often before when i ran NT and XP, and one of the reasons for me to switch to Linux was security.)

How can i verify this? Please be clear on this; unlike my friends i am new to Linux.

Are there logs available? Can i check out what really happened with my computer? Please someone help......

p.s. (i was just reading how to set up iptables in the security section)

Thank you all guys

----------

## bmichaelsen

*Quote:*

> Are there logs available?

Yes. In

```
/var/log/
```

If you are kind of paranoid about your friends you might consider using

```
*  app-admin/chkrootkit

      Latest version available: 0.41-r1

      Latest version installed: [ Not Installed ]

      Size of downloaded files: 29 kB

      Homepage:    http://www.chkrootkit.org/

      Description: a tool to locally check for signs of a rootkit
```

Greetz, Björn

----------
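The "Yes, in /var/log/" answer is terse, so here is an added example (not from the thread) of the first pass a defender would make over those files after an unexplained freeze: pull out the lines that mark someone logging in, failing to, or the box going down and coming back. The log lines are constructed for the demo in classic syslog format and written to a temp file; on a real Gentoo box of that era you would point the functions at /var/log/messages or whatever your syslog-ng/metalog writes.

```shell
#!/bin/sh
# Added example, not from the thread. Sifts a syslog-style file for the
# events that matter after a freeze: logins, failed logins, su, daemon
# restart. The sample log below is constructed; the path is a temp file.

# Write a constructed sample log to the path given as $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Jul 12 22:41:03 gentoo sshd[1201]: Accepted password for persia from 192.0.2.10 port 40120 ssh2
Jul 12 22:42:00 gentoo kernel: eth0: link up
Jul 12 22:43:55 gentoo su[1240]: + pts/1 persia:root
Jul 12 22:44:10 gentoo sshd[1301]: Failed password for root from 192.0.2.10 port 40133 ssh2
Jul 12 22:44:14 gentoo sshd[1301]: Failed password for root from 192.0.2.10 port 40133 ssh2
Jul 12 22:45:01 gentoo cron[900]: (root) CMD (run-parts /etc/cron.hourly)
Jul 12 22:49:58 gentoo kernel: Kernel logging (proc) stopped.
Jul 12 22:55:12 gentoo syslogd 1.4.1: restart.
Jul 12 22:56:40 gentoo login[812]: ROOT LOGIN  on `tty1'
EOF
}

# Lines that mark someone getting in, trying to, or the box going down/up.
session_events() {
    grep -E 'Accepted|Failed password|su\[|login\[|restart|stopped' "$1"
}

# Number of failed ssh authentications (a quick brute-force indicator).
count_failed() {
    grep -c 'Failed password' "$1"
}

# Distinct remote addresses that talked to sshd, successful or not.
remote_hosts() {
    grep -E 'sshd\[[0-9]+\]: (Accepted|Failed)' "$1" \
        | sed -E 's/.* from ([0-9.]+) port.*/\1/' | sort -u
}

# The gap between the last "stopped" line and the syslogd "restart" line
# brackets the freeze; printing both makes the reboot time obvious.
freeze_window() {
    grep -E 'stopped|restart' "$1"
}

# Demo run on the constructed sample.
demo_log=$(mktemp)
make_sample_log "$demo_log"
echo "== session events ==";   session_events "$demo_log"
echo "== failed ssh logins: $(count_failed "$demo_log")"
echo "== remote hosts ==";     remote_hosts "$demo_log"
echo "== freeze window ==";    freeze_window "$demo_log"
rm -f "$demo_log"
```

The point of the filter is that a freeze caused by a kernel or hardware fault leaves only the "stopped"/"restart" pair, while a remote session shows up as an sshd or login line shortly before it; a burst of "Failed password" lines from one address is the thing to look for first.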

## persia

Hi bmichaelsen 

ah yes, i definitely need to use that chkrootkit, going to read the manuals tomorrow.

But i've just checked the logs at /var/log and i must say: Man, i didn't know it was that much! Is there a way to browse through it in a smart way??

----------

## meowsqueak

You could use grc perhaps - app-misc/grc

----------

## TobiWan

*persia wrote:*

> Now a couple of friends of mine think of hacking other students as student humor.

You should consider looking for other "friends"   :Wink: 

If you want to take extreme measures for future use, let your machine reject all packets from your friends' machines using iptables. That way, they can only bang their heads against your door but will never get in  :Very Happy: 

Setting up iptables is essential anyway if you are connecting a machine to the net directly. You should take a look at shorewall since it really makes handling iptables easier.

Also, tripwire is a good idea, given that you set it up at a time when you are certain no security breach has occurred so far. Tripwire will monitor your system for changes and compare anything against a clean database which you should store on a CD or a disk with write protection. If someone tampers with your system he will "trip the wire".

In combination with iptables you should set up some kind of IDS, say snort for example. Snort will log any obvious attempts at scanning or hacking your machine, so you "know" where it came from.

Tobias

----------

## persia

Hi Tobi

thnx a lot, very clear answer. I appreciate it. Today i spoke to my school "friends"  :Very Happy:  and yes, i was hacked. Before it was always on Saturday morning but they've changed policies and decided to do some overwork.....

(ah, at least they don't change anything or do any damage)

At the university where we can print for free:

I am now a proud owner of some hundreds of pages of info on security, iptables, sniffers etc.... I have a load to read i think. 

*Quote:*

> You should consider looking for other "friends"  

he he, they are SCHOOL (university) friends, and no, fortunately they are not reading this because they all run Debian  :Smile: 

Tripwire:

good stuff! i didn't know; i am reading myself into iptables right now, after this i will set up tripwire.

----------

## professorn

IDS = Intrusion Detection System

If they've got a static IP, block it?

----------

## persia

Just found it thnx

btw sorry for the many grammar and spelling faults and edits

----------

## professorn

And btw, consider doing a fsck on /dev/your/friends/brain  :Smile: 

----------

## persia

man fsck : i understand, but then the rest ?

----------

## TobiWan

Hi,

*persia wrote:*

> thnx a lot, very clear answer. I appreciate it.

It's far from complete or detailed. Be sure to work yourself through iptables or at least find some software that does the dirty stuff for you. As I already mentioned, shorewall is nice. Bastille is nice too since it really helps iptables n00bs to set up a working firewall script.

*persia wrote:*

> Today i spoke to my school "friends" and yes, i was hacked.

Did they just tell you and boast, or have they been more specific as to how they did it so that you have a chance to close the hole?

If they really did, I wouldn't take any chances and invest the time in a real reinstallation, setup iptables first thing after the installation and get Tripwire up and running.

With security you can't trust such friends. As a famous communist once said: Trust is good, control is better.

*persia wrote:*

> Before it was always on Saturday morning but they've changed policies and decided to do some overwork.....
> 
> (ah, at least they don't change anything or do any damage)

They may promise you they didn't change anything but can you really trust they didn't install another backdoor? I wouldn't even if those "friends" were goodlooking blondes waiting to get laid by me.

*persia wrote:*

> At the university where we can print for free:
> 
> I am now a proud owner of some hundreds of pages of info on security, iptables, sniffers etc.... I have a load to read i think.

Well then. Happy reading.

*persia wrote:*

> *Quote:* You should consider looking for other "friends"   
> 
> he he, they are SCHOOL (university) friends, and no, fortunately they are not reading this because they all run Debian 

Well, as I already indicated. Real friendship ends where security begins. Especially when they breached your security on purpose.

*persia wrote:*

> Tripwire:
> 
> good stuff! i didn't know; i am reading myself into iptables right now, after this i will set up tripwire.

Tripwire is rather complicated. Be sure to dig yourself into the excellent docs.

A little hint. If you browse the Tripwire webpages (I think not the Open Source but the commercial ones) you will find an offer to receive a huge poster free of charge. In fact, it's two posters  :Cool: 

One is a funny "Servers under Siege" matrix, showing the routine of an IT person setting up a secure project and fighting against failures and so on.

The other one is the Common Security Exploit and Vulnerability Matrix 2.0 which is quite impressive since it shows common security flaws in commonly used software.

Security can be fun when you dive into it. Look at it as a challenge. Can you secure your system the best possible way?

The first step is mistrust. Always assume the worst and plan for the worst.

cheers,

Tobias

----------

## TobiWan

*professorn wrote:*

> IDS = Intrusion Detection System
> 
> If they've got a static IP, block it?

Yes. Simply add a rule to iptables rejecting all packets from those IPs. I know the origin of packets can be forged, but I assume that if his "friends" occupy the same student house, he can investigate their real IPs. Since they seem to know he is not into the whole thing too much, they probably won't anticipate such a harsh move. If he doesn't tell them that he rejects their traffic they have to guess themselves and then go to the trouble of forging someone else's IP.

I don't think they will keep up in the "race of arms" if he manages to install a working iptables configuration and rejects their packets. If he only runs up to date software (which is easy with Gentoo) and doesn't run insecure services, then he should be fine.

If he installs Tripwire after a clean installation (assuming the online installation of Gentoo doesn't get compromised), then he can track their actions even if they got through the outer defenses.

Probably Bastille is the best start since it helps setting up a running firewall and closing other barn doors very fast and easy.

regards,

Tobias

----------

## barlad

By the way, I always wondered how someone could hack into a personal linux box that is not running any service. Sure, you can impersonate, fake, flood or whatever else you want but cracking into the box? 

How the hell do you do that? there is nothing to exploit!

----------

## professorn

*persia wrote:*

> man fsck: i understand, but then the rest?

Uhm, it was a joke  :Very Happy: 

How do you know they hacked you? Sure you didn't just ask if they hacked you, they said "We did", and you didn't get any confirmation?

----------

## persia

a little history

before, i've used SuSE and Red Hat but i didn't like these distros at all. (SuSE is horribly slow; Red Hat: not really free, and the search for dependencies is a drag for a noob.)

My colleagues (the univ. friends i was talking about) convinced me to get Linux; they advised Debian and one of them Slackware. I chose Gentoo instead, because i liked the portage idea.

So i am now here, satisfied and proud of my achievement (Gentoo installed from level 1). But then i ran into trouble.

Today i was complaining that i had troubles with Linux and that it freezes up sometimes. And the guys started laughing.... and started asking if it was late in the night? Then i knew the bastards were acting like clowns again....

But what i don't understand either is this: We have XP & Linux machines but also some older Sparc models, 5 and 10 if i am not mistaken. One of the guys who is really into Linux and is always talking about his Debian told me that he could log me out any time! (while we were programming on the Sparcs) So i asked him to do this. So he logged in from a machine next to me into my machine (i did "who" and i could see him) and bang.. i was logged out??

p.s. they wouldn't tell how they did it.

----------

## persia

arrrgggg 

ok, i think i am being hacked again. Had to log in again while i was writing the last message. I lost control of my keyboard but everything else worked.......

----------

## professorn

You'd better get your iptables up fast, or use the Gentoo live CD if you're forced to, because i think it has iptables; not sure, but a friend of mine told me it has.

----------

## persia

i did emerge iptables, i have compiled my kernel again with netfilter support. Now i have tried iptables -L but i get this:

*Quote:*

> ash-2.05b# iptables -L
> 
> modprobe: Can't locate module ip_tables
> 
> iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
> ...

----------
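Two things from the posts above fit together: the "reject all packets from those IPs" rule TobiWan describes, and the "Can't locate module ip_tables" error, which means the kernel was built without the netfilter options the filter table needs. The added example below (not from the thread, and not Gentoo's or iptables' own code) checks a kernel .config for those options and prints the reject rules as a script to review before running them as root; it never calls iptables itself. The blocked addresses are RFC 5737 documentation addresses standing in for the friends' machines, and the list of config symbols is my assumption about the subset a plain filtering setup needs on a 2.4/2.6 kernel.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-checks the kernel .config for the
# netfilter options behind "modprobe: Can't locate module ip_tables", then
# prints (does not run) an iptables script that rejects and logs traffic
# from specific hosts. Addresses are placeholders (RFC 5737).

BLOCKED_HOSTS="192.0.2.10 192.0.2.11"   # placeholder IPs of the "friends"

# Config symbols needed for: the filter table, connection tracking with the
# state match, and the REJECT and LOG targets (assumed subset, 2.4/2.6 names).
NEEDED_OPTS="CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_FILTER CONFIG_IP_NF_TARGET_REJECT
CONFIG_IP_NF_TARGET_LOG"

# Return 0 if every needed option is =y or =m in the .config given as $1;
# otherwise print the missing symbols and return 1.
check_netfilter_config() {
    missing=""
    for opt in $NEEDED_OPTS; do
        grep -Eq "^${opt}=(y|m)$" "$1" || missing="$missing $opt"
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# Print an iptables script. Order matters: the per-host LOG+REJECT rules sit
# before the ESTABLISHED accept so a session those hosts already have is cut
# too. Default policy is DROP, so nothing new from anyone else is accepted
# either; that is the right default for a box that runs no services.
gen_reject_rules() {
    cat <<'EOF'
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
EOF
    for h in $BLOCKED_HOSTS; do
        echo "iptables -A INPUT -s $h -j LOG --log-prefix \"blocked-host: \""
        echo "iptables -A INPUT -s $h -j REJECT"
    done
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Demo: check the running source tree's .config if there is one, then show
# the script that would be run.
if [ -r /usr/src/linux/.config ]; then
    check_netfilter_config /usr/src/linux/.config \
        || echo "enable the missing options in the kernel config and rebuild"
fi
gen_reject_rules
```

REJECT rather than DROP is deliberate here: the blocked machines get an ICMP answer (the "bang their heads against your door" effect), and the LOG rule in front of it puts each hit in the kernel log so the next freeze can be matched against a timestamp. Source addresses can be forged, as TobiWan notes, so this is a fence, not proof of who is on the other side.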

## persia

Hello Tobi

i checked the website of Bastille but i see no documentation! How is this possible? Is it very convenient to configure or what????

----------

## persia

*Quote:*

> i did emerge iptables, i have compiled my kernel again with netfilter support. Now i have tried iptables -L but i get this:
> 
> Quote:
> 
> ash-2.05b# iptables -L
> ...

I see i forgot more options in the sub-menus.

i am compiling the kernel again with more options enabled.

p.s. tobi: as soon as kernel 2.6 comes out i'll format my whole disc and start from a stage 1 installation again

----------

## 100%hound_dog

Not sure how you could have been hacked network-wise if you had no services running. Now on the other hand, if your Friends(?) had access to your computer they could have done about anything they wanted to. Do you have a BIOS password? Is your computer set to boot from the CD or floppy if one is loaded? If your computer is not BIOS password protected and is set to boot first from CD-ROM, any joker could do anything they wanted to your system if they had access to it.

Tripwire - tripwire is indispensable as far as I am concerned. It is actually quite easy to install, just make sure you are doing it on a new, clean install or there is really no point. With tripwire you will easily be able to see if anyone modifies, replaces, or deletes your files. Just emerge the ebuild, then cd /etc/tripwire and run the install script you see. Next tripwire -m i, this is to create the database. To read the tripwire files that will be created in /var/lib/tripwire/report use twprint -m r -r (whatever file you want to read). That is it. A small price to pay for peace of mind.

Iptables - Compile Netfilter support into your kernel, and get ready to learn whatever method of rule creation you want to use (shorewall, firewall builder, or if you're like me just create your own firewall scripts and add them to the local startup file).

Chkrootkit - this seems like a good idea, just check for log file deletions, trojans, and such. I don't have much experience with it but it seems like a good idea.

Just keep playing and learning, and watch out for those friends of yours.

----------
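The tripwire steps above (initialise a database on a clean install, keep it somewhere read-only, compare later) are the whole idea of a file integrity checker. As an added example that is not from the thread and not tripwire's own code, here is the same baseline-then-compare cycle done with nothing but find, a hash tool and awk, so the mechanism is visible; the real tool adds a policy file, signed databases and per-file attribute checks beyond the hash. The directory it scans in the demo is a temp tree constructed inline; on a real box the baseline file would be written to a CD or a write-protected disk, as TobiWan said, not left next to the files it describes.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal file-integrity baseline and
# comparison in the spirit of "tripwire -m i" followed by a check. Toy code
# for illustration; it hashes file contents only.

# Pick a SHA-256 tool: coreutils sha256sum, or perl's shasum on BSD/macOS.
if command -v sha256sum >/dev/null 2>&1; then
    HASH_CMD="sha256sum"
else
    HASH_CMD="shasum -a 256"
fi

# Hash every regular file under $1, output sorted by path: "hash  ./path".
snapshot() {
    ( cd "$1" && find . -type f -exec $HASH_CMD {} + | LC_ALL=C sort -k 2 )
}

# Equivalent of creating the database: write the snapshot of $1 to file $2.
# Store $2 on read-only media afterwards; a baseline an intruder can rewrite
# proves nothing.
make_baseline() {
    snapshot "$1" > "$2"
}

# Equivalent of the check: compare the tree $1 against baseline $2.
# Prints ADDED / CHANGED / REMOVED lines and returns 1 if anything differs,
# 0 if the tree still matches the baseline exactly.
compare_baseline() {
    _report=$(snapshot "$1" | awk -v base="$2" '
        BEGIN {
            while ((getline line < base) > 0) { split(line, f, / +/); old[f[2]] = f[1] }
            close(base)
        }
        { seen[$2] = 1
          if (!($2 in old))       print "ADDED   " $2
          else if (old[$2] != $1) print "CHANGED " $2 }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' | LC_ALL=C sort)
    [ -z "$_report" ] && return 0
    printf '%s\n' "$_report"
    return 1
}

# Demo on a constructed tree: take a baseline, then simulate a replaced
# binary, a dropped file and a deleted file, and run the check again.
demo_dir=$(mktemp -d); demo_base=$(mktemp)
mkdir "$demo_dir/bin" "$demo_dir/etc"
printf 'original ls\n'   > "$demo_dir/bin/ls"
printf 'root:x:0:0\n'     > "$demo_dir/etc/passwd"
printf 'clean\n'          > "$demo_dir/etc/motd"
make_baseline "$demo_dir" "$demo_base"
echo "== first check (should be silent) =="
compare_baseline "$demo_dir" "$demo_base" && echo "tree matches baseline"
printf 'trojaned ls\n'    > "$demo_dir/bin/ls"
printf 'x\n'              > "$demo_dir/bin/.hidden"
rm -f "$demo_dir/etc/motd"
echo "== second check =="
compare_baseline "$demo_dir" "$demo_base" || echo "tree differs from baseline"
rm -rf "$demo_dir" "$demo_base"
```

The check reports only the path classification, which is what you act on: a CHANGED entry under a system binary directory on a box where nothing was installed is the "tripped wire". Like tripwire, this is only meaningful if the baseline was taken before any compromise and the tool used to compare is itself trusted, which is why hound_dog insists on a clean install first.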

