This is a discussion on Is my server hacked? within the Linux Security forums, part of the System Security and Security Related category.
Folks-
I found something strange with my history on my Linux server; following is the output from my "history" command. Just being curious, I executed the command line 2, which changed my shell prompt to weird looking (unreadable) characters.

I have 3 questions:
1. Did my server get hacked? Did someone access my account to execute these commands?
2. How can I change the shell prompt to readable characters? The SET PROMPT command does not seem to be working.
3. What do I need to do now, i.e., next steps?

I am using RedHat Linux.

Thanks.
"Tom" <junkemail12@yahoo.com> writes:
>Folks-
>I found something strange with my history on my Linux server; following
>is the output from my "history" command. Just being curious, I
>executed the command line 2, which changed my shell prompt to weird
>looking (unreadable) characters.

>I have 3 questions:
>1. Did my server get hacked? Did someone access my account to execute
>these commands?

No idea but I would suspect that something has overwritten your .history file.

>2. How can I change the shell prompt to readable characters? The SET
>PROMPT command does not seem to be working.

Close the window and reopen it is the easiest. Or stty -sane might work. What happened was an output character switched your output terminal on you.

>3. What do I need to do now, i.e., next steps?
>I am using RedHat Linux.
unruh@string.physics.ubc.ca (Bill Unruh) wrote in news:cvvcpe$9rb$1@nntp.itservices.ubc.ca:

>>I have 3 questions:
>>1. Did my server get hacked? Did someone access my account to execute
>>these commands?
>
> No idea but I would suspect that something has overwritten your .history
> file.
>

From what I can see it looks like a graphic file.
I would do some file structure cleanup I think

Gandalf Parker
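Added example (not part of the original thread): one way to check the observation above that the history looks like a graphic file. It tests history-file bytes for well-known file signatures and control-character density; the function name, the 2% threshold and the sample bytes are assumptions constructed for illustration.

```python
import sys

# Leading magic bytes of common image/document formats (well-known file signatures).
SIGNATURES = [
    (b"\xff\xd8\xff", "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"%PDF-", "PDF document"),
]
# Plain-text metadata strings that image editors embed; reported as supporting evidence only.
EMBEDDED = [(b"<x:xmpmeta", "XMP metadata packet"), (b"JFIF", "JFIF header")]
TEXT_CONTROLS = {0x09, 0x0A, 0x0D}  # tab, LF and CR are normal in a history file

def classify_history(data: bytes) -> dict:
    """Decide whether history-file bytes look like typed commands or a binary file."""
    magic = next((name for sig, name in SIGNATURES if data.startswith(sig)), None)
    markers = [name for needle, name in EMBEDDED if needle in data]
    control = sum(1 for b in data if (b < 0x20 and b not in TEXT_CONTROLS) or b == 0x7F)
    ratio = control / len(data) if data else 0.0
    # Assumed threshold: typed commands contain essentially no control bytes.
    binary = magic is not None or ratio > 0.02
    return {"magic": magic, "markers": markers, "control_ratio": round(ratio, 3),
            "verdict": "binary data" if binary else "text commands"}

# Constructed samples: a JPEG-like header with an XMP tag, and an ordinary history.
SAMPLE_OVERWRITTEN = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x02\x00\x00\x01\x00\x01"
                      b"\x00\x00\x01\x02\x03\x04\n<x:xmpmeta>\n")
SAMPLE_NORMAL = b"ls -la\ncd /var/log\ntail -n 50 messages\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:            # e.g. python3 check_history.py ~/.bash_history
        with open(sys.argv[1], "rb") as fh:
            print(classify_history(fh.read()))
    else:
        print(classify_history(SAMPLE_OVERWRITTEN))
        print(classify_history(SAMPLE_NORMAL))
```

A "binary data" verdict with an image signature points to a file having been written over the history file, rather than to commands typed by someone else.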
In article <1109561156.143293.309210@g14g2000cwa.googlegroups.com>, Tom wrote:

>I found something strange with my history on my Linux server; following
>is the output from my "history" command. Just being curious, I
>executed the command line 2, which changed my shell prompt to weird
>looking (unreadable) characters.

Not surprising - most shells really expect something a little more like text commands. The 'reset' command (usually, a link to 'tset') may put the terminal back into a sane mode.

>I have 3 questions:
>1. Did my server get hacked? Did someone access my account to execute
>these commands?

Actually, it looks like someone redirected a .pdf file to the terminal, or you typed a command that tried to run a .pdf file, and the shell gamely tried to execute the file contents as commands.

>2. How can I change the shell prompt to readable characters? The SET
>PROMPT command does not seem to be working.

If 'reset' or 'tset' doesn't do the job, I usually just kill the nxterm, and open a new one.

>3. What do I need to do now, i.e., next steps?
>
>I am using RedHat Linux.

Is it up to date? Is it exposed to malicious users (not limited to the Internet)? Normally in a situation where I'm mildly concerned that the system may be compromised, I'll use the package manager to verify the integrity of the system (as root, 'rpm -Va > files.2.check' and see the rpm man page for an explanation of the output), though a decent skript kiddie could defeat that check.

Old guy
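Added example (not from the original post): a triage of the 'rpm -Va > files.2.check' output mentioned above, ranking changed files so that altered programs stand out from locally edited config files. The flag letters follow the rpm man page; the priority rules, the directory list and the sample report lines are assumptions constructed here.

```python
import re

# Positions of rpm's verify string, per the rpm man page ('.' means the test passed).
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
         "U": "owner", "G": "group", "T": "mtime", "P": "capabilities"}
# 8 flag characters on older rpm releases, 9 on current ones; optional attribute marker.
CHANGED = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")
MISSING = re.compile(r"^missing\s+(?:([cdglr])\s+)?(/.*)$")
# Assumption: directories whose contents get executed, so unexpected changes matter most.
EXEC_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/lib64/", "/usr/lib/")
SERIOUS = {"digest", "mode", "owner", "group", "capabilities", "missing"}

def triage(report: str) -> list:
    """Return (priority, path, changed attributes) for each line of `rpm -Va` output."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        if (m := CHANGED.match(line)):
            changed = [FLAGS[c] for c in m.group(1) if c in FLAGS]
            attr, path = m.group(2), m.group(3)
        elif (m := MISSING.match(line)):
            changed, attr, path = ["missing"], m.group(1), m.group(2)
        else:
            continue  # not a verify line
        if attr == "c":
            priority = "low"     # config files are expected to be edited locally
        elif path.startswith(EXEC_DIRS) and SERIOUS & set(changed):
            priority = "high"    # program or library differs from what the package shipped
        elif changed == ["mtime"]:
            priority = "low"
        else:
            priority = "medium"
        findings.append((priority, path, changed))
    return sorted(findings, key=lambda f: ("high", "medium", "low").index(f[0]))

# Constructed sample of `rpm -Va` output, not taken from a real system.
SAMPLE_REPORT = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/bash/README
S.5....T.    /bin/ls
.M...U...    /usr/bin/passwd
missing      /usr/sbin/lsof
..5....T.  d /usr/share/man/man1/ps.1.gz
"""

if __name__ == "__main__":
    for priority, path, changed in triage(SAMPLE_REPORT):
        print(f"{priority:6} {path}  ({', '.join(changed)})")
```

As the post itself cautions, this check can be defeated, so an empty high-priority list does not prove the system is clean.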