This is a discussion on Was I hacked? within the Linux Security forums, part of the System Security and Security Related category.

(After posting this in alt.os.linux.mandrake just now, I got a tip on posting it here as well. My system is running Mandriva LE 2005.)

I have ADSL and a small home network running behind a 3com OfficeConnect Cable/DSL Gateway with integrated firewall (enabled!). Running LE 2005, fully updated.

Last night I became aware of gkrellm showing unexpected in- & outgoing network traffic on my desktop computer. After turning off all services I knew of needing network access (ntpd, kshowmail, Mandriva update icon, ...) without the traffic ceasing, I shut down the desktop's network connection in the control centre. I reconnected and saw the same traffic appear instantly. I couldn't remember any command to check which user/daemon/program was using the network, although I believe I have seen something in this group before (can't find it again now).

After considering options, given my very limited knowledge on the topic, I activated Shorewall (on the desktop) and blocked all services except ssh. That seemed to block/stop the unwarranted traffic, but I turned off the box before going to sleep (don't usually).

Oh, and before I turned on Shorewall, I downloaded and ran chkrootkit from contrib. It actually stopped with the message:

Checking 'chkutmp': ... not tested: cant't exec /usr/lib/chkrootkit/chkutmp

And listing that file yields:

ls: /usr/lib/chkrootkit/chkutmp: No such file or directory

After work today I remembered to check the gateway's log, and I found the following messages (sorry about the word wrap):

2005/04/22 09:38:17 ** IP Spoofing ** <IP/TCP> 192.168.1.250:4798 ->> <my.current.isp.address>:135
2005/04/22 09:54:13 ** Unauthorized HTTP Access ** <IP/TCP> 64.8.38.49:47310 ->> <my.current.isp.address>:8000
2005/04/22 09:54:16 ** Unauthorized HTTP Access ** <IP/TCP> 64.8.38.49:47310 ->> <my.current.isp.address>:8000

And then, two days later:

2005/04/24 02:53:29 ** Unauthorized HTTP Access ** <IP/TCP> 62.57.69.98:3754 ->> <my.current.isp.address>:8000
2005/04/24 02:53:32 ** Unauthorized HTTP Access ** <IP/TCP> 62.57.69.98:3754 ->> <my.current.isp.address>:8000

Yesterday - April 26 - showed no such entries - just the normal request & acknowledge on IP address with my ISP.

I did a whois on the IP addresses shown in the log, one is in the US and the other in Spain. I guess I should send an abuse report to both?

When I tried to ssh in from my laptop just now, I got the following:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
<removed_by_giarle>.
Please contact your system administrator.
Add correct host key in /home/giarle/.ssh/known_hosts to get rid of this message.
Offending key in /home/giarle/.ssh/known_hosts:1
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
X11 forwarding is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,password,keyboard-interactive).

Needless to say - paranoia is starting to get the better of me... Any good advice on how to proceed from here is greatly appreciated. Is there any log file that will show me what took place last night?

Thanks,
Giarle
--
Reg. Linux User 276465
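As an added example (not part of the thread), here is a small parser for the gateway log format quoted above: it pulls out timestamp, event, source and destination, tags each source as internal (RFC 1918) or external, and counts repeated events per source and destination port so a repeated probe, or an internal host triggering the "IP Spoofing" rule, stands out. The sample lines are constructed from the post; <my.current.isp.address> is kept exactly as the poster wrote it.

```python
# Added example: parse 3com OfficeConnect-style gateway log lines as quoted
# in the post and summarise them per (event, origin, source, dest port).
import ipaddress
import re
from collections import Counter

# Format seen in the post:
# 2005/04/22 09:38:17 ** IP Spoofing ** <IP/TCP> 192.168.1.250:4798 ->> <host>:135
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \*\* (?P<event>[^*]+?) \*\* "
    r"<(?P<proto>[^>]+)> (?P<src>\S+):(?P<sport>\d+) ->> (?P<dst>\S+):(?P<dport>\d+)$"
)

# Constructed sample, copied from the lines quoted in the post.
SAMPLE_LOG = """\
2005/04/22 09:38:17 ** IP Spoofing ** <IP/TCP> 192.168.1.250:4798 ->> <my.current.isp.address>:135
2005/04/22 09:54:13 ** Unauthorized HTTP Access ** <IP/TCP> 64.8.38.49:47310 ->> <my.current.isp.address>:8000
2005/04/22 09:54:16 ** Unauthorized HTTP Access ** <IP/TCP> 64.8.38.49:47310 ->> <my.current.isp.address>:8000
2005/04/24 02:53:29 ** Unauthorized HTTP Access ** <IP/TCP> 62.57.69.98:3754 ->> <my.current.isp.address>:8000
2005/04/24 02:53:32 ** Unauthorized HTTP Access ** <IP/TCP> 62.57.69.98:3754 ->> <my.current.isp.address>:8000
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    try:
        # An RFC 1918 source on the WAN side is a LAN host, not an outsider.
        rec["src_private"] = ipaddress.ip_address(rec["src"]).is_private
    except ValueError:
        rec["src_private"] = None  # placeholder like <my.current.isp.address>
    return rec


def summarise(text):
    """Count events per (event, origin, source, dest port) over a log blob."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        origin = "internal" if rec["src_private"] else "external"
        counts[(rec["event"], origin, rec["src"], rec["dport"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarise(SAMPLE_LOG).items()):
        print(n, *key)
```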
The command to check which program is doing what on the network is

lsof -i

It gives a lot of info.

I wondered once about the huge amount of incoming traffic on my network card (and now the constantly flashing "WAN" light on my firewall appliance) so used Ethereal to see what was going on. It was all ARP requests being broadcast across the NTL network. Ethereal can be very useful though may be overkill for some things. iftop is useful (though thoroughly boring now I have the firewall).

I quite often see automated requests to my web server. This is common nowadays and, properly configured, not a problem. If any unusual request comes in it should have a 400 series error code with it, such as 404 not found or 414 not allowed.

There was a vulnerability in ssh a while back so check your version. Mine's only open to the internal network and is version 3.8.1p1-8.sarg (on a Debian system).

- Richard
Richard Corfield <rcnews2@littondale.dyndns.org> wrote in
news:pan.2005.04.27.21.13.38.218521@littondale.dyndns.org:

> iftop is useful (though
> thoroughly boring now I have the firewall).

Wow, iftop is cool as hell! I just tried it out and that is one nifty tool. Thanks for the info.

--
~Ohmster
ohmster at newsguy dot com
On 2005-04-28, Ohmster <notareal@emailaddress.com> wrote:

> Richard Corfield <rcnews2@littondale.dyndns.org> wrote in
> news:pan.2005.04.27.21.13.38.218521@littondale.dyndns.org:
>
>> iftop is useful (though
>> thoroughly boring now I have the firewall).
>
> Wow, iftop is cool as hell! I just tried it out and that is one nifty
> tool. Thanks for the info.

If you like a graphical representation of the same type of information, check out "etherape":

http://etherape.sourceforge.net/

--
John (john@os2.dhs.org)
On 2005-04-27, Richard Corfield <rcnews2@littondale.dyndns.org> wrote:

> iftop is useful (though thoroughly boring now I have the firewall).

I don't know. I run it on my firewall to see exactly what is coming and going through the firewall in real time.

--
John (john@os2.dhs.org)
John Thompson <john@vector.os2.dhs.org> wrote in
news:slrnd72hf1.ath.john@vector.os2.dhs.org:

> If you like a graphical representation of the same type of information,
> check out "etherape":
>
> http://etherape.sourceforge.net/

Will do. Even the apachetop tool looks pretty nifty. Thanks.

--
~Ohmster
ohmster at newsguy dot com