Koozali.org: home of the SME Server

I think I've been hacked!

Steven

I think I've been hacked!
« on: May 14, 2003, 04:57:10 PM »
When you log on to your server, you get a line that says
Last logged on from......
This now has a machine name that is not part of my network and that I definitely do not know.

Surely this means someone has somehow gained access to my server (I am the only one who knows the password and I have a dynamic IP address that changes every 24 hours). How can this be?

Can I make sure and/or see what was done?

Thanks
Steven

guestHH

Re: I think I've been hacked!
« Reply #1 on: May 14, 2003, 05:18:56 PM »
check your log files (and creation date)

report to smesecurity@mitel.com

Craig

Re: I think I've been hacked!
« Reply #2 on: May 14, 2003, 05:19:26 PM »
Log back into the server as root.  Then use the 'last' command.

This will show you when users were last logged in, logged out, how long they were in the system for and date/time and importantly in your case - where they came from.

Using the values that you get you can look in your log files to see if there is anything in there around the same time.  Look in your .bash_history and see if there are some commands that you don't recognise.

Of course if you have been hacked then there is a high chance that they will be clever enough to cover their own tracks in the files just mentioned and you may never know if you were hacked.

In which case you might want to try a reinstall with a change of password.
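
The `last` review described in the reply above, as an added example that is not part of the original thread: a shell function that reads `last -ai` output (source address as a numeric IP in the last column) and prints only sessions whose source does not start with a prefix you recognise. The function names, the prefixes and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Flags logins in `last -ai` output
# whose source address is outside a list of known prefixes.

# Constructed sample in `last -ai` layout (documentation-range addresses).
sample_last_output() {
cat <<'EOF'
root     pts/1        Wed May 14 16:40   still logged in    192.0.2.10
root     pts/0        Wed May 14 09:02 - 09:40  (00:38)     203.0.113.77
root     tty1         Tue May 13 18:12 - 18:30  (00:18)     0.0.0.0
public   ftpd4321     Fri May 16 13:50 - 13:52  (00:02)     198.51.100.5
reboot   system boot  Mon May 12 08:00          (2+08:40)   0.0.0.0

wtmp begins Thu May  1 04:02:11 2003
EOF
}

# Usage: last -ai | flag_unknown_logins "192.0.2.,10.0.0."
# $1 is a comma-separated list of address prefixes you expect to see.
# Keep the trailing dot so "192.0.2." does not also match 192.0.20.x.
flag_unknown_logins() {
    awk -v known="$1" '
    BEGIN { n = split(known, pfx, ",") }
    # Skip blank lines, the wtmp trailer and boot/shutdown pseudo-users.
    NF == 0 || $1 == "wtmp" || $1 == "reboot" || $1 == "shutdown" { next }
    {
        src = $NF                       # with -a the source is the last field
        if (src == "0.0.0.0") next      # local console, no remote address
        for (i = 1; i <= n; i++)
            if (index(src, pfx[i]) == 1) next   # starts with a known prefix
        print $1, $2, src               # user, tty, unexpected source
    }'
}

# Demonstration on the constructed sample.
sample_last_output | flag_unknown_logins "192.0.2."
```

Each flagged line gives a user, terminal and source address to look up in the log files around the same time.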

Steven

Re: I think I've been hacked!
« Reply #3 on: May 14, 2003, 05:55:30 PM »
Thanks Guys, but I'm an idiot!
That was putty which I use from my PC to access the server, but it's very strange that it shows that I logged on from another (real) domain, and also it only started doing that at 9 this morning (from "last" command), before which it used my IP address, and there are some logons after 9 that still use my IP address.

Strange
Sorry guys
Steven

Tom Carroll

Re: I think I've been hacked!
« Reply #4 on: May 16, 2003, 02:11:01 PM »
Craig, I just used the "last" command and it shows a "public" user who logged in through the ftp daemon.  Do you know what this "public" user is?

Would it be an anonymous FTP session?

Thanks!

Tom

Terry Brummell

Re: I think I've been hacked!
« Reply #5 on: May 16, 2003, 03:45:10 PM »
Log in via FTP as an anonymous user and find out for yourself.  I just did it and yes, that connection shows up as public.

Terry