0wned
It turns out that the error I was having earlier was a symptom of my being 0wned.
After a long day of snooping, I found:
- a user account that I did not make
- missing wtmp records
- weird processes running ('./xfsd', './90')
- an IRC client compiled on the machine in a hidden directory somewhere, along with channel logs
- a cron script that seems to mail some information to a yahoo.com email address
- ssh logins from IPs in Romania and the Philippines in auth.log (determined using geobytes)
- broken (trojaned?) binaries all over, with newer binaries that I was installing being modified as I watched
What a damn mess. I killed every process that wasn’t critical, and my idea of a fix was to apt-get upgrade the whole damn thing. Most of the packages were out of date, so I was hoping the newer versions would overwrite any compromised binaries.
The system still doesn’t feel normal. I get defunct processes all the time, weird hangs when running ps. There’s just too much shit on this system that I need and use daily to nuke it all and start over. It is just too customized; I’ve tweaked everything. (Not to mention the 123 day uptime.)
What’s the procedure for protecting myself now? Checking md5sum regularly? (debsums consistently returns mismatched md5sums, even though I verify by hand that they are correct. If debsums was a person, I would say that he has his head up his ass.) Some kind of port knocking scheme? Disallow all non-LAN connections altogether?
What is scary is that I would never have even realized I was intruded upon had the broken /bin/ls not tipped me off. I want to set something up such that I at least know I’ve been hacked before shit and fan meet.
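An added example, not part of the original post, of the kind of early-warning check the author is asking for: a small Python script that scans auth.log for accepted SSH logins and flags any that come from outside the LAN or that use an account the administrator never created (two of the indicators listed above). The trusted subnets, the account allowlist and the sample log lines are assumptions constructed for the example; adjust them to the real machine.

```python
import ipaddress
import re
from collections import Counter

# Shape of an sshd "Accepted" line in a syslog-style auth.log (assumed format).
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Networks treated as "LAN" (assumed; replace with the real subnets).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "127.0.0.0/8")]

# Accounts the administrator actually created (assumed allowlist).
KNOWN_USERS = {"root", "jim"}

def find_suspicious_logins(lines, trusted_nets=TRUSTED_NETS, known_users=KNOWN_USERS):
    """Return (suspicious, per_ip_counts). A login is suspicious when the source
    address lies outside every trusted network or the account is not allowlisted."""
    suspicious = []
    per_ip = Counter()
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # failed attempts, cron, etc. are not accepted logins
        ip = ipaddress.ip_address(m["ip"])
        per_ip[m["ip"]] += 1
        reasons = []
        if not any(ip in net for net in trusted_nets):
            reasons.append("source outside LAN")
        if m["user"] not in known_users:
            reasons.append("unknown account")
        if reasons:
            suspicious.append((m["ts"], m["user"], m["ip"], ", ".join(reasons)))
    return suspicious, per_ip

# Constructed sample auth.log lines (not real log data).
SAMPLE_LOG = """\
Mar  3 02:14:07 box sshd[4123]: Accepted password for jim from 192.168.1.20 port 51022 ssh2
Mar  3 03:41:55 box sshd[4410]: Accepted password for jim from 203.0.113.45 port 2231 ssh2
Mar  3 03:42:10 box sshd[4431]: Accepted password for games2 from 203.0.113.45 port 2240 ssh2
Mar  3 04:00:01 box CRON[4500]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 09:12:33 box sshd[4799]: Failed password for root from 198.51.100.9 port 40011 ssh2
""".splitlines()

if __name__ == "__main__":
    hits, counts = find_suspicious_logins(SAMPLE_LOG)
    for ts, user, ip, why in hits:
        print(f"{ts}  {user:<8} {ip:<16} {why}")
    print("accepted logins per source:", dict(counts))
```

Run it from cron against the live auth.log and mail yourself the output when it is non-empty; on an already-compromised host, copy the log off the machine first, since the local tools and logs can no longer be trusted.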