I’ve been hacked.

Or, at least someone was trying. Thursday morning I looked at my ‘modem lights’ applet (which furthermore has a short activity graph) to see a lot of send activity despite the fact that I wasn’t doing anything. I quickly disconnected. Immediately I noticed some activity with cups, and it did a have job from ‘stdin’ that looked suspicious. Apparently it defaults to being a network print server. I shut down to clear any running programs, and left it that way overnight.

Friday morning, I restarted. Some of they gnome applets aren’t starting up properly, but there was a huge Debian update previously, and this was the first time I had restarted since, so I can’t be certain it is related. The logs showed a lot of activity on cups, but I haven’t yet found any detail beyond ‘stdin’ Later log analysis tools, pulling from some log file I apparently missed, showed repeated remote login attempts with random user names. This helped confirm the time, and that stuff was only happening for a few minutes before I logged off.

Anyway, I’ve installed several hardening programs, and will continue looking at more. I’ve got a bothersome level of logging and alerting on for the time being. Some process is sending every packet reject to the console, which gets very annoying when working in text screen programs.

But the firewall is set up now. I see far less background noise on the modem lights now – it’s pretty much silent when I’m not doing anything. I still need to see if I can find md5sums for some of the packages to verify them, but it looks likely no damage was done.

Posted Saturday, October 1st, 2005 under War Story.

Comments are closed.