Linux Box Hacked? - How to tell?

Good day all, solid work on this forum btw. Okay...

I got an email in my account the other day that said:

ALERT - Root Shell Access on: Fri Dec 3 15:22:33 SGT 2004

Normally when I log in root from office the message is:

ALERT - Root Shell Access on: Fri Dec 3 15:22:33 SGT 2004
from IP ADSL-AOL.231.232.123.34

so it was funny when the message I got had no IP address (meaning a user access perhaps?)

I went in via SSH Putty to check and in the /var/log directory I realised that all the messages, secure and other log file sizes were set to zero. Furthermore a chunk was missing out of the httpd log.

Is there a simple way to check whether I am compromised? I will be willing to share as much information as I can from my Linux box to help and hopefully this thread can help other newbies.

I have already run chkrootkit but it detected nothing except a warning that the mysql log was zero (perhaps it was a log wiper?)

Lastly I consider myself a Linux intermediate, having experience in Cobalt Raqs and RH before moving to the current box which is installed with Trustix.

Thanks in advance! - Troff
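The two things Troff noticed (log files truncated to zero bytes and a chunk missing from the httpd log) are exactly the traces a crude log wiper leaves, and both can be checked mechanically. The script below is an added example, not code from the original post or from any forum member: it lists zero-length files in a log directory and reports the largest time gap between consecutive Apache access-log entries, which is how a cut-out chunk shows up. The sample directory and log lines are constructed inline for the demo; the timestamp parser assumes Apache common/combined log format with the date in field 4, and ignores the timezone offset (fine for measuring gaps within one file). The day-number formula in awk is a portable substitute for gawk's mktime().

```sh
#!/bin/sh
# Added example: quick triage for log tampering on a Unix host.
# Requires only POSIX sh, find, awk and mktemp.

# Print the names of zero-length regular files directly under a directory,
# i.e. logs that look like they were truncated rather than rotated.
find_zeroed_logs() {
    ( cd "$1" && find . -maxdepth 1 -type f -size 0 | sed 's|^\./||' | sort )
}

# Print "<seconds> <timestamp>" for the largest gap between consecutive
# entries in an Apache-style access log; <timestamp> is the last entry
# before the gap. Entries are assumed to be in chronological order.
largest_gap_seconds() {
    awk '
    # Days since 1970-01-01 for a proleptic Gregorian date (Hinnant formula).
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
        if (m <= 2) y--
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mn, " ")
        for (i = 1; i <= 12; i++) mon[mn[i]] = i
        prev = -1; maxgap = 0; gap_at = ""
    }
    {
        if (substr($4, 1, 1) != "[") next       # skip malformed lines
        ts = substr($4, 2)                       # 03/Dec/2004:23:59:00
        n = split(ts, p, "[/:]")                 # day Mon year H M S
        if (n != 6 || !(p[2] in mon)) next
        t = days_from_civil(p[3] + 0, mon[p[2]], p[1] + 0) * 86400 \
            + p[4] * 3600 + p[5] * 60 + p[6]
        if (prev >= 0 && t - prev > maxgap) { maxgap = t - prev; gap_at = prev_ts }
        prev = t; prev_ts = ts
    }
    END { print maxgap, gap_at }
    ' "$1"
}

# Build a throwaway log directory with CONSTRUCTED sample data: two wiped
# logs, one intact log, and an access log with 3.5 hours cut out of it.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/messages"
    : > "$d/secure"
    printf 'Dec  3 15:22:33 box sshd[1]: Accepted password for root\n' > "$d/maillog"
    cat > "$d/access_log" <<'EOF'
10.0.0.5 - - [03/Dec/2004:23:58:30 +0800] "GET / HTTP/1.0" 200 1234
10.0.0.5 - - [03/Dec/2004:23:59:00 +0800] "GET /index.html HTTP/1.0" 200 5678
10.0.0.9 - - [04/Dec/2004:03:29:00 +0800] "GET /robots.txt HTTP/1.0" 404 210
10.0.0.9 - - [04/Dec/2004:03:29:20 +0800] "GET / HTTP/1.0" 200 1234
EOF
    echo "$d"
}

# Demo run on the constructed data; on a real box point the functions at a
# copy of /var/log taken off-host rather than at the live directory.
demo=$(make_sample_dir)
echo "zero-length files under $demo:"
find_zeroed_logs "$demo"
echo "largest gap in access_log (seconds, last entry before gap):"
largest_gap_seconds "$demo/access_log"
rm -rf "$demo"
```

Two caveats a practitioner would add: once the logs on a box have been wiped, nothing else on that box (ls, find, awk, even chkrootkit's output) can be trusted either, so copy the log directory to a clean machine before analysing it; and a gap in the httpd log is only suspicious relative to the site's normal traffic, so compare the reported gap against the spacing seen elsewhere in the same file.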
