
Re: [cobalt-security] Have I been hacked?



Hi Simon,

> I have just had my daily tripwire report and it is horrible... loads of
> files have been modified.  I have included the summary here below.
> We haven't touched the box ourselves so am I in trouble?

This Tripwire summary could be misleading. It's just a summary, so we
don't know which files and directories it monitors to begin with.
Specifically, we don't know which files apparently were removed and
triggered this report.

So I'd say that's not enough information to give a solid answer. But
yes, the report - as fuzzy as it is - would make me suspicious as well.
My recommendations are as follows: 

Look at the detailed tripwire report to find out which files were
changed. Look at them, evaluate what legitimate reason could have caused
the changes and if you find none, then try to find out what the changed
files do.

Grab chkrootkit from www.chkrootkit.org and run a test on your machine
with that. Also do a portscan from the outside to check for open ports
(disable Portsentry first, if you got it installed ;o).

> Also the logcheck directly after this reports a restart, could this be what
> caused the changes?

Restart of what? Was it a server reboot or just a restart of the logging
facility? If it was a server reboot, then yes, this could have caused
filesystem changes that an improperly configured Tripwire (or clone
thereof) stumbles across under various circumstances. Hard to tell
without knowing what your Tripwire monitors and what not.

-- 
With best regards,

Michael Stauber
SOLARSPEED.NET
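The point Michael makes about the summary is that a Tripwire-style report is only useful once you can see which paths changed and what about them changed (content, permissions, or just a timestamp), and that a baseline covering volatile directories such as /var/log will light up on every reboot. The script below is an added example written for this page, not Tripwire's own code nor anything from the thread: it builds a hash-and-mode baseline over a directory tree, skips a hypothetical list of volatile subtrees, and diffs two baselines into added, removed and modified files, reporting for each modified file which attribute differs. The fake root, file names and the "trojaned" edit in demo() are constructed inputs.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Subtrees that legitimately churn across a reboot or with normal service
# activity. A hypothetical default for this example, not Tripwire's policy.
VOLATILE = ("var/log", "var/run", "var/lock", "tmp")


def _ignored(rel: str, ignore) -> bool:
    """True if rel (a root-relative POSIX path) lies inside an ignored subtree."""
    return any(rel == i or rel.startswith(i + "/") for i in ignore)


def file_record(path: Path) -> dict:
    """Content hash, size and permission bits of one regular file."""
    st = path.lstat()
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root, ignore=VOLATILE) -> dict:
    """Map every regular file under root (path relative to root) to its record."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune ignored subtrees in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if not _ignored(
            (Path(dirpath) / d).relative_to(root).as_posix(), ignore)]
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            # Symlinks, sockets and devices are skipped; only regular files are hashed.
            if _ignored(rel, ignore) or not stat.S_ISREG(full.lstat().st_mode):
                continue
            baseline[rel] = file_record(full)
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Classify differences between two baselines, sorted for stable reports."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p] != new[p]),
    }


def changed_fields(old: dict, new: dict, rel: str) -> list:
    """Which recorded attributes differ for one modified path (e.g. only 'mode')."""
    return [k for k in old[rel] if old[rel][k] != new[rel][k]]


def demo() -> dict:
    """Constructed scenario: a fake root, a baseline, then four kinds of change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed sample tree
            "bin/ls": b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "sbin/old-daemon": b"stale binary\n",
            "var/log/messages": b"boot: kernel up\n",
        }
        for rel, data in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
            p.chmod(0o644)
        before = build_baseline(root)

        # Content change, permission-only change, deletion, log growth, new file.
        (root / "bin/ls").write_bytes(files["bin/ls"] + b"# trojaned\n")
        (root / "etc/passwd").chmod(0o600)
        (root / "sbin/old-daemon").unlink()
        with open(root / "var/log/messages", "ab") as fh:
            fh.write(b"boot: kernel up again\n")  # ignored as volatile
        (root / "usr/bin").mkdir(parents=True)
        (root / "usr/bin/.hidden").write_bytes(b"unexpected new file\n")
        after = build_baseline(root)

        report = compare(before, after)
        report["reasons"] = {p: changed_fields(before, after, p)
                             for p in report["modified"]}
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real root, the "reasons" column is what separates a permission flip on /etc/passwd or a rewritten /bin/ls from harmless churn, and the ignore list is where a noisy post-reboot report gets fixed; a file whose hash changed with no package update to explain it is the one to pull apart next, which is where chkrootkit and an outside portscan come in.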