Educause Security Discussion mailing list archives

Re: i think i'm hacked - is this the right place to ask ?


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 16 Nov 2016 22:01:00 -0500

On Thu, 17 Nov 2016 03:22:41 +0100, "Lentes, Bernd" said:
> The host should not be accessible from the internet (i trust our firewall
> admin ...).

The fact you trust the firewall admin doesn't in fact mean the firewall
was correctly configured, and the software patched.

> last says (IP addresses deleted for the root logins):

If your system was configured to allow direct logins by root, rather
than requiring login to an existing userid and then use /bin/su or
/bin/sudo to get root access, you're going to have a bad auditing day.

> guest-ic tty9         :2               Wed Nov 16 15:13 - 15:13  (00:00)
> guest-gi tty8         :1               Wed Nov 16 14:17    gone - no logout
>
> Tty8 and tty9 ? Sounds strange to me.

The :1 and :2, combined with the tty8 and tty9, tend to indicate that
these were logins on the GUI at the console.  Time to check who had
physical access to the machine. (A misconfigured gdm that allows remote
logins will also get you :1 and :2, but won't have a corresponding tty entry)

Given that your organization doesn't seem to have any incident response
or security expertise, there is a *very* high chance that this is just the
tip of the iceberg, and you may likely have a lot of *other* compromised
systems.  Be prepared to check every single server and PC.
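The reading of the `last` output above (display `:N` together with `ttyN` means a graphical session at the physical console, a display with no console tty points at a display manager accepting remote sessions, and a direct `root` login cannot be attributed to a person) can be turned into a small triage script for an incident like this one. The following is an added example written for this archive page, not code from the original thread; it parses a constructed sample of `last` output in the classic fixed-column layout and assumes the tag names and functions it defines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample of `last` output (the real post had its IP addresses
# removed). Two lines are copied from the quoted output above; the rest are
# made up to exercise each case. Usernames may be truncated to 8 characters
# by `last`, as "guest-ic"/"guest-gi" show.
SAMPLE_LAST_OUTPUT = """\
root     pts/0        198.51.100.23    Wed Nov 16 09:40 - 09:52  (00:12)
guest-ic tty9         :2               Wed Nov 16 15:13 - 15:13  (00:00)
guest-gi tty8         :1               Wed Nov 16 14:17    gone - no logout
bernd    :3           :3               Wed Nov 16 12:00 - 12:05  (00:05)
bernd    pts/1        10.0.0.5         Wed Nov 16 08:01 - 08:30  (00:29)
reboot   system boot  4.4.0-generic    Tue Nov 15 07:00 - 16:00  (1+09:00)

wtmp begins Tue Nov  1 00:00:01 2016
"""

# Finding tags (hypothetical names chosen for this example).
ROOT_LOGIN = "direct-root-login"            # root logged in directly, no su/sudo trail
CONSOLE_GUI = "console-gui-login"           # display :N on ttyN -> someone at the keyboard
HEADLESS_DISPLAY = "display-without-tty"    # display :N but no ttyN -> check gdm/XDMCP exposure

# user, line, host, then a timestamp that starts with a weekday name.
# host may be empty for plain console logins, hence \S* rather than \S+.
LAST_LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<line>\S+)\s+(?P<host>\S*)\s+"
    r"(?P<when>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s.*)$"
)
DISPLAY_RE = re.compile(r"^:\d+(?:\.\d+)?$")   # X display such as :1, :2, :0.0


@dataclass
class LoginRecord:
    user: str
    line: str
    host: str
    when: str
    findings: List[str] = field(default_factory=list)


def parse_last(text: str) -> List[LoginRecord]:
    """Turn `last` output into records, skipping reboots and the wtmp footer."""
    records = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("wtmp begins") or raw.startswith("reboot"):
            continue
        m = LAST_LINE_RE.match(raw)
        if not m:
            continue  # unrecognised layout; a real tool would log this line
        records.append(LoginRecord(m["user"], m["line"], m["host"], m["when"].strip()))
    return records


def classify(rec: LoginRecord) -> List[str]:
    """Apply the three observations from the thread to one login record."""
    findings = []
    if rec.user == "root":
        findings.append(ROOT_LOGIN)
    if DISPLAY_RE.match(rec.host):
        if rec.line.startswith("tty"):
            findings.append(CONSOLE_GUI)       # who had physical access at that time?
        else:
            findings.append(HEADLESS_DISPLAY)  # display manager reachable remotely?
    return findings


def suspicious(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (user, line, host, findings) for every record that raised a finding."""
    out = []
    for rec in parse_last(text):
        rec.findings = classify(rec)
        if rec.findings:
            out.append((rec.user, rec.line, rec.host, rec.findings))
    return out


if __name__ == "__main__":
    for user, line, host, tags in suspicious(SAMPLE_LAST_OUTPUT):
        print(f"{user:<8} {line:<12} {host:<16} {', '.join(tags)}")
```

Run it against `last -F` output saved from the suspect host (the `-F` full-timestamp form keeps the weekday first, so the same regex applies), and treat every `console-gui-login` as a question for whoever controls physical access, every `display-without-tty` as a reason to check the display manager's remote-login settings, and every `direct-root-login` as a login you cannot tie to a person.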
