# Was I hacked?



## evilmrhenry (Dec 14, 2001)

Debian testing.

While web browsing, I noticed the hard drive was being accessed for no apparent reason. Running System Guard, I noticed that the 'find' command was running, with the login set to "nobody". I didn't have enough permissions to end the process as a regular user, but a console window, su, and kill command ended it. Shortly after killing the process, I noticed the 'ls' command was being run.

At this time, I disconnected the computer from the Internet, and looked at the log files. auth.log looks fine, but to get a second opinion:


```
Apr 17 12:10:28 box sshd[542]: Server listening on 0.0.0.0 port 22.
Apr 17 12:12:26 box kdm[825]: (pam_unix) session opened for user reg_user by (uid=0)
Apr 17 12:15:53 box su[1325]: + ??? root:nobody
Apr 17 12:15:53 box su[1325]: (pam_unix) session opened for user nobody by (uid=0)
Apr 17 12:17:01 box CRON[1398]: (pam_unix) session opened for user root by (uid=0)
Apr 17 12:17:01 box CRON[1398]: (pam_unix) session closed for user root
Apr 17 12:19:02 box su[1536]: (pam_unix) authentication failure; logname= uid=1000 euid=0 tty=pts/0 ruser=reg_user rhost=  user=root
Apr 17 12:19:05 box su[1536]: pam_authenticate: Authentication failure
Apr 17 12:19:05 box su[1536]: - pts/0 reg_user:root
Apr 17 12:19:08 box su[1542]: + pts/0 reg_user:root
Apr 17 12:19:08 box su[1542]: (pam_unix) session opened for user root by (uid=1000)
Apr 17 12:19:24 box su[1615]: + ??? root:mail
Apr 17 12:19:24 box su[1615]: (pam_unix) session opened for user mail by (uid=0)
Apr 17 12:20:01 box CRON[1817]: (pam_unix) session opened for user root by (uid=0)
Apr 17 12:20:01 box CRON[1817]: (pam_unix) session closed for user root
Apr 17 12:30:01 box CRON[2427]: (pam_unix) session opened for user root by (uid=0)
Apr 17 12:30:01 box CRON[2427]: (pam_unix) session closed for user root
Apr 17 12:31:52 box su[2551]: + pts/1 reg_user:root
Apr 17 12:31:52 box su[2551]: (pam_unix) session opened for user root by (uid=1000)
Apr 17 12:31:52 box su[2553]: + pts/1 reg_user:root
Apr 17 12:31:52 box su[2553]: (pam_unix) session opened for user root by (uid=1000)
Apr 17 12:40:01 box CRON[3123]: (pam_unix) session opened for user root by (uid=0)
Apr 17 12:40:01 box CRON[3123]: (pam_unix) session closed for user root
```
Now, how do I determine what caused the 'find' command to be run? I'm thinking now it was just a daemon, but a log file somewhere that shows it for sure would be helpful.

(And yes, I am going to change my passwords.)


----------



## Whiteskin (Nov 16, 2002)

Find is run as part of a script to update the locatedb daily by a cron job (locatedb is the database searched by the command locate (as if you couldn't guess)). Locate is used to.... locate files (try it: It's very useful...)

[edit] Oh, and it is run as nobody, because nobody is a very unprivileged user.


----------
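The su entries in the quoted auth.log are the trail the original poster was looking for: a successful su with no controlling terminal (`???`) from root down to `nobody` or `mail` is what a cron-driven script such as the daily updatedb run leaves behind, while an su *to* root without a terminal would deserve a closer look. The following parser, added here as an example and not part of either post, classifies those lines; the sample log text is constructed in the same format as the one above, and the last sample line is an invented anomaly included only to show what the check flags.

```python
import re

# Constructed sample lines in the same syslog su/PAM format as the auth.log quoted above.
SAMPLE_AUTH_LOG = """\
Apr 17 12:15:53 box su[1325]: + ??? root:nobody
Apr 17 12:15:53 box su[1325]: (pam_unix) session opened for user nobody by (uid=0)
Apr 17 12:19:05 box su[1536]: - pts/0 reg_user:root
Apr 17 12:19:08 box su[1542]: + pts/0 reg_user:root
Apr 17 12:19:24 box su[1615]: + ??? root:mail
Apr 17 12:45:00 box su[4001]: + ??? reg_user:root
"""

# "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# su's own summary line: "+"/"-" (success/failure), controlling tty or "???", from:to
SU_RE = re.compile(r"^(?P<ok>[+-]) (?P<tty>\S+) (?P<src>[^:]+):(?P<dst>\S+)$")
# Unprivileged accounts that root-run maintenance scripts (updatedb for locatedb, mail) drop to.
SERVICE_ACCOUNTS = {"nobody", "mail", "daemon"}

def classify(ok, tty, src, dst):
    """Explain one su event from a defender's point of view."""
    if not ok:
        return "failed su"
    if tty == "???" and src == "root" and dst in SERVICE_ACCOUNTS:
        # No controlling terminal plus a drop from root is the fingerprint of a cron/script job,
        # which is how 'find' comes to run as nobody during the daily locatedb update.
        return "privilege drop by script/cron, expected"
    if tty == "???" and dst == "root":
        return "ANOMALY: non-interactive su to root"
    if dst == "root":
        return "interactive su to root, confirm it was you"
    return "other"

def parse_su_events(log_text):
    """One record per su summary line; the PAM 'session opened' lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m["prog"] != "su":
            continue
        s = SU_RE.match(m["msg"])
        if not s:
            continue
        events.append({"ts": m["ts"], "pid": m["pid"], "tty": s["tty"], "src": s["src"],
                       "dst": s["dst"], "verdict": classify(s["ok"] == "+", s["tty"], s["src"], s["dst"])})
    return events

def anomalies(log_text):
    """Only the events worth a closer look."""
    return [e for e in parse_su_events(log_text) if e["verdict"].startswith("ANOMALY")]
```

Run against a real `/var/log/auth.log` (read the file and pass its text to `parse_su_events`), the `???` root-to-service drops will line up with the cron.daily run, which answers the "was it a daemon?" question without guessing.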

