RE: Have I been hacked?
Thanks everyone for your help.
It must be his computer as all the computers I usually log in from are all
fine. I am still quite new to all of this but we all have to start somewhere
:)
Cheers,
ijg0
>===== Original Message From "Hobbs, Richard" <hobbs@mongeese.co.uk> =====
>Hello,
>
>The SSH error is usually caused by the SSH server (your machine) being
>reformatted, or having SSH uninstalled and reinstalled, or have the
>public/private keys regenerated for some reason. have you recently made any
>changes to SSH, or reinstalled your system??
>
>It could also happen if he has been making changes to his
"~/.ssh/known_hosts" file.
>
>HTH...
>
>Richard.
>
>
>Quoting Ian Goodall <ijg@iangoodall.co.uk>:
>
>> Thanks for your help Guys.
>>
>> It now says this:
>>
>> > wtmp begins Wed May 7 13:21:47 2003
>>
>> I think that is what had happened. I am new to this and this just looked
>> dodgy to me!
>>
>> A friend also has ssh shell access to the box and got the following error
>> message when connecting to the same my box:
>>
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>
>> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
>>
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>
>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>>
>> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>>
>> It is also possible that the RSA host key has just been changed.
>>
>> The fingerprint for the RSA key sent by the remote host is
>>
>> 51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d.
>>
>> Please contact your system administrator.
>>
>> I don't get this from any other computers so is this just his computer?
>>
>> Thanks
>>
>> ----- Original Message -----
>> From: "Eric LeBlanc" <inouk@igt.net>
>> To: "Ian Goodall" <ijg@iangoodall.co.uk>
>> Cc: <debian-security@lists.debian.org>
>> Sent: Wednesday, May 07, 2003 3:23 PM
>> Subject: Re: Have I been hacked?
>>
>>
>> >
>> > Check if your program have rotated the logs...
>> >
>> > cd /var/log
>> >
>> > ls -l wtmp*
>> >
>> > and, check in /etc/cron* or do a crontab -l (in user root)
>> >
>> >
>> > E.
>> > --
>> > Eric LeBlanc
>> > inouk@igt.net
>> > --------------------------------------------------
>> > UNIX is user friendly.
>> > It's just selective about who its friends are.
>> > ==================================================
>> >
>> > On Wed, 7 May 2003, Ian Goodall wrote:
>> >
>> > > I am running a debian woody server and when I checked the last users
>> > > yesterday I a large number of logins in the list. On running the
command
>> > > today I get the following:
>> > >
>> > > dev1:/home/ian# last
>> > > ian pts/0 172.16.3.195 Wed May 7 14:49 still logged
>> in
>> > > team1 pts/0 blue99.ex.ac.uk Wed May 7 13:21 - 13:57
(00:35)
>> > >
>> > > I have run chkrootkit but nothing was found.
>> > >
>> > > I have never had this before. Am I being paranoid or is someone trying
>> to
>> > > cover up their tracks?
>> > >
>> > > Thanks
>> > >
>> > > ijg0
>> > >
>> > >
>> > >
>> > > --
>> > > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
>> > > with a subject of "unsubscribe". Trouble? Contact
>> listmaster@lists.debian.org
>> > >
>> >
>>
>>
>> --
>> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
>> with a subject of "unsubscribe". Trouble? Contact
>> listmaster@lists.debian.org
>>
>>
>
>
>--
>Richard Hobbs
>hobbs@mongeese.co.uk
>http://mongeese.co.uk | http://unixforum.co.uk
>
>"There's only one way of life, and that's your own" - The Levellers
>
>_____________________________________________________
>Send all your jokes to jokes@fishsponge.co.uk !!
>To subscribe, email: jokes-subscribe@fishsponge.co.uk
----------------------
Ian Goodall
www.iangoodall.co.uk
Reply to: