Have I been pwned?
Today, I noticed a few weird things.
Anyway, when I did top, I found modprobe running which was taking up a lot
of cpu time. So, I did a killall modprobe and cron emailed me (locally)
with the subject line "Cron <root@fatcat> /sbin/service portsentry restart >/dev/null && /sbin/service iptables restart >/dev/null"
and the email body was:
/etc/init.d/iptables: line 318: 3770 Terminated modprobe -r $mod >/dev/null 2>&1
Now, that command modprobe -r $mod >/dev/null, was that trying to remove
all the kernel modules into oblivion?
What does the 2>&1 bit at the end do?
Also, all my iptables rules were flushed and when I checked back a few
minutes later I couldn't run iptables at all. I'm now running again, all
passwords changed and everything seems normal. Last night I had some scans
and probes to ports 1023-1026 and port 1337 which I have now set iptables
to DROP. /var/log/secure is empty too.
Is there anything I can do to detect intruders, or trace their meddlings?
I'm running, of course, iptables and portsentry. What else should I get?
Many thanks for your input on my varied and many questions :)
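An added example, not part of the original post, illustrating the `>/dev/null 2>&1` pattern from the cron message. The `noisy` function is a constructed stand-in for a command such as `modprobe -r` that writes to both stdout and stderr; the example shows that the order of the two redirections matters.

```shell
#!/bin/sh
# Added example (not from the original post): what ">/dev/null 2>&1" does.
# The init-script line "modprobe -r $mod >/dev/null 2>&1" sends the command's
# normal output (fd 1) to /dev/null and then points its error output (fd 2)
# at the same place, so nothing from that command reaches the cron mail.

# Constructed stand-in for a command that writes on both streams.
noisy() {
    echo "stdout: module removed"
    echo "stderr: module is in use" >&2
}

# Same pattern as the init script: fd 1 -> /dev/null first, then fd 2 is
# duplicated from fd 1, so both streams are discarded.
run_silenced() {
    noisy >/dev/null 2>&1
}

# Common mistake: with "2>&1" first, fd 2 is duplicated from fd 1 while fd 1
# still points at the caller's stdout; only afterwards is fd 1 redirected.
# Result: stdout is discarded but the error text is still printed.
run_wrong_order() {
    noisy 2>&1 >/dev/null
}

# "2>&1" alone merges stderr into stdout, which is how you would capture an
# error message from a command into a variable or log file.
merge_streams() {
    noisy 2>&1
}
```

Redirections are applied left to right, which is why `>/dev/null 2>&1` silences everything while `2>&1 >/dev/null` does not.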