Here's the story in a nutshell:
Friday evening, I was upgrading gentoo on my laptop. Since it's a PII 400/192 MB RAM, I just let it do its work (not logged in as root, used sudo) and I went to bed. Sat morning, I woke up, and found that my user ID had been changed, I could not log in as root, and when I rebooted, I could not log in as a normal user either. I used knoppix to find out which files had been altered/deleted/added, and also checked the logs (esp. /var/log/messages). There was nothing I could find; I checked /root, /home/user and /etc folders especially.
Since I had nothing important on the machine, I formatted the drives and installed debian woody. Changed from 'woody' to 'unstable' in /etc/apt/sources.lst, and did a dist-upgrade AS ROOT. This was just to find out what was going on. Guess what? Same thing happened. I had the same login ID, but different passwords for root and user this time (though it shouldn't matter in this case, right?)
I tried looking for any files or logs again, but no luck. Unfortunately, since I have to take the laptop to work on Monday, I had to install linux on it again. This time, I tried Slackware, and I haven't logged on to this machine as root or used sudo. The machine seems to be doing fine till now.
My question is:
a. If we consider that gentoo has a bug which caused the user ID to change/passwords to change, how can the same thing happen in debian also? In that case, is the bug related to an application? (I have tried looking at the mailing lists/forums for gentoo, but not debian.)
b. Is it too much of a coincidence that someone broke into my machine twice within a span of 24 hours?
c. What files/logs should I look into/for to find out if my machine has been compromised?
d. Would having a HW firewall/router help?
Thnx,
Civ