Getting a bad feeling in the pit of my stomach, I booted my Shuttle to take a look. Maybe someone had pierced the WPA encryption on my wireless link -- I have left the Airport configured to advertise its SSID, as this really simplifies network config and troubleshooting. Logging into my Airport admin program, I found that no one was using the wireless -- I didn't have anyone registered for DHCP or any client MAC addresses. So someone might have figured out the WPA password, but I doubt they could also have faked the configs. Then I remembered: I had recently restarted my old Linux server in preparation for upgrading its hard drive. Uh-oh.
Logging into the server brought instant and curious results: a quick who command said that both I and Brian were logged in. This wasn't impossible (Brian has had a login on the machine since I gave him one a year or two ago), but what was telling was that brian appeared to be logged in from somewhere in the .ro domain -- Romania. Knowing that Brian hasn't been out of Columbus, Ohio in years (except for his visits here), I was suspicious. Not taking any chances, I employed standard operating procedure for a compromised machine -- I pulled the power cord.
After I had located the KNOPPIX CD that Brian had given me, I went to work finding out how my Romanian friend had gotten in. After mounting the home and root partitions, I checked the logs.
/var/log/messages didn't really have anything of use, but /var/log/secure definitely did -- I had a rash of unsuccessful ssh logins (mostly against daemon accounts), all starting about 5 AM this morning. Apparently my Romanian friend had been using a dictionary attack to find poorly password-protected accounts. And he had found one -- I think Brian's account password was "brian" when I set it up. Now that I had found out how he had gotten in, I went about surveying the damage. A quick find command (looking for files modified in the past day) turned up some new directories and files in the /tmp directory. Going into the directory, I found a standard toolkit of dictionary attack tools and IRC bot binaries. This is almost identical to the write-up in this Honeypot break-in. It looks like I was dealing with a script kiddie -- he hadn't erased his tracks nor started to compromise other machines on my network. In fact, I don't think he even got root access on the server. However, it will really be impossible to know exactly, since pulling the plug on the server killed some of the evidence in the log files.
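The tell-tale pattern above (a burst of failed sshd logins against daemon accounts from one address, followed by an accepted password login for a real user from the same address) is easy to pull out of /var/log/secure mechanically. The script below is an added example, not part of the original post and not the author's tooling; the log lines in it are constructed to mimic the classic OpenSSH syslog wording ("Failed password for illegal user NAME from IP port N ssh2"), and the hostname, addresses and user names in them are made up.

```python
"""Triage sshd entries from a /var/log/secure-style file for a dictionary attack.

Added example, not from the original post. SAMPLE_SECURE_LOG is constructed;
the regex matches the classic OpenSSH syslog format, with the optional
"illegal user" / "invalid user" prefix that older and newer sshd versions use.
"""
import re
from collections import Counter

# Constructed sample of /var/log/secure-style sshd lines (hostname, IPs and
# users are made up).
SAMPLE_SECURE_LOG = """\
May 14 05:02:11 shuttle sshd[2231]: Failed password for illegal user admin from 192.0.2.77 port 40211 ssh2
May 14 05:02:14 shuttle sshd[2233]: Failed password for daemon from 192.0.2.77 port 40215 ssh2
May 14 05:02:17 shuttle sshd[2235]: Failed password for bin from 192.0.2.77 port 40219 ssh2
May 14 05:02:20 shuttle sshd[2237]: Failed password for mail from 192.0.2.77 port 40223 ssh2
May 14 05:02:25 shuttle sshd[2239]: Failed password for brian from 192.0.2.77 port 40230 ssh2
May 14 05:02:28 shuttle sshd[2241]: Accepted password for brian from 192.0.2.77 port 40234 ssh2
May 14 07:40:03 shuttle sshd[2410]: Accepted publickey for bill from 10.0.0.5 port 51022 ssh2
May 14 08:11:40 shuttle sshd[2502]: Failed password for bill from 10.0.0.5 port 51100 ssh2
May 14 08:11:45 shuttle sshd[2504]: Accepted password for bill from 10.0.0.5 port 51104 ssh2
"""

SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<status>Failed|Accepted) (?P<method>\w+) for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# System accounts that should never log in interactively; a failed login
# against one of these is a dictionary-attack signature on its own.
DAEMON_ACCOUNTS = {"daemon", "bin", "sys", "adm", "lp", "mail", "news",
                   "uucp", "operator", "games", "nobody"}


def parse_sshd_events(text):
    """Return the sshd auth events in file order as a list of dicts
    with keys status, method, user and src; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_counts_by_source(events):
    """Failed attempts per source address (a Counter, busiest first)."""
    return Counter(e["src"] for e in events if e["status"] == "Failed")


def daemon_account_probes(events):
    """Sorted list of source addresses that tried to log in as daemon accounts."""
    return sorted({e["src"] for e in events
                   if e["status"] == "Failed" and e["user"] in DAEMON_ACCOUNTS})


def suspicious_logins(events, threshold=3):
    """Accepted logins preceded by `threshold` or more failures from the same source.

    Walks the events in order, so only failures that happened *before* the
    acceptance count; a couple of mistyped passwords from a known host stay
    below the threshold, while a guessing run that finally succeeds does not.
    Returns (user, src, prior_failure_count) tuples.
    """
    failures_so_far = Counter()
    hits = []
    for e in events:
        if e["status"] == "Failed":
            failures_so_far[e["src"]] += 1
        elif failures_so_far[e["src"]] >= threshold:
            hits.append((e["user"], e["src"], failures_so_far[e["src"]]))
    return hits


if __name__ == "__main__":
    evts = parse_sshd_events(SAMPLE_SECURE_LOG)
    print("failed logins by source:", failed_counts_by_source(evts).most_common())
    print("sources probing daemon accounts:", daemon_account_probes(evts))
    for user, src, n in suspicious_logins(evts):
        print(f"SUSPICIOUS: {user} accepted from {src} after {n} failures")
```

Run it against a real file with `parse_sshd_events(open("/mnt/root/var/log/secure").read())` from the rescue CD, after mounting the disk read-only so the timestamps the find pass relies on are not disturbed. The threshold of three is an assumption chosen for the constructed sample; on a real log you would tune it against the legitimate failures you see from your own hosts.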
Long story short, I am now in the process of completely reinstalling the machine. Unfortunately, it only has 64 MB of RAM, so I think my choices are kinda limited -- maybe some cut-down Linux distro will work.