
Thread: Am I hacked?

  1. #1
    Join Date
    Nov 2008
    Beans
    3

    Am I hacked?

    I am a UNIX novice but not total noob.

    Something is leeching a ton of bandwidth on my Ubuntu 13.04 box.

    While researching it I stumbled over a thread from a guy who was hacked and I wound up getting a list of all the users on my system.

    I think this looks very suspicious - can anyone tell me if I'm hacked or not, please?

    I am terry on this list

    root
    daemon
    bin
    sys
    sync
    games
    man
    lp
    mail
    news
    uucp
    proxy
    www-data
    backup
    list
    irc
    gnats
    nobody
    libuuid
    syslog
    messagebus
    avahi-autoipd
    usbmux
    dnsmasq
    whoopsie
    kernoops
    rtkit
    speech-dispatcher
    lightdm
    avahi
    colord
    pulse
    hplip
    saned
    terry
    dhcpd
    guest-yla6m4
    guest-J9XWdv
    guest-bUlUPz
    guest-ajBhyE

  2. #2
    Join Date
    Feb 2008
    Beans
    Hidden!

    Re: Tell me the truth, am I hacked?

    Did you create these guest-* accounts?
    DorkBlog

    If you want something you've never had, then you must do things you've never done.
    Tools every shell scripter should have, explainshell, shellcheck, and crontab sandbox.

  3. #3
    Join Date
    Nov 2008
    Beans
    3

    Re: Tell me the truth, am I hacked?

    No. I created terry. The rest just showed up. rtkit looks damn suspicious all by itself.

  4. #4
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    5,307
    Distro
    Xubuntu 13.10 Saucy Salamander

    Re: Tell me the truth, am I hacked?

    rtkit is RealtimeKit. See "man rtkitctl". I don't think that's a problem.

    If you want to see what's using the internet, probably these commands will help:
    Code:
    sudo netstat -tup
    sudo lsof -i

  5. #5
    Join Date
    Feb 2008
    Beans
    Hidden!

    Re: Tell me the truth, am I hacked?

    How about using the last command on each of the guest-* accounts to see if they have logged in?

    I agree it is alarming and you would do well to be prepared for a counter-measure of the re-install kind if you cannot find the method of entry.

  6. #6
    Join Date
    Jan 2009
    Beans
    3,964
    Distro
    Ubuntu 13.10 Saucy Salamander

    Re: Tell me the truth, am I hacked?

    Originally posted by Habitual:
    How about using the last command on each of the guest-* accounts to see if they have logged in?

    I agree it is alarming and you would do well to be prepared for a counter-measure of the re-install kind if you cannot find the method of entry.
    +1

    Have you examined /var/log/auth.log?

  7. #7
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Tell me the truth, am I hacked?

    Those guest accounts are created automagically when you log into that account. They should be removed when you reboot the system.

  8. #8
    Join Date
    Feb 2008
    Beans
    Hidden!

    Re: Tell me the truth, am I hacked?

    I never thought about the "guest" feature of the Ubuntu OS. My bad.

  9. #9
    Join Date
    Nov 2010
    Location
    India
    Beans
    4,821
    Distro
    Ubuntu Development Release

    Re: Tell me the truth, am I hacked?

    Okay, can you post the output of
    Code:
    ac -p
    You can see all the users and their total active time, so that you can see the blackhat account.
    Raja

    రాజ శేఖర్ రెడ్డి

  10. #10
    Join Date
    Nov 2013
    Beans
    257

    Re: Tell me the truth, am I hacked?

    I would focus on network traffic in your instance. If something is eating up bandwidth then start with
    Code:
    top
    and see what processes are using lots of CPU. You could try to run
    Code:
    sudo netstat -npta
    on the suspect computer, but it's best to watch network traffic from another machine using tcpdump or Wireshark.


    When you have a process name from top then Google it to determine if it's legit. Then you can determine if it's a hacker or if it's some process that has gone wrong.
    "Everything not saved will be lost."
    Ancient Japanese Proverb originating from the omnipotent Nintendo "Quit Screen" message
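
Added example, not part of any post in this thread: a shell script that does the account triage the replies walk through by hand, run over a constructed passwd-format sample. The tag names, the UID 1000 cutoff (Ubuntu's default start for human accounts) and the accounts `toor` and `svc` are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: triage a passwd(5)-format account list.
# Tags and the UID 1000 cutoff are this example's assumptions.

# Constructed sample; UIDs, homes and shells are made up. "toor" and "svc" are
# hypothetical accounts added only to exercise the review rules.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
rtkit:x:108:114:RealtimeKit,,,:/proc:/bin/false
terry:x:1000:1000:Terry,,,:/home/terry:/bin/bash
guest-yla6m4:x:117:125:Guest,,,:/tmp/guest-yla6m4:/bin/bash
toor:x:0:0::/root:/bin/bash
svc:x:1001:1001::/home/svc:/bin/bash
EOF
}

# classify_accounts KNOWN  (KNOWN = comma-separated accounts you created yourself)
# Reads passwd lines on stdin, prints "name<TAB>tag".
classify_accounts() {
  awk -F: -v known="$1" '
    BEGIN { n = split(known, k, ","); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    /^#/ || NF < 7 { next }                    # skip comments and malformed lines
    {
      name = $1; uid = $3 + 0
      login = ($7 !~ /(nologin|false|sync)$/)  # an empty shell field means /bin/sh
      if (uid == 0 && name != "root")          tag = "EXTRA_UID0"    # second superuser
      else if (name in ok)                     tag = "KNOWN"
      else if (name ~ /^guest-[A-Za-z0-9]+$/)  tag = "GUEST"         # should be gone after reboot
      else if (uid >= 1000 && login)           tag = "UNKNOWN_LOGIN"
      else if (uid > 0 && uid < 1000 && login) tag = "SYSTEM_LOGIN"
      else                                     tag = "SYSTEM"
      print name "\t" tag
    }'
}

# needs_review KNOWN: names only, for the tags worth a closer look.
needs_review() {
  classify_accounts "$1" | awk '$2 ~ /^(EXTRA_UID0|UNKNOWN_LOGIN|SYSTEM_LOGIN)$/ { print $1 }'
}

# Demo on the constructed sample.
sample_passwd | classify_accounts terry
```

On a real machine, feed it the live list with `getent passwd | classify_accounts terry`. A `GUEST` entry that is still present after a reboot, or any `SYSTEM_LOGIN` entry, is a prompt to check `last` and `/var/log/auth.log` for that name, not a verdict.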
