
Thread: Am I hacked?

  1. #1
    Join Date
    Nov 2008
    Beans
    3

    Am I hacked?

    I am a UNIX novice but not total noob.

    Something is leeching a ton of bandwidth on my Ubuntu 13.04 box.

    While researching it I stumbled over a thread from a guy who was hacked and I wound up getting a list of all the users on my system.

    I think this looks very suspicious - can anyone tell me if I'm hacked or not, please?

    I am terry on this list

    root
    daemon
    bin
    sys
    sync
    games
    man
    lp
    mail
    news
    uucp
    proxy
    www-data
    backup
    list
    irc
    gnats
    nobody
    libuuid
    syslog
    messagebus
    avahi-autoipd
    usbmux
    dnsmasq
    whoopsie
    kernoops
    rtkit
    speech-dispatcher
    lightdm
    avahi
    colord
    pulse
    hplip
    saned
    terry
    dhcpd
    guest-yla6m4
    guest-J9XWdv
    guest-bUlUPz
    guest-ajBhyE

  2. #2
    Join Date
    Feb 2008
    Location
    Pelican Bay Correctional
    Beans
    Hidden!

    Re: Tell me the truth, am I hacked?

    Did you create these guest-* accounts?
    I have 3 brain cells left, and two of them have restraining orders.
    Linux is just "DOS on 'steroids"

  3. #3
    Join Date
    Nov 2008
    Beans
    3

    Re: Tell me the truth, am I hacked?

    No. I created terry. The rest just showed up. rtkit looks damn suspicious all by itself.

  4. #4
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    5,742
    Distro
    Xubuntu 15.04 Vivid Vervet

    Re: Tell me the truth, am I hacked?

    rtkit is RealtimeKit. See "man rtkitctl". I don't think that's a problem.

    If you want to see what's using the internet, probably these commands will help:
    Code:
    sudo netstat -tup
    sudo lsof -i

  5. #5
    Join Date
    Feb 2008
    Location
    Pelican Bay Correctional
    Beans
    Hidden!

    Re: Tell me the truth, am I hacked?

    How about using the last command on each of the guest-* accounts to see if they have logged in?

    I agree it is alarming, and you would do well to be prepared for a counter-measure of the re-install kind if you cannot find the method of entry.

  6. #6
    Join Date
    Jan 2009
    Beans
    Hidden!
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Tell me the truth, am I hacked?

    Originally posted by Habitual:
    How about using the last command on each of the guest-* accounts to see if they have logged in?

    I agree it is alarming, and you would do well to be prepared for a counter-measure of the re-install kind if you cannot find the method of entry.
    +1

    Have you examined /var/log/auth.log?

  7. #7
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Tell me the truth, am I hacked?

    Those guest accounts are created automagically when you log into that account. They should be removed when you reboot the system.
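
Added example, not part of any post in this thread: a triage of passwd-format account data that separates system accounts, guest-session accounts and human accounts, and flags any extra UID 0 account. The sample lines are constructed (including the hypothetical `toor` entry); the UID threshold of 1000 and the `guest-` plus six characters naming pattern are assumptions based on Ubuntu defaults and the list in post #1.

```shell
#!/bin/sh
# Added example: classify passwd-format lines (name:pw:uid:gid:gecos:home:shell).
# Assumptions: UID_MIN is 1000 (Ubuntu default in /etc/login.defs) and guest
# session accounts are named "guest-" plus six characters, as in post #1.

classify_accounts() {
    awk -F: '
        NF < 7 { next }    # skip malformed lines
        {
            name = $1; uid = $3 + 0; cls = "system"
            if (uid == 0 && name != "root") {
                cls = "REVIEW-uid0"        # a second superuser: always investigate
            } else if (length(name) == 12 && name ~ /^guest-[A-Za-z0-9]+$/) {
                cls = "guest-session"      # temporary guest login account
            } else if (uid >= 1000 && uid != 65534) {
                cls = "human"              # 65534 is the nobody account
            }
            printf "%s\t%d\t%s\n", name, uid, cls
        }'
}

# Print only the names worth cross-checking against login records.
accounts_to_review() {
    classify_accounts | awk -F'\t' '$3 != "system" { print $1 }'
}

# Constructed sample input; UIDs, GIDs and the "toor" line are made up.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
rtkit:x:110:117:RealtimeKit,,,:/proc:/bin/false
terry:x:1000:1000:Terry,,,:/home/terry:/bin/bash
guest-yla6m4:x:115:125:Guest,,,:/tmp/guest-yla6m4:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
toor:x:0:0::/root:/bin/bash
EOF
}

sample_passwd | classify_accounts

# On a live system: getent passwd | accounts_to_review
# then run `last <name>` for each name printed to see whether it has logged in.
```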

  8. #8
    Join Date
    Feb 2008
    Location
    Pelican Bay Correctional
    Beans
    Hidden!

    Re: Tell me the truth, am I hacked?

    I never thought about the "guest" feature of the Ubuntu OS. My bad.

  9. #9
    Join Date
    Nov 2010
    Location
    India
    Beans
    4,840
    Distro
    Ubuntu Development Release

    Re: Tell me the truth, am I hacked?

    Okay, can you post the output of
    Code:
    ac -p
    You can see all the users and their total active time, so that you can see the blackhat account.
    Google First your issue, if no solution then ask.

    రాజ శేఖర్ రెడ్డి

  10. #10
    Join Date
    Nov 2013
    Location
    On the edge
    Beans
    707
    Distro
    Ubuntu

    Re: Tell me the truth, am I hacked?

    I would focus on network traffic in your instance. If something is eating up bandwidth then start with
    Code:
    top
    and see what processes are using lots of CPU. You could try to run
    Code:
    sudo netstat -npta
    on the suspect computer, but it's best to watch network traffic from another machine using tcpdump or Wireshark.


    When you have a process name from top then Google it to determine if it's legit. Then you can determine if it's a hacker or if it's some process that has gone wrong.
    "If somebody thinks they're a hedgehog, presumably you just give 'em a mirror and a few pictures of hedgehogs and tell them to sort it out for themselves."
    Douglas Adams
