Thanks for your help Guys. It now says this:
> wtmp begins Wed May 7 13:21:47 2003 I think that is what had happened. I am new to this and this just looked dodgy to me! A friend also has ssh shell access to the box and got the following error message when connecting to the same my box: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is 51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d. Please contact your system administrator. I don't get this from any other computers so is this just his computer? Thanks ----- Original Message ----- From: "Eric LeBlanc" <[EMAIL PROTECTED]> To: "Ian Goodall" <[EMAIL PROTECTED]> Cc: <[email protected]> Sent: Wednesday, May 07, 2003 3:23 PM Subject: Re: Have I been hacked? > > Check if your program have rotated the logs... > > cd /var/log > > ls -l wtmp* > > and, check in /etc/cron* or do a crontab -l (in user root) > > > E. > -- > Eric LeBlanc > [EMAIL PROTECTED] > -------------------------------------------------- > UNIX is user friendly. > It's just selective about who its friends are. > ================================================== > > On Wed, 7 May 2003, Ian Goodall wrote: > > > I am running a debian woody server and when I checked the last users > > yesterday I a large number of logins in the list. On running the command > > today I get the following: > > > > dev1:/home/ian# last > > ian pts/0 172.16.3.195 Wed May 7 14:49 still logged in > > team1 pts/0 blue99.ex.ac.uk Wed May 7 13:21 - 13:57 (00:35) > > > > I have run chkrootkit but nothing was found. > > > > I have never had this before. Am I being paranoid or is someone trying to > > cover up their tracks? > > > > Thanks > > > > ijg0 > > > > > > > > -- > > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > > >
