Did I get hacked?

The entire contents of my /home/grant/vmware folder have suddenly
disappeared.  I haven't noticed anything else strange yet.  I did
configure and start shorewall for the first time yesterday instead of
using a few iptables commands from the Gentoo Home Router Guide, and
I'm running PenguinTV (a video RSS aggregator with an ebuild in
bugs.gentoo.org) and transmission (a bittorrent client in portage) for
the first time.  My shorewall config is here:

http://archives.gentoo.org/gentoo-user/msg_108375.xml

What should I do next?

- Grant

El Domingo, 11 de Febrero de 2007 20:43, Grant escribió:
Errr....actually if a folder dissapear it doesn't mean you have been hacked,
not at all.
Have you seen at the logs, systems logs, "lastuser", services logs such as
apache or ssh ones?
Any proof of rootkits?
IMHO you're going to far with this...

--
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.

Check the hardware:
First the ram: www.memtest86.org
And the Hard Disk, the web of the manufacturer should have software to
test it.

En/na Grant ha escrit:

On Sunday 11 February 2007 11:43, Grant wrote: Not nearly enough info for anyone to make a call on wether you got hacked. You
might bear in mind that 99% of the time, this sort of thing is the result of
an accidental 'rm'. What you should probably do next is look at your shell
history file to see if that might be the case.

If nothing turns up, check your system logs, etc. Consider this as a good
reason to run some sort of host intrusion detection system. You might even
consider writing a rudimentary HIDS yourself.

Doing the research required to do anything like a good job of it will teach
you a lot about what to look for in the future. No offense meant, but you
won't get far into a project like that before you realize that you haven't
given anyone *nearly* enough information to answer the question, "Did I get
hacked?"

Someone with the *exact* same system configuration might be able to answer
your question (most probably if they've been hacked, and can prove it) but
that's pretty unlikely. Gentoo isn't that popular (nothing against it, for
you Gentoo folk, but it really does have minor market share compared to, say,
Ubuntu, Debian, Fedora, or RH).

So you're asking a very generic question, usually immediately assignable to
operator error, about a somewhat specialized distro, with a very specific
loadout.

I wish you well, but that's going to be tough question to get a good answer
to. OTOH, maybe a few Gentoo aficionados will be pissed at my response,
research the problem within an inch of it's life, and come up with an
immediate answer, just to prove me wrong. That would fix you up nicely, and I
hope it happens. I'm just a bit doubtful.

... ciao:

: on "2-11-2007" "Grant" writ:
: my /home/grant/vmware folder have suddenly disappeared.
: I haven't noticed anything else strange yet.
: configure and start shorewall for the first time yesterday
: using a few iptables commands from the Gentoo Home Router Guide, and

    i read that, and suspect you rushed into something before you were
prepared for the challenges it preesents.  installing a firewall "after"
something goes "WRONG" is not likely to be much help.

    "haven't noticed", begs a question about what you chose to inspect in
search of an answer.  that is important, but doesn't matter. unless you
can say with absolute confidence that you haven't been compromised, you'd
be "smart" to assume you have.

    were it me, i'd rebuild the system, and install the firewall before
exposing the system to the internet.

    finally, i recall having read something about codecs that were
problematic, and if memory serves, allowed arbitrary code execution ...


--
... i'm a man, but i can change,
    if i have to , i guess ...

Are you sure you didn't have the 'vmware' directory as a mount point  
for a secondary hard drive/partition?  If the drive/partition didn't  
mount properly it would appear to have 'disappeared' until you mount it.


On Feb 11, 2007, at 1:43 PM, Grant wrote:

On Sunday 11 February 2007 21:43, Grant wrote:
> The entire contents of my /home/grant/vmware folder have suddenly
> disappeared.

I've noticed that invoking vmware-console inadvertently creates an
empty "vmware" folder in my home directory.

Perhaps you've been bitten by this bug?

-A