was i hacked

Jonathan Ellis pluglist at plug.org
Fri May 2 23:29:14 MDT 2003


Uday wrote:
> What happened exactly was like this : On the 1st of May when I connected to
> the box through SSH from my home it gave me the bash prompt instead of my usual
> hostname prompt.  Second, there were no files in /var/log.  Next I rebooted the
> computer and even my sshd on the server did not start, and I had to rush to
> the location physically.
> 1. WAS I HACKED? IF YES HOW DO I KNOW WHICH WAY THE HACKER GOT IN?

Sounds like it.  It should be obvious though that doing a post mortem on 
a system where you did no advance prep (such as having syslog write to 
another machine) and the guy intended to cover his tracks isn't likely 
to turn much up.

> 2. After restoring the sendmail does not write logs to /var/log/maillog
> (though it is functioning) and similarly many log files boot.log, cron,
> messages, secure, spooler, are 0 bytes - The system is not writing logs to
> this file HOW? WHY?

Probably just a permissions thing.  But there are things called 
"root kits" where the normal utilities are replaced with versions that 
hide the presence of the kit but leave your system wide open.  You 
should wipe the install and start from scratch rather than trusting 
anything left behind.

-Jonathan
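An added triage script, not from the original thread or either poster, that does the two checks Jonathan's reply points at: find the log files that have been truncated to zero bytes, and verify installed binaries against the package database. It assumes the suspect disk has been mounted read-only under a path you pass as the first argument (after booting from clean media), so that only the analyst's own `find`, `awk` and `rpm` binaries run and nothing from the possibly rootkitted system is trusted. The `rpm -Va --root` form is standard RPM; the path and sample files in the test are constructed.

```shell
#!/bin/sh
# Offline triage of a suspect Linux filesystem mounted read-only at $1.
# Run from a clean boot (rescue CD, second machine with the disk attached):
# every tool used here is the analyst's, never one from the suspect disk.

# Print, sorted, every regular file under a directory that is zero bytes.
# On a live box a 0-byte /var/log/messages, secure, maillog etc. is either
# an intruder truncating logs or a restore that lost permissions; the
# timestamps (see stat_empty_logs) help tell the two apart.
find_empty_logs() {
    dir="$1"
    [ -d "$dir" ] || return 1
    find "$dir" -type f -size 0 | sort
}

# Number of zero-byte files, for a quick yes/no.
count_empty_logs() {
    find_empty_logs "$1" | wc -l | tr -d ' '
}

# Show modification time next to each empty log: many files truncated
# within the same minute looks like a cleanup script, not a config error.
stat_empty_logs() {
    find_empty_logs "$1" | while read -r f; do
        ls -l --time-style=+%Y-%m-%dT%H:%M:%S "$f" 2>/dev/null || ls -l "$f"
    done
}

# Verify package-owned files against the RPM database on the suspect disk
# (Red Hat style, which /var/log/secure and /var/log/maillog suggest).
# rpm -Va prints one line per changed file; a '5' in the flag field means
# the MD5 digest differs, 'S' means the size differs, and "missing" means
# the file is gone. Changed ls, ps, netstat, find, login, sshd are the
# classic rootkit pattern. Caveat: the rpm database itself lives on the
# suspect disk, so a careful intruder can have fixed it up too; a clean
# result does not prove anything, a dirty one is strong evidence.
verify_packages() {
    root="$1"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; verify binaries another way" >&2
        return 2
    fi
    rpm -Va --root "$root" 2>/dev/null |
        awk '($1 ~ /5|S/ || $1 == "missing") &&
             $NF ~ /^\/(usr\/)?s?bin\/|^\/usr\/lib/'
}

# Top-level report for a mounted image; does nothing when no path is given
# so the functions above can be sourced and used individually.
triage() {
    root="$1"
    echo "== zero-byte files under $root/var/log: $(count_empty_logs "$root/var/log")"
    stat_empty_logs "$root/var/log"
    echo "== package-owned files that no longer match (rpm -Va):"
    verify_packages "$root"
}

if [ $# -ge 1 ]; then
    triage "$1"
fi
```

Usage: `sh triage.sh /mnt/suspect` with the disk mounted `-o ro,noexec`. Whatever it reports, the conclusion Jonathan gives still holds: the output is evidence for the timeline and for how the intruder got in, not a reason to keep the install.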
