My computer may have been compromised, what should I do?
- by InkBlend
A few weeks ago, my machine (lets call it "main") was logged into wirelessly from an unauthorized host, probably using ssh. I did not detect the intrusion until a few days ago, and my machine is completely shut down. I found the login using this line from last:
myusername pts/1 ipad Tue Oct 15 22:23 - 22:25 (00:02)
Needless to say, not only does no one in my family own an iPad, but almost none of my friends do, either. This makes me suspect that whoever was behind this changed the hostname of their machine.
Additionally, I discovered this line in the last output on another machine of mine ("secondary"):
myusername pts/2 :0 Tue Oct 15 22:23 - 22:23 (00:00)
This line coincides with the timestamp from main, which has password-less ssh access (through keys) to secondary. Is it possible that whoever broke in to main has also rooted secondary? How can I prevent this from happening again? Are there logs that I can look through to determine exactly how main was accessed (I am the only user on the system and have a very strong password)? Is it at all possible that this is just a weird bug that occurred? Should I, and where should I start looking for rootkits and/or keyloggers?
In short, what should I do?