My computer may have been compromised, what should I do?
A few weeks ago, my machine (let's call it "main") was logged into wirelessly from an unauthorized host, probably using ssh. I did not detect the intrusion until a few days ago, and my machine is completely shut down. I found the login using this line from last:
myusername pts/1 ipad Tue Oct 15 22:23 - 22:25 (00:02)
Needless to say, not only does no one in my family own an iPad, but almost none of my friends do, either. This makes me suspect that whoever was behind this changed the hostname of their machine.
Additionally, I discovered this line in the last output on another machine of mine ("secondary"):
myusername pts/2 :0 Tue Oct 15 22:23 - 22:23 (00:00)
This line coincides with the timestamp from main, which has password-less ssh access (through keys) to secondary. Is it possible that whoever broke into main has also rooted secondary? How can I prevent this from happening again? Are there logs that I can look through to determine exactly how main was accessed (I am the only user on the system and have a very strong password)? Is it at all possible that this is just a weird bug that occurred? Should I start looking for rootkits and/or keyloggers, and if so, where?
In short, what should I do?
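One way to work through the two last outputs in the question systematically, as an added example that is not part of the original post: parse the records, flag sessions from hosts you do not recognise, and look for sessions on the two machines that started within the same couple of minutes (the pattern the question describes). The sample lines below are constructed around the two quoted in the question, and the year (which last omits) is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed `last` output: the two lines from the question plus benign ones for contrast.
LAST_MAIN = """\
myusername pts/1 ipad Tue Oct 15 22:23 - 22:25 (00:02)
myusername pts/0 192.168.1.20 Mon Oct 14 19:02 - 20:10 (01:08)
"""
LAST_SECONDARY = """\
myusername pts/2 :0 Tue Oct 15 22:23 - 22:23 (00:00)
myusername tty7 :0 Mon Oct 14 18:00 - 23:59 (05:59)
"""
ASSUMED_YEAR = 2013  # `last` prints no year; assumed here for parsing

LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<start>\w{3} \w{3} +\d{1,2} \d{2}:\d{2})\s+-\s+(?P<end>\S+)"
)

def parse_last(text, year=ASSUMED_YEAR):
    """Turn `last`-style lines into dicts with a real datetime for the session start."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip 'wtmp begins ...' trailers and blank lines
        start = datetime.strptime(f"{m['start']} {year}", "%a %b %d %H:%M %Y")
        sessions.append({"user": m["user"], "tty": m["tty"], "host": m["host"], "start": start})
    return sessions

def unexpected_hosts(sessions, allowlist):
    """Sessions whose origin is neither the local display (:0) nor a host you recognise."""
    return [s for s in sessions if s["host"] != ":0" and s["host"] not in allowlist]

def correlate(sessions_a, sessions_b, window=timedelta(minutes=2)):
    """Pairs of sessions on two machines that began within `window` of each other."""
    return [(a, b) for a in sessions_a for b in sessions_b
            if abs(a["start"] - b["start"]) <= window]

if __name__ == "__main__":
    main_s, sec_s = parse_last(LAST_MAIN), parse_last(LAST_SECONDARY)
    for s in unexpected_hosts(main_s, {"192.168.1.20"}):
        print("unrecognised origin on main:", s["host"], s["start"])
    for a, b in correlate(main_s, sec_s):
        print("co-occurring sessions:", a["tty"], a["host"], "<->", b["tty"], b["host"], a["start"])
```

On a real system, run the same logic against the full wtmp (last -F prints the year, and last -f /var/log/wtmp.1 reaches rotated files) and compare it with /var/log/auth.log, which records the ssh authentication method for each login.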
As for the possible hard disk hack:
- Re-flash your BIOS
- Buy a new, minimal USB stick. Boot from that.
- Use full-disk encryption for /.
- The usual "change all logins" routine.
That should cover any possible hard disk exploit scenario.
What really worries me, though, are the anti-theft and management features added to several recent motherboards. Some hardware vendors give the user the option of permanently disabling these features, while some... do not.
I recommend you check whether your motherboard has these remote management features and (if possible) whether they have been activated. Imagine if the remote attacker got his hands on hardware-based remote management capability...