Two processes named gksu and two processes named su-to-root appeared in my system monitor. Is my computer owned? How can I be sure, and if this is true, how can I rip out the intruder without a full system reinstall?
Where and which logs should I check, and what exactly should I be looking for?
I use Firestarter, but the events logger appears empty(?)... which is another bad sign...
Thanks so much for any help.
Ubuntu 11.10
EDIT:
I forgot to mention an SH process running too.
My 50-default.conf:
....
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
#user.* -/var/log/user.log
...
AND THE SH PROCESS KEEPS BEING REBORN!!
I'll put my last comment as an answer:
Unless we're talking about a server with a static IP address which is visible from the internet, in most cases people connect to the internet via an ADSL modem (either via wi-fi or with a LAN cable). In this case it is the modem which will have an "external" IP address; your computer will have a "local" address like 10.1.1.1 etc. In this case it's impossible to connect to your computer from the outside world unless you configured your modem to forward certain types of packets to a certain address in your internal network.
So, unless you have a "real" IP address, the only practical possibility to get "owned" is to download something yourself, start it and give it your root password. Or, less likely, to visit a malicious website which would exploit a not-yet-patched vulnerability in your web browser, a browser plugin or something similar.
So I think in this case the processes you saw were Firestarter asking you for your password.
Regarding the problem with Firestarter not writing logs - please have a look at this question
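The two checks below are an added example, not code from the question or the answer: they show how to verify the answer's explanation on the machine itself, by walking the parent chain of every gksu / su-to-root / sh process and by summarising the privilege-related events in /var/log/auth.log (the file the 50-default.conf excerpt routes the auth facility to). The process table and the log lines embedded in the script are constructed samples in the format of `ps -eo pid,ppid,comm,args` and of Ubuntu 11.10's auth.log; the host name "host", the user name "user", the PIDs and the 192.0.2.10 address are made up, and the launcher chain (su-to-root → gksu → sh) is modelled on what the answer describes, not taken from the asker's system.

```shell
#!/bin/sh
# Added triage example (not from the question or the answer above).
# 1. ancestry / report_matching: show who spawned each gksu, su-to-root or sh
#    process, so a password prompt started from a menu launcher can be told
#    apart from one with no sensible parent.
# 2. auth_summary: list su sessions, sudo commands and SSH logins from auth.log.
# Both inputs below are CONSTRUCTED samples; see the usage note for live data.

# Constructed `ps -eo pid,ppid,comm,args` output modelling the chain the answer
# describes: the Firestarter menu entry runs su-to-root, which runs gksu, which
# runs a shell for the command. PIDs are made up.
PS_SAMPLE='  PID  PPID COMMAND COMMAND
    1     0 init /sbin/init
 1234     1 gnome-session gnome-session
 2345  1234 su-to-root /bin/sh /usr/bin/su-to-root -X -c /usr/sbin/firestarter
 2346  2345 gksu /usr/bin/gksu -u root /usr/sbin/firestarter
 2347  2346 sh sh -c /usr/sbin/firestarter'

# Constructed /var/log/auth.log lines in syslog format: a su session (what gksu
# in su mode produces), a sudo command, a failed and an accepted SSH login.
# "host", "user" and 192.0.2.10 (documentation range) are placeholders.
AUTH_SAMPLE='Nov 12 10:01:02 host su[2346]: Successful su for root by user
Nov 12 10:01:02 host su[2346]: + /dev/pts/0 user:root
Nov 12 10:01:02 host su[2346]: pam_unix(su:session): session opened for user root by user(uid=1000)
Nov 12 10:03:15 host sudo:     user : TTY=unknown ; PWD=/home/user ; USER=root ; COMMAND=/usr/sbin/firestarter
Nov 12 10:05:44 host sshd[3001]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Nov 12 10:06:01 host sshd[3002]: Accepted password for user from 192.0.2.10 port 51300 ssh2'

# The functions read these two variables; set them in the environment to use live data.
: "${PS_TABLE:=$PS_SAMPLE}"
: "${AUTH_LOG:=$AUTH_SAMPLE}"

# ancestry PID: print "comm(pid) <- parent(ppid) <- ... <- init(1)" by following
# PPID links in $PS_TABLE. Stops at PID 1 or at a PID missing from the table.
ancestry() {
    printf '%s\n' "$PS_TABLE" | awk -v start="$1" '
        NR > 1 { ppid[$1] = $2; comm[$1] = $3 }   # column 3 is comm (no spaces)
        END {
            pid = start; out = ""
            while (pid in comm) {
                out = out (out == "" ? "" : " <- ") comm[pid] "(" pid ")"
                if (pid == 1) break
                pid = ppid[pid]
            }
            print out
        }'
}

# report_matching REGEX: one ancestry line per process whose comm matches REGEX.
report_matching() {
    printf '%s\n' "$PS_TABLE" | awk -v pat="$1" 'NR > 1 && $3 ~ pat { print $1 }' |
    while read -r pid; do ancestry "$pid"; done
}

# auth_summary: one "Mon DD HH:MM:SS kind" line per privilege-related auth.log event.
auth_summary() {
    printf '%s\n' "$AUTH_LOG" | awk '
        /su\[[0-9]+\]: pam_unix\(su:session\): session opened/ { kind = "su-session" }
        /sudo:/ && /COMMAND=/                                   { kind = "sudo-command" }
        /sshd\[[0-9]+\]: Failed password/                        { kind = "ssh-failed" }
        /sshd\[[0-9]+\]: Accepted/                               { kind = "ssh-login" }
        kind != "" { print $1, $2, $3, kind; kind = "" }'
}

# Stand-alone run: chains for every gksu / su-to-root / sh process, then the auth events.
report_matching '^(gksu|su-to-root|sh)$'
auth_summary
```

To run it against the real machine instead of the samples, export the live data first, e.g. `PS_TABLE="$(ps -eo pid,ppid,comm,args)" AUTH_LOG="$(cat /var/log/auth.log)" sh triage.sh` (auth.log is readable by root and members of the adm group). What you want to see is the benign pattern from the answer: each sh hangs off a gksu, which hangs off su-to-root, which hangs off your desktop session or a launcher, and auth.log shows a su session or sudo command at the moment you launched Firestarter. A gksu or sh whose ancestor is a binary you do not recognise, or an "Accepted" sshd line from an address you do not know, is what would contradict the answer's NAT argument and deserves a closer look.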