system been hacked?


leeman_s
02-03-2003, 10:50 PM
All of a sudden one day, we weren't connected to DSL. PPP0 wasn't coming up because it said there were missing config files, although the files WERE there.

I run telnet and ftp on my machine. I looked at the logs, and there were 3 different IP addresses that used telnet on my machine, that I had NEVER seen before. Not one of my machines, or any other I know. And in sendmail, there were attempts to send messages to some yahoo mail address. I could see things that weren't sent, like the output of configuration programs, as if someone was trying to mail themself the information about my system.

I was unable to get ppp0 to come back up, so ended up reinstalling. Does this sound like I've been hacked?

sharth
02-03-2003, 10:58 PM
To me, sorta, but I've never used it before. What user was logged in over telnet? And you might have been able to check a .bash_history and see if anything showed up there.

However, it probably was a script kiddie, if anything, because from what you are saying, the logs weren't cleaned at all.

X_console
02-03-2003, 11:45 PM
Possibly. What I would do is to check my distribution's website and see if there are any security alerts that have been recently posted. If you find that one of the programs you're running is under that list, then it may have been the problem. It's hard to say for sure without further examination. You did the right thing by reinstalling though. You never know what else was changed unless you run something like tripwire.

HighOrbit
02-05-2003, 02:25 PM
Often a hacker will put a "root kit" on a machine that he has broken into. The root kit will create a hidden account for him and will generally replace the system admin tools with trojaned versions. This will cause commands like ps, or ls, or netstat to give false output (to hide his tracks). If you think a system has been compromised, you should check for the existence of a root kit.

There are several programs for detecting root kits. Do a google search for "detect rootkit", find something you trust, install it, and run it.

sharth
02-05-2003, 10:40 PM
It is odd. If it does turn out that you have been hacked, do a reverse lookup on the IP numbers and report them to the ISP.

DrFrankenstein
02-05-2003, 10:58 PM
Originally posted by sharth
It is odd. If it does turn out that you have been hacked, do a reverse lookup on the IP numbers and report them to the ISP.

If he's any good at hacking that won't be his real IP. He could have spoofed packets or bounced his IP off of several systems before even reaching yours. Although most shell accounts don't allow outgoing connections such as telnet or ssh. Anyway, my point being: don't rely on a visual route or reverse DNS lookup, because chances are you are only going to be able to trace it back to the last IP mask before he hit your system. If you're really intent on getting back at this guy then go ahead, because it's possible to trace it back, but like I said, if the guy is any good it will be extremely difficult.

sharth
02-06-2003, 08:00 PM
Originally posted by DrFrankenstein
If he's any good at hacking that won't be his real IP. He could have spoofed packets or bounced his IP off of several systems before even reaching yours.

Right, but I thought that if he was any good, he would delete the logs as well, so that there were no reasons to suspect being hacked. But alas, I dunno. Never been knowingly hacked before personally.

JohnT
02-06-2003, 08:12 PM
Chkrootkit V. 0.38

This program locally checks for signs of a rootkit.
chkrootkit is available at: http://www.chkrootkit.org/
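A check in the spirit of HighOrbit's point about trojaned ps and netstat and JohnT's chkrootkit pointer, added here as an illustration (it is not code from the thread or from chkrootkit): the kernel's /proc view is compared against what the possibly replaced tools report. The sample data is constructed, and the --live switch is this script's own assumption.

```shell
#!/bin/sh
# Added example (not from the thread, not chkrootkit's code). A trojaned ps or
# netstat lies about what is running, but /proc is served by the kernel and
# bypasses those binaries, so compare the two views and investigate any gap.

# hidden_pids PROC_LIST PS_LIST: PIDs listed in PROC_LIST but missing from PS_LIST.
hidden_pids() {
    p=$(mktemp); q=$(mktemp)
    sort "$1" > "$p"; sort "$2" > "$q"   # comm requires sorted input
    comm -23 "$p" "$q"                   # lines only in the first file
    rm -f "$p" "$q"
}

# listening_ports FILE: decimal local port of every LISTEN (state 0A) socket in
# a file laid out like /proc/net/tcp, i.e. what an honest netstat -lt would show.
listening_ports() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$1" |
    while read -r hexport; do echo $((0x$hexport)); done
}

# live_check: snapshot the running system. Processes that exit between the two
# snapshots can appear as false positives, so rerun before drawing conclusions;
# a PID that stays hidden deserves a look at /proc/PID/cmdline and /proc/PID/exe.
live_check() {
    a=$(mktemp); b=$(mktemp)
    ls /proc | grep -E '^[0-9]+$' > "$a"
    ps -e -o pid= | tr -d ' ' > "$b"
    echo "PIDs in /proc but not reported by ps:"; hidden_pids "$a" "$b"
    echo "TCP listeners per /proc/net/tcp:"; listening_ports /proc/net/tcp
    rm -f "$a" "$b"
}

# Constructed demo data: /proc knows PID 4242 but ps does not; telnet (23) and
# ftp (21) are listening, and one established connection should be ignored.
demo_proc=$(mktemp); demo_ps=$(mktemp); demo_tcp=$(mktemp)
printf '1\n2\n4242\n' > "$demo_proc"
printf '1\n2\n' > "$demo_ps"
printf '%s\n' \
  '  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode' \
  '   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1 1 0 100 0 0 10 0' \
  '   1: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2 1 0 100 0 0 10 0' \
  '   2: 0100007F:8A3C 0100007F:0017 01 00000000:00000000 00:00000000 00000000 0 0 3 1 0 100 0 0 10 0' \
  > "$demo_tcp"
hidden_pids "$demo_proc" "$demo_ps"   # 4242
listening_ports "$demo_tcp"           # 23 then 21
rm -f "$demo_proc" "$demo_ps" "$demo_tcp"
if [ "${1:-}" = "--live" ]; then live_check; fi   # sh check.sh --live on the real box
```

Any disagreement between the two views is a reason to boot clean media and compare binaries against the distribution's packages, not proof of a rootkit by itself.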

Null_Logik
02-07-2003, 10:15 AM
What strikes me as odd is why, if you were hacked, the attacker would kill your DSL setup; my only thought is that it was an accident. If it was an accident then the attacker probably isn't skilled, and you could prevent this in the future:
1) Use ssh instead of telnet; telnet has been hacked so many times it's just dangerous to use.
2) Watch for new vulnerabilities in the programs and services you run.
3) Install tripwire. Even if you don't detect the attack and initial compromise of the system, tripwire will alert you before the attacker can do any real damage to your system or network.
4) Install a decent firewall and block any ports serving to the internet except what you need (http, telnet or ssh, ftp).
5) Set up good permissions, esp. on critical directories, /var/log and any dir with system-critical programs, and on users and groups. I stress the permissions because, despite the fact that most exploits and found vulnerabilities target gaining root, if an attacker gets a low-level account he/she may be able to gain root at some point. Remember: give an attacker an inch and they will gain a mile.
6) If all else fails and you suspect you've been hacked, download and install a packet sniffer and sniff your computer's traffic. Don't do anything online, just let the sniffer sniff and look at the traffic; if the attacker is on your system you should see action coming from your computer. On that thought, you may be able to discover the attacker's real IP: most attackers aren't smart, and after they secure their presence on your system they will connect from their system with no man in the middle. Then try DrFrankenstein's advice. Also take JohnT's advice on Chkrootkit.
Wow, that was a long post, or at least it seemed long ;) . Cheers
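Null_Logik's step 5 as a repeatable check, added as an example that is not from the thread: it lists world-writable and setuid/setgid files under the directories you name, so you can keep the output and diff later runs against it. The demo tree and its file names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: the permission review in step 5 as a
# repeatable audit. Two things matter most to someone holding a low-level
# account: files anyone can write (configs, logs, scripts that root runs) and
# setuid-root binaries, the classic step from an unprivileged shell to root.

# world_writable DIR: files and directories under DIR that any user may modify.
# Symlinks are skipped (their mode is meaningless) and so are sticky-bit
# directories such as /tmp, which are expected to be world-writable.
world_writable() {
    find "$1" -perm -002 ! -type l ! \( -type d -perm -1000 \) 2>/dev/null | sort
}

# setuid_files DIR: regular files under DIR with the setuid or setgid bit set.
setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# audit DIR...: print both lists. Run as root over /etc /var/log /bin /sbin /usr
# right after install, keep the output, and diff each later run against it
# (tripwire automates the same idea with file hashes).
audit() {
    for d in "$@"; do
        echo "== world-writable under $d"; world_writable "$d"
        echo "== setuid/setgid under $d";  setuid_files "$d"
    done
}

# Constructed demo tree: one world-writable config, one setuid binary copy,
# one correctly protected config that must not be reported.
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/bin"
printf 'ok\n' > "$demo/etc/app.conf";   chmod 0666 "$demo/etc/app.conf"
printf 'ok\n' > "$demo/bin/tool";       chmod 4755 "$demo/bin/tool"
printf 'ok\n' > "$demo/etc/safe.conf";  chmod 0644 "$demo/etc/safe.conf"
audit "$demo"       # reports etc/app.conf and bin/tool only
rm -rf "$demo"
```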