[K12OSN] I got hacked.........

It would appear that someone used SSH to get into my system.  I decided to 
install sshd and stop telnet'ing because of the security risk. As soon as I 
did it, someone got in.

Anyhow, here is what I suspect so far:

1. When they got in, they created the user "cgi".
2. They added "unset HISTFILE" and "unset HISTSAVE" to root's 
.bash_profile.  This caused root to not save the history, so I couldn't see 
what was run as root.
3. Logging is not happening.  I have checked my log files and the last entries 
are from about the time I first detected the break-in. 

So my questions are:

Did I do right by deleting the cgi user?  Was this user necessary?
How do I turn logging back on?  I have no idea where to look.
What is a good/quick way to tell which users have no password set?

Thank you,

Michael Cortes
Fort LeBoeuf School District
34 East 9th Street
PO Box 810
Waterford PA 16411-0810
Fax1 814.796.3358
Fax2 978-389-1258
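
The three observations in the post (an account with no password, history disabled in root's .bash_profile, logs that stopped being written) can each be checked read-only from the shell. The script below is an added example, not part of the original message; the function names are hypothetical and the sample files are constructed, assuming the standard colon-separated shadow format.

```shell
#!/bin/sh
# Added example: read-only triage checks. Paths are arguments, so the checks
# can run on copies or a mounted image instead of the live /etc and /var/log.

# Accounts whose shadow password field (field 2) is empty: no password needed.
# "*" or "!" in that field means locked, which is not the same thing.
empty_password_users() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# file:line:text for startup-file lines that switch shell history off.
# /dev/null is appended so grep always prints the file name.
history_tampering() {
    grep -nE 'unset[[:space:]]+HIST|HIST(FILE|SIZE|FILESIZE)=(/dev/null|0)?[[:space:]]*$' \
        "$@" /dev/null 2>/dev/null
}

# Log files with no write in the last N minutes (find -mmin: GNU/BSD find).
stale_logs() {
    mins=$1; shift
    find "$@" -type f -mmin +"$mins" 2>/dev/null
}

# Constructed sample files modelled on the post; not real system data.
make_sample() {
    s=$(mktemp -d) || return 1
    printf '%s\n' 'root:$6$constructed$hash:19000:0:99999:7:::' \
        'cgi::19000:0:99999:7:::' 'daemon:*:19000:0:99999:7:::' > "$s/shadow"
    printf '%s\n' 'export PATH' 'unset HISTFILE' 'unset HISTSAVE' \
        'HISTSIZE=1000' > "$s/bash_profile"
    : > "$s/messages" && touch -t 200001010000 "$s/messages"
    echo "$s"
}

# Demo on the sample; on a real host pass /etc/shadow, /root/.bash_profile
# and the files under /var/log (as root).
demo=$(make_sample)
echo "No password set:";  empty_password_users "$demo/shadow"
echo "History disabled:"; history_tampering "$demo/bash_profile"
echo "Logs gone quiet:";  stale_logs 60 "$demo/messages"
rm -rf "$demo"
```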
