[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] I got hacked.........



Michael,

Cleaning up after a break-in is very difficult.  They've
probably replaced many of the utilities that you are using
to look around.  Things like ps, netstat, ls, ifconfig,
lsmod and many more are probably NOT the original versions.
They replace them, to hide processes that may be running.
Those processes are probably logging your keystrokes
or sniffing your network and finding passwords.

Time to buy another hard disk, and reload Linux on it.

Then, take the disk that has the comprimized OS on it, and
mount that as an additional filesystem, so you can go looking
around and learn what they've done.

Make sure you stay current with patches on the new disk, to 
prevent another break-in.


Jim McQuillan
jam Ltsp org

On Tue, 9 Apr 2002, Michael Cortes wrote:

> It would appear that someone used SSH to get into my system.  I decided to 
> install sshd and stop telnet'ing because of the security risk, as soon as I do 
> it, someone got in.
> 
> Anyhow, here is what I suspect so far:
> 
> 1. when they got in, they created the user "cgi"
> 2. they added "unset HISTFILE" and "unset HISTSAVE" to the root's 
> .bash_profile.  This casused root to not save the history so I couldn't see 
> what was run as root.
> 3. logging is not happening.  I have checked my log files and the last entries 
> are about the time I first detected the break in. 
> 
> So my questions are:
> 
> Did I do right by deleting the cgi user?  Was this user necessary?
> How do I turn on logging back on?  I have no idea where to look.
> What is a good/quick way to tell which users have no password set?
> 
> Thank you,
> 
> 
> 
> 
> Michael Cortes
> Fort LeBoeuf School District
> 34 East 9th Street
> PO Box 810
> Waterford PA 16411-0810
> 814.796.4795
> Fax1 814.796.3358
> Fax2 978-389-1258
> 
> 
> 
> _______________________________________________
> K12OSN mailing list
> K12OSN redhat com
> https://listman.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
> 

-- 





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]