
Re: [K12OSN] I got hacked.........



Also, it's very likely that your system was compromised before you decided
to disable telnet rather than implying that ssh was the cause of the
break-in.

Regardless, I would pull the machine from the network and reload to a new
drive.  You can mount the old drive in another system off the network
later to try and figure out what happened.  Definitely disable telnet
before putting the new install back on your network.  Also, is your LTSP
box directly accessible via the internet?  If so, you may want to
investigate a firewall (be it a commercial product, or a linux or BSD
box).  My personal preference for a custom firewall is OpenBSD.

As Jim pointed out, nearly all of the utilities that you would use to look
around on the current system have likely been compromised.  Also, it's
very likely that other machines on your network have been compromised if
this one has been for any length of time (and potentially sniffing your
network traffic).

Definitely reload from scratch rather than from backup, as you've likely
been backing up your compromised system for a while.  Finding a known good
backup may be difficult (unless you've got a backup from before the
machine was put on the network).

There are some other things you can look at to help prevent, or at least
notify you, when you get hacked.  Tripwire (www.tripwire.org) may be worth
a look.

There are some fairly good books on the topic, a quick search on
amazon.com would probably prove helpful.

Jeff


On Tue, 9 Apr 2002 jam McQuil com wrote:

> Michael,
>
> Cleaning up after a break-in is very difficult.  They've
> probably replaced many of the utilities that you are using
> to look around.  Things like ps, netstat, ls, ifconfig,
> lsmod and many more are probably NOT the original versions.
> They replace them, to hide processes that may be running.
> Those processes are probably logging your keystrokes
> or sniffing your network and finding passwords.
>
> Time to buy another hard disk, and reload Linux on it.
>
> Then, take the disk that has the compromised OS on it, and
> mount that as an additional filesystem, so you can go looking
> around and learn what they've done.
>
> Make sure you stay current with patches on the new disk, to
> prevent another break-in.
>
>
> Jim McQuillan
> jam Ltsp org
>
> On Tue, 9 Apr 2002, Michael Cortes wrote:
>
> > It would appear that someone used SSH to get into my system.  I decided to
> > install sshd and stop telnet'ing because of the security risk, and as soon as I did
> > it, someone got in.
> >
> > Anyhow, here is what I suspect so far:
> >
> > 1. when they got in, they created the user "cgi"
> > 2. they added "unset HISTFILE" and "unset HISTSAVE" to the root's
> > .bash_profile.  This caused root to not save the history so I couldn't see
> > what was run as root.
> > 3. logging is not happening.  I have checked my log files and the last entries
> > are about the time I first detected the break-in.
> >
> > So my questions are:
> >
> > Did I do right by deleting the cgi user?  Was this user necessary?
> > How do I turn logging back on?  I have no idea where to look.
> > What is a good/quick way to tell which users have no password set?
> >
> > Thank you,
> >
> >
> >
> >
> > Michael Cortes
> > Fort LeBoeuf School District
> > 34 East 9th Street
> > PO Box 810
> > Waterford PA 16411-0810
> > 814.796.4795
> > Fax1 814.796.3358
> > Fax2 978-389-1258
> >
> >
> >
> > _______________________________________________
> > K12OSN mailing list
> > K12OSN redhat com
> > https://listman.redhat.com/mailman/listinfo/k12osn
> > For more info see <http://www.k12os.org>
> >
>
>
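Michael asks how to tell which users have no password set. As an added example, not code from anyone in this thread, the POSIX shell script below is meant to be run from the clean system against the old disk once it is mounted (the path /mnt/old is an assumption), so it uses the clean system's awk rather than any binary on the compromised install. It checks a shadow- or passwd-format file for entries with an empty password field and a passwd file for extra UID 0 accounts; the sample files it creates are constructed, and giving "cgi" UID 0 in them is only for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find accounts with no password and
# accounts other than root with UID 0, reading copies of /etc/passwd and
# /etc/shadow from a mounted, compromised disk (assumed at /mnt/old) using
# the clean system's own awk.

# empty_password_users FILE
# Print every username whose second field (the hashed password) is empty.
# "*" or "!" in that field means the account is locked, not passwordless,
# so those are not reported. Works for /etc/shadow and for an old-style
# /etc/passwd that still carries hashes ("x" there means "see shadow").
empty_password_users() {
    awk -F: '$1 != "" && $2 == "" { print $1 }' "$1"
}

# extra_uid0_users PASSWDFILE
# Print every account besides root whose UID (third field) is 0.
extra_uid0_users() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Constructed sample files (not real data) so the script runs offline.
# The thread does not say what UID "cgi" had; UID 0 here is illustrative.
make_sample_shadow() {
    cat > "$1" <<'EOF'
root:$1$abcdefgh$constructedhashvalue0123456789:11786:0:99999:7:::
bin:*:11786:0:99999:7:::
cgi::11786:0:99999:7:::
mcortes:$1$ijklmnop$anotherconstructedhashvalue99:11786:0:99999:7:::
lp:!:11786:0:99999:7:::
EOF
}

make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
cgi:x:0:0::/home/cgi:/bin/bash
mcortes:x:500:500:Michael Cortes:/home/mcortes:/bin/bash
EOF
}

# Usage against the samples; on a real system point the two functions at
# /mnt/old/etc/shadow and /mnt/old/etc/passwd instead.
s=$(mktemp); p=$(mktemp)
make_sample_shadow "$s"; make_sample_passwd "$p"
echo "accounts with an empty password field:"; empty_password_users "$s"
echo "non-root accounts with UID 0:"; extra_uid0_users "$p"
rm -f "$s" "$p"
```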