
Re: [K12OSN] I got hacked.........


'Best practices' dictates that you format and reinstall the box. Backup important data and config files first, of course.

In my experience, trying to kick a hacker off a box once it has been rooted is risky at best. I've done it _once_ successfully, and a couple of times unsuccessfully. ;-)

Have fun.


Michael Cortes wrote:
It would appear that someone used SSH to get into my system. I decided to install sshd and stop telnet'ing because of the security risk. As soon as I did it, someone got in.

Anyhow, here is what I suspect so far:

1. when they got in, they created the user "cgi"
2. they added "unset HISTFILE" and "unset HISTSAVE" to root's .bash_profile. This caused root to not save the history so I couldn't see what was run as root.
3. logging is not happening. I have checked my log files and the last entries are about the time I first detected the break in.

So my questions are:

Did I do right by deleting the cgi user?  Was this user necessary?
How do I turn logging back on?  I have no idea where to look.
What is a good/quick way to tell which users have no password set?

Thank you,

Michael Cortes
Fort LeBoeuf School District
34 East 9th Street
PO Box 810
Waterford PA 16411-0810
814.796.4795
Fax1 814.796.3358
Fax2 978-389-1258

K12OSN mailing list
K12OSN redhat com
For more info see <http://www.k12os.org>

David L. Parsley
Network Administrator, Roanoke College
"If I have seen further it is by standing on ye shoulders of Giants."
--Isaac Newton
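
The symptoms listed in the quoted message (a new account, history disabled in root's profile, logs gone quiet) and the question about accounts with no password can be checked with a few small shell functions. This is an added example, not part of either poster's message; the function names, the constructed sample files and the 60-minute threshold are assumptions.

```shell
#!/bin/sh
# Added triage sketch; run as root against the live files or copies of them.

# Accounts with an empty password field in a shadow-format file.
empty_password_users() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts in passwd file $1 that are absent from known-good copy $2.
new_accounts() {
    awk -F: 'NR == FNR { known[$1]; next } !($1 in known) { print $1 }' "$2" "$1"
}

# Startup-file lines that switch off shell history (unset HIST*, HISTFILE=/dev/null).
history_tampering() {
    grep -nE '^[[:space:]]*(unset[[:space:]]+HIST|HISTFILE=/dev/null)' "$1"
}

# True if log file $1 has not been modified in the last $2 minutes.
log_is_stale() {
    [ -n "$(find "$1" -mmin +"$2" 2>/dev/null)" ]
}

# Constructed sample files mirroring the symptoms in the message.
make_samples() {
    printf '%s\n' 'root:$1$constructed$hash:12000:0:99999:7:::' \
        'teacher1:!!:12000:0:99999:7:::' 'cgi::12000:0:99999:7:::' > "$1/shadow"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'teacher1:x:500:500::/home/teacher1:/bin/bash' > "$1/passwd.baseline"
    cp "$1/passwd.baseline" "$1/passwd"
    echo 'cgi:x:501:501::/home/cgi:/bin/bash' >> "$1/passwd"
    printf '%s\n' 'PATH=$PATH:$HOME/bin' 'unset HISTFILE' 'unset HISTSAVE' \
        > "$1/bash_profile"
    touch -t 200301010000 "$1/messages"   # constructed log, last written long ago
}

samples=$(mktemp -d)
make_samples "$samples"
echo "No password set:  $(empty_password_users "$samples/shadow")"
echo "Not in baseline:  $(new_accounts "$samples/passwd" "$samples/passwd.baseline")"
echo "History disabled:"; history_tampering "$samples/bash_profile"
log_is_stale "$samples/messages" 60 && echo "Log has gone quiet: messages"
rm -rf "$samples"
```

On a real system the inputs would typically be `/etc/shadow`, `/etc/passwd` compared against a copy from backup, `/root/.bash_profile` and `/var/log/messages`. Since the box has been rooted, its own binaries cannot be trusted, so the checks are better run from rescue media against the mounted disk.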
