epike on Wed, 16 Jan 2002 00:10:18 +0100



Re: [PLUG] Hacked linux server


We were in a similar situation last year on a friend's home
computer on cable ... hacked just within 2 days of install.

We were trying to look at the logs at /var/log/messages,
/var/log/secure, /var/log/xferlog, etc., but we couldn't
find them!  He'd erased the _entire_ /var directory.

We were able to view his last activities via the root
SHELL HISTORY. Apparently there were still some left
in the command buffer after he nuked the filesystems (left in
the buffer, so his last 5 or so commands were "pico",
"rm -r" and some such). After comparing with a reference
install we figured he got in by a patched /bin/login
and got that in by wu-ftpd...

So anyhow I guess this wouldn't help you much... anyway, just
in case, maybe he still has some trace in .bash_history.

Also, I started configuring TRIPWIRE after that... it won't
really stop it, but it's a great intrusion detector.

JondZ


> So, I run a RedHat Linux 7.1 server for our Web, FTP and DNS services.
> I've got each of those ports open through our firewall, in addition to
> SSH for me to manage it.  I was having some problems the other day and
> rebooted it (yes, the Windows mentality).  It failed to come up cleanly.
> I found later when I logged in, the commands netstat, ls, and ps were
> not working at all.  Grabbed copies from another 7.1 server and found
> bizarre things on my system.  Went for the chkrootkit floppy and found
> that I had been hit by something.  Now I've got some questions (and a
> lot of work ahead of me).
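Both posts above come down to the same check: comparing the binaries on a box (ls, ps, netstat, /bin/login) against a known-good reference so that a replaced file stands out. The following is an added example, not code from either poster and far simpler than Tripwire; it records mode, size and SHA-256 for a set of paths and reports anything that changed, using a constructed temporary directory in place of real system binaries. In practice the baseline must be taken from a clean install and kept off the machine, since an intruder who has erased /var can just as easily rewrite a baseline stored locally.

```python
import hashlib
import os
import stat
import tempfile

def fingerprint(path):
    """Return (mode, size, sha256) for a file, or None if it is missing."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return (stat.S_IMODE(st.st_mode), st.st_size, digest)

def build_baseline(paths):
    """Snapshot the files; on a real host keep this read-only and off the box."""
    return {p: fingerprint(p) for p in paths}

def compare(baseline, paths):
    """Report each file whose mode, size or content differs from the baseline."""
    findings = {}
    for p in paths:
        before, now = baseline.get(p), fingerprint(p)
        if before == now:
            continue
        if now is None:
            findings[p] = "missing"
        elif before is None:
            findings[p] = "added"
        elif before[2] != now[2]:
            findings[p] = "content changed"
        else:
            findings[p] = "metadata changed"
    return findings

def demo():
    """Constructed scenario: three 'binaries', then one removed and one replaced."""
    with tempfile.TemporaryDirectory() as root:
        paths = [os.path.join(root, n) for n in ("ls", "ps", "netstat")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"original binary for " + os.path.basename(p).encode())
        baseline = build_baseline(paths)
        os.remove(paths[1])  # ps deleted, like the wiped /var in the story
        with open(paths[2], "wb") as f:  # netstat swapped for a same-size file
            f.write(b"trojaned binary for netstat")
        # a size-only check would miss netstat; the hash does not
        return {os.path.basename(p): v for p, v in compare(baseline, paths).items()}
```

Running `demo()` returns `{'ps': 'missing', 'netstat': 'content changed'}`; an unchanged ls produces no finding.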


______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug