On Fri, Nov 12, 1999 at 09:22:54PM +0200, Daniel Mashao wrote:
> I am getting emails from some fool saying 
>       Ifwewerehackerswedownyourdumbass
> which means "If we were hackers we down your dumb ass"
>[...]
> Any advice for me?

Physically disconnect the box from the network.  Reinstall all the
binaries that are supposed to be there from CDROM, and seriously
consider deleting any executable that can't be traced to a Debian
package and that you don't remember installing.  One way to do this
would be "find / -type f -perm +111 -exec dpkg --search {} \;" --
files that belong to a package will be printed like:

        bash: /bin/rbash
    [package] [filename]

and ones which don't will get something like:

        dpkg: /bin/getopt not found
        
Remove any suspicious looking accounts from /etc/passwd and
/etc/shadow along with any files owned by those accounts, and make
sure all that remain either have a password or an asterisk in the
second field of the shadow password file.

Edit all unnecessary/mysterious services out of /etc/inetd.conf.
Change all your passwords.

Reboot the machine.  Consider setting up a tight firewall with
either ipfwadm or ipchains (for kernels 2.0.* and 2.2.*,
respectively).

I'm probably forgetting lots of things.

> Any boffins out there may want to know that the logins seem to come from
> 195.146.109.166. When I telnet this address I just get logged in. 

------------------------------------------------
barf=>~% whois -h whois.ripe.net 195.146.109.166

% Rights restricted by copyright. See
% http://www.ripe.net/db/dbcopyright.html

inetnum:     195.146.109.128 - 195.146.109.255
netname:     ISS-NET
descr:       ISS Computers s.r.o.
descr:       Usti nad Orlici
country:     CZ
admin-c:     VM140-RIPE
tech-c:      VM140-RIPE
status:      ASSIGNED PA
changed:     [EMAIL PROTECTED] 19990604
source:      RIPE

route:       195.146.96.0/19
descr:       Aggregate for CZ-MOPOS-970908
origin:      AS6740
mnt-by:      CZCOM-MNT
changed:     [EMAIL PROTECTED] 19990125
source:      RIPE

person:      Viktor Mutinsky
address:     ISS Computers s.r.o.
address:     Csl. armady 1181
address:     Usti nas Orlici
address:     562 15
address:     The Czech Republic
phone:       +420 465 523769
fax-no:      +420 465 523769
nic-hdl:     VM140-RIPE
changed:     [EMAIL PROTECTED] 19970802
source:      RIPE
------------------------------------------------

You might want to try talking to [EMAIL PROTECTED] or
[EMAIL PROTECTED] the IP could have been forged.

Good luck,
-Kevin
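
Added example (not part of Kevin's message): the find/dpkg sweep from the reply, written as a shell function that compares executables against dpkg's per-package file lists in /var/lib/dpkg/info in one pass instead of running dpkg --search once per file. The function name and its ROOT argument are this example's own; ROOT lets the check run from rescue media against a mounted copy of the suspect disk.

```shell
#!/bin/sh
# List executables under ROOT that no installed Debian package claims.
# ROOT is "/" for the running system, or the mount point of the suspect
# disk, so that the suspect system's own find and dpkg are not relied on.
# unpackaged_executables is a name made up for this example.

unpackaged_executables() {
    root=${1%/}                     # "/" becomes "", "/mnt/" becomes "/mnt"
    info="$root/var/lib/dpkg/info"  # one <package>.list per installed package
    [ -d "$info" ] || { echo "no dpkg database under ${root:-/}" >&2; return 2; }

    owned=$(mktemp) || return 2
    found=$(mktemp) || { rm -f "$owned"; return 2; }

    # Every path dpkg installed, one per line, sorted for comm(1).
    cat "$info"/*.list 2>/dev/null | LC_ALL=C sort -u > "$owned"

    # Regular files with any execute bit set. "-perm /111" is the current
    # GNU find spelling of the older "-perm +111". Pseudo-filesystems are
    # pruned. Paths are reported relative to ROOT so they match the lists.
    find "${root:-/}" \
        \( -path "$root/proc" -o -path "$root/sys" -o -path "$root/dev" \) -prune \
        -o -type f -perm /111 -print |
        sed "s|^$root||" | LC_ALL=C sort -u > "$found"

    # Lines present only in $found: executable, but in no package file list.
    LC_ALL=C comm -13 "$owned" "$found"
    rm -f "$owned" "$found"
}
```

Call it as `unpackaged_executables /` or `unpackaged_executables /mnt`. On systems where /bin is a symlink to /usr/bin, package lists may still record the /bin path, so such files can show up in the output and need a second look before being treated as foreign.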
