IIRC, he's intentionally leaving the box connected as he is looking for more
information on the people that did it.

Jamin W. Collins
-----Original Message-----
From: Jason Costomiris [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 21, 2000 6:15 AM
To: [EMAIL PROTECTED]
Subject: Re: More hacked server questions

On Wed, Sep 20, 2000 at 02:07:45PM -0500, Kerry Miller wrote:
: I've been tinkering with that server a little, got the logging working (at
: least partially) and have gotten a lot of interesting IP addresses in the
: log.  I'm tightening it up to stop them from hacking other people's systems
: with it, and I don't even begin to know where to look for any software they
: may have installed yet (other than their porn web server).

Well, for starters, TAKE IT OFF THE NETWORK!  Don't examine a hacked
machine with it on the network.  You're still giving them a jump-off
point.  Most likely the machine was rootkitted, and unless you've
"de-kitted" it, which is certainly not an exact science, you are most
likely still able to be connected to.  If you must have the machine
networked, do it on a private, firewalled LAN.

: I restarted the syslog and they rebooted the machine this morning (it's
: 1500 miles away...) and the messages file is working but I'm still not
: getting any entries in /var/log/secure, it's just a zero-length file.  The
: syslogd.conf file looks the same as mine so I guess it's ok.  Any ideas how
: to get secure working?

They replaced your syslogd with a trojaned one that doesn't log anything.

--
Jason Costomiris <><           |  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/
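The two symptoms in this thread (a zero-length /var/log/secure and a suspected trojaned syslogd) are the kind of thing a quick triage script can surface before anyone trusts the box again. The script below is an added example, not code from the list or from either poster. It assumes a Red Hat style host with `rpm` and `sha256sum` available, uses `/sbin/syslogd` and the usual /var/log paths as illustrative defaults, and takes the known-good hash from the caller (it should be recorded from install media or a trusted host, since the RPM database on a compromised machine can itself have been edited). Run it on the machine after it has been taken off the network, as the reply above advises.

```shell
#!/bin/sh
# Added triage helper (not from the thread): flags empty or missing log files
# and checks whether the syslog daemon binary still matches its package.

# check_logs PATH...  Prints MISSING/EMPTY for each problem file.
# Returns 0 only if every listed file exists and is non-empty.
check_logs() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING: $f"; rc=1
        elif [ ! -s "$f" ]; then
            echo "EMPTY:   $f"; rc=1
        fi
    done
    return $rc
}

# verify_binary PATH  Finds the owning package and runs rpm -V on it.
# Returns 0 when rpm reports nothing changed, 1 when the file is unpackaged
# or differs (size, md5, mode, owner, mtime), 2 when rpm is not installed.
# Caveat: a rootkit may have altered the RPM database too, so treat a clean
# result as one data point, not proof.
verify_binary() {
    bin=$1
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available; skipping $bin"; return 2; }
    pkg=$(rpm -qf "$bin" 2>/dev/null) || { echo "NOT PACKAGED: $bin"; return 1; }
    out=$(rpm -V "$pkg" || true)
    if [ -n "$out" ]; then
        echo "$pkg differs from package database:"
        echo "$out"
        return 1
    fi
    echo "$pkg verifies clean"
    return 0
}

# hash_matches PATH EXPECTED_SHA256  Compares a file against a baseline hash
# taken from a trusted source (install media, a clean host of the same release).
hash_matches() {
    file=$1; expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Default triage run over the files this thread is about. The paths and the
# placeholder baseline hash are illustrative; replace them with your own.
main() {
    check_logs /var/log/messages /var/log/secure
    verify_binary /sbin/syslogd
    if hash_matches /sbin/syslogd "PLACEHOLDER_KNOWN_GOOD_SHA256"; then
        echo "syslogd hash matches baseline"
    else
        echo "syslogd hash DOES NOT match baseline (or baseline not set)"
    fi
}

# Invoke as:  sh triage.sh run
case "${1:-}" in run) main ;; esac
```

An EMPTY /var/log/secure with a syslog.conf that routes authpriv there is exactly the "it looks right but logs nothing" pattern described above; pair the output with `rpm -V` results for the sysklogd package and a hash comparison against clean media before deciding whether the daemon can be trusted.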



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list