Not to mention he's 1000 miles away from the box (which he did state in his
e-mail)

> -----Original Message-----
> From: Jamin Collins [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, September 21, 2000 5:51 PM
> To:   '[EMAIL PROTECTED]'
> Subject:      RE: More hacked server questions
> 
> IIRC, he's intentionally leaving the box connected as he is looking for
> more information on the people that did it.
> 
> Jamin W. Collins
> -----Original Message-----
> From: Jason Costomiris [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 21, 2000 6:15 AM
> To: [EMAIL PROTECTED]
> Subject: Re: More hacked server questions
> 
> On Wed, Sep 20, 2000 at 02:07:45PM -0500, Kerry Miller wrote:
> : I've been tinkering with that server a little, got the logging working
> : (at least partially) and have gotten a lot of interesting IP addresses
> : in the log.  I'm tightening it up to stop them from hacking other
> : people's systems with it, and I don't even begin to know where to look
> : for any software they may have installed yet (other than their porn web
> : server).
> 
> Well, for starters, TAKE IT OFF THE NETWORK!  Don't examine a hacked
> machine with it on the network.  You're still giving them a jump-off
> point.  Most likely the machine was rootkitted, and unless you've
> "de-kitted" it, which is certainly not an exact science, you are most
> likely still able to be connected to.  If you must have the machine
> networked, do it on a private, firewalled LAN.
> 
> : I restarted the syslog and they rebooted the machine this morning (it's
> : 1500 miles away...) and the messages file is working but I'm still not
> : getting any entries in /var/log/secure, it's just a zero-length file.
> : The syslogd.conf file looks the same as mine so I guess it's ok.  Any
> : ideas how to get secure working?
> 
> They replaced your syslogd with a trojaned one that doesn't log anything.
> 
> --
> Jason Costomiris <><           |  Technologist, geek, human.
> jcostom {at} jasons {dot} org  |  http://www.jasons.org/
> 
> 
> 
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list
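
A check for the symptom discussed in this thread (an empty /var/log/secure while the syslog configuration looks normal), added here as an example and not posted by anyone on the list. The file paths and the known-good digest are assumptions passed in as arguments, and it is meant to be run from trusted media against the suspect disk, since tools on a rootkitted host cannot be trusted.

```shell
#!/bin/sh
# Added example (not from the thread). Run from trusted media against the
# suspect disk mounted read-only; all paths and the digest are caller-supplied.

# Print the file(s) a sysklogd-style config assigns to the authpriv facility.
authpriv_targets() {    # $1 = config file
    awk '
        /^[ \t]*#/ { next }                  # skip comment lines
        NF < 2     { next }                  # skip blank or incomplete lines
        {
            n = split($1, sel, ";")          # selectors: fac[,fac].pri[;...]
            for (i = 1; i <= n; i++) {
                dot = index(sel[i], ".")
                if (dot == 0) continue
                fac = "," substr(sel[i], 1, dot - 1) ","
                pri = substr(sel[i], dot + 1)
                if (index(fac, ",authpriv,") && pri != "none") {
                    t = $2; sub(/^-/, "", t) # leading "-" only disables sync
                    print t; break
                }
            }
        }' "$1"
}

# Print one verdict word for the symptom "secure log stays empty".
# $1 config, $2 log path as named in the config, $3 on-disk copy of that log,
# $4 syslogd binary, $5 known-good SHA-256 of that binary (from vendor media)
triage() {
    if ! authpriv_targets "$1" | grep -qxF "$2"; then
        echo config-does-not-route-authpriv; return 0
    fi
    actual=$(sha256sum "$4" | awk '{ print $1 }')
    if [ "$actual" != "$5" ]; then
        echo daemon-binary-differs; return 0
    fi
    if [ ! -s "$3" ]; then
        echo log-empty-binary-matches; return 0
    fi
    echo ok
}

if [ "$#" -eq 5 ]; then triage "$@"; fi
```

A `daemon-binary-differs` verdict is consistent with the replaced-syslogd diagnosis given in the thread; `log-empty-binary-matches` means the on-disk binary is not the explanation and the cause has to be sought elsewhere.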


