Hi - I have a couple of quickie bits of advice for you...

1) remove the machine from the network (pull the net / modem cable) so you
can check exactly what has happened without him / them logging back in and
screwing stuff up more / covering their tracks. don't bring the machine
back up till you've done step 2 thoroughly...

2) go to http://www.auscert.org.au/ and check out the "root compromise" or
something similar (don't have access to a web browser right now - but the
info is there) documents... there's similar stuff at cert.org - but I know
of the auscert stuff first hand...

3) to check last logins and stuff type "last" and - well - it may have the
details there - or the intruder may have deleted the logs that contain the
login history... or maybe they didn't get that far if they locked the
server trying stuff out...

4) find out what happened, document it, back up the whole system to a DAT
if you have a chance, remove the tape and lock it, then wipe the HD and
set up the server from scratch using the redhat install cds - then
selectively restore stuff from the DAT that you know you need... it's best
not trying to clean up after an intrusion as you can't really be sure what
the intruder has done - if they're really good at what they do and you're
not super savvy then it's quite probable that it'll look like there's
nothing wrong whatsoever with the machine... but they'll still be on the
machine, hacking away! :(

5) if you get a chance to find out who they are then do whatever you can
to make sure they do it again - ranging from reporting them to the
authorities and taking any action available to you to make their life as
unpleasant as possible!

hmm... this all brings back painful memories of server compromise by
inexperienced script kiddies over a year ago resulting in large loss
of data and time in recovering when I didn't really know much better
(and didn't have a backup of the only stuff that happened to get
wiped!) good luck & I hope there's nothing too critical on there / nothing
lost....

cheers, dan.

ps. as to how did they get in - lack of errata updates / insecure services
being run / non-encrypted telnet (always use ssh!) would be three guesses...

On Thu, 9 Nov 2000, Fred Edmister wrote:

>       This morning I awoke to my Linux server not responding, and when I went to 
> the system itself, there were a bunch of PAM *** info lines on the screen 
> for a username I had never seen... I couldn't log in, and had to just power 
> down and do a manual fsck when it came back up... (bear with me, there is a 
> question here)  Once the system came back up (after changing all the 
> passwords of course... )  there was a new user "shlomi" added to the 
> system, and in the home directory was a program directory, and the tar 
> file... (bnc2.6.2         bnc2.6.2.tar.gz)  My questions are 1).  What is 
> this BNC, and should I worry about what this guy may have done to my system 
> (everything seems to work fine, but I don't know if he did something 
> "behind the scenes")   2).  How did this guy get in, and what can I do to 
> avoid these things from happening in the future (I noticed on the screen 
> when I got to the system one of the PAM's was him being su'd.. NOT 
> good)   And Lastly,  where is the log that holds the telnet info so I can 
> check and see EXACTLY what this guy did...  Thank you all in advance for 
> your help!  It is greatly appreciated!

_______________________________________________
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list
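A small triage script in the spirit of steps 3 and 4 above, added here as an example and not part of the thread: it checks a copy of /etc/passwd against a baseline list of expected accounts, flags any extra UID-0 entry, and picks unfamiliar names out of "last" output. Every account name, address and wtmp line in it is constructed; on a real box you would feed it files copied off the disconnected machine, and remember that wtmp can be truncated by the intruder, so an empty result from "last" proves nothing.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All sample data below is constructed.

# Baseline of login names you expect on the box (from install notes or a trusted copy).
BASELINE_USERS="root
bin
daemon
fred"

# Constructed copy of /etc/passwd as it might look after the intrusion.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
fred:x:500:500:Fred:/home/fred:/bin/bash
shlomi:x:501:501::/home/shlomi:/bin/bash
toor:x:0:0::/root:/bin/bash'

# Constructed "last" output (wtmp summary); hosts are documentation addresses.
LAST_SAMPLE='fred     pts/0        192.0.2.10       Thu Nov  9 08:12   still logged in
shlomi   pts/1        198.51.100.7     Thu Nov  9 02:41 - 02:58  (00:17)
fred     tty1                          Wed Nov  8 19:03 - 19:40  (00:37)

wtmp begins Wed Nov  8 19:03:01 2000'

# Print login names in passwd text $1 that are not in the baseline list.
unknown_accounts() {
    printf '%s\n' "$1" | cut -d: -f1 | while IFS= read -r name; do
        printf '%s\n' "$BASELINE_USERS" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

# Print UID-0 accounts other than root; a second UID-0 login is a classic backdoor sign.
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print "last" lines whose user is not in the baseline; keeps the host column for follow-up.
unknown_logins() {
    printf '%s\n' "$1" | awk 'NF >= 3 && $1 != "wtmp" && $1 != "reboot"' | while IFS= read -r line; do
        name=${line%% *}
        printf '%s\n' "$BASELINE_USERS" | grep -qx "$name" || printf '%s\n' "$line"
    done
}

echo "Accounts not in baseline:"; unknown_accounts "$PASSWD_SAMPLE"
echo "Extra UID-0 accounts:";     extra_uid0 "$PASSWD_SAMPLE"
echo "Logins by unknown users:";  unknown_logins "$LAST_SAMPLE"
```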