Hello,

I was recently asked to check out a Linux computer, as the person said it was "acting funny". I took a quick peek in webmin and saw a couple of users with uid 0. I immediately knew the box had been hacked. Upon further inspection through ssh, I found the following things:

- /var/log is gone
- the tripwire database is gone
- a couple of hidden home dirs corresponding to the uid 0 accounts
- a file called spackit.c, the Super PakiT... looks like a DoS program.

The person told me that people have been receiving viruses coming from one of the hacked accounts. I would like some opinions, advice, or info on:

- Is there any way to view records? webmin has a "last logon" option, but now that /var/log has been blown away, it's not working right.
- What is spakit.c? Anyone ever heard of it?
- Any other recommendations? I'm pretty proficient in Linux, but this is the first time I've run into a hacked box. From my past reading, I know the steps are to try and recover any data not malformed and reinstall. Any other pointers?

Thanks,

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
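The two indicators the poster found by hand (extra uid 0 accounts and hidden home directories) can be pulled straight out of /etc/passwd, and the absence of /var/log can be tested before trying any log-based tool (webmin's "last logon" and the `last` command both read /var/log/wtmp, so with that directory gone those records are simply not there). The script below is an added triage example, not code from the original post or the SecurityFocus list; it runs against a constructed sample passwd file so it can be tried offline, and the function names, the sample entries and the account names in it are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only triage checks for a suspected compromised Linux host.
# Every name below (functions, sample accounts, sample paths) is constructed for
# illustration; run the functions against /etc/passwd on a real host to use them.

# find_extra_uid0 FILE
#   Print every login name in FILE that has uid 0 and is not "root".
#   Any output here is a finding: a second superuser account is not normal.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# find_hidden_homes FILE
#   Print "user:home" for accounts whose home directory's last path component
#   starts with a dot (a dot-directory hides from a plain "ls").
find_hidden_homes() {
    awk -F: '{ n = split($6, p, "/"); if (p[n] ~ /^\./) print $1 ":" $6 }' "$1"
}

# dir_missing DIR
#   Succeed (exit 0) when DIR does not exist as a directory, e.g. a wiped /var/log.
dir_missing() {
    [ ! -d "$1" ]
}

# Constructed sample passwd content resembling what the poster describes:
# one legitimate root, two extra uid 0 accounts with dot-directory homes.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm:x:0:0::/home/.sysadm:/bin/sh
lpd:x:0:0::/var/.lp:/bin/sh
EOF

# Report on the sample (a real run would pass /etc/passwd instead).
echo "extra uid 0 accounts:"
find_extra_uid0 "$SAMPLE_PASSWD"
echo "accounts with hidden home directories:"
find_hidden_homes "$SAMPLE_PASSWD"
if dir_missing /var/log; then
    echo "/var/log is missing: wtmp/lastlog records are gone, do not trust 'last'"
fi
```

Run the functions against /etc/passwd on the suspect machine (read-only, nothing is modified); because the box is being rebuilt anyway, the output is most useful as a record of which accounts to look at on the disk image before reinstalling.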
This archive was generated by hypermail 2b30 : Fri May 03 2002 - 15:28:56 PDT