info

From: Joe T. (auximiniat_private)
Date: Fri May 03 2002 - 15:26:49 PDT


    Hello,
    
    I was recently asked to check out a Linux computer as the person said it was 'acting
    funny'. I took a quick peek in Webmin and saw a couple of users with uid 0. I immediately
    knew the box had been hacked.
    
    Upon further inspection through ssh, I found the following things:
    - /var/log is gone
    - the tripwire database is gone
    - a couple hidden home dirs corresponding to the uid0's
    - a file called spackit.c, the Super PakiT.. looks like a DoS program.
    
    The person told me that people have been receiving viruses coming from one of the hacked
    accounts.
    
    I would like some opinions, advice, or info on:
    - is there any way to view records? Webmin has a 'last logon' option, but now that
    /var/log has been blown away, it's not working right.
    
    - what is spackit.c? Has anyone ever heard of it?
    
    - any other recommendations? I'm pretty proficient in Linux, but this is the first time
    I've run into a hacked box. From my past reading, I know the steps are to try and recover
    any data not malformed and reinstall. Any other pointers?
    
    thanks,
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
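
The indicators described in the mail (extra uid-0 accounts, hidden home directories, missing /var/log and tripwire database) can be checked from a copy of /etc/passwd without trusting the compromised host's tools. The following is an added triage example, not code from the original mail; the passwd sample and the artifact paths are constructed placeholders, and the tripwire location should be adjusted to the local install.

```python
"""Offline triage of a Linux box suspected of having rogue uid-0 accounts."""
import os
from pathlib import Path

# Constructed /etc/passwd sample: root plus two attacker-style uid-0 accounts
# whose home directories are dot-prefixed so they do not show up in a plain ls.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
joe:x:1000:1000:Joe:/home/joe:/bin/bash
sys2:x:0:0::/home/.sys2:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
toor:x:0:0::/home/...:/bin/sh
"""

def parse_passwd(text):
    """Yield (name, uid, home, shell) for each well-formed 7-field passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip comments, blanks and malformed lines
        name, _, uid, _, _, home, shell = fields
        yield name, int(uid), home, shell

def find_uid0_accounts(text):
    """Return the names of every uid-0 account other than 'root'."""
    return [name for name, uid, _, _ in parse_passwd(text)
            if uid == 0 and name != "root"]

def find_hidden_homes(text):
    """Return (name, home) for accounts whose home's last path component
    starts with a dot, the hiding trick the mail describes."""
    return [(name, home) for name, _, home, _ in parse_passwd(text)
            if home.rstrip("/").rsplit("/", 1)[-1].startswith(".")]

def missing_artifacts(paths=("/var/log", "/var/lib/tripwire")):
    """Return which expected log/integrity paths are absent (assumed defaults)."""
    return [p for p in paths if not os.path.exists(p)]

if __name__ == "__main__":
    # On a real host, read the file from a mounted image rather than the live box.
    text = Path("/etc/passwd").read_text() if os.path.exists("/etc/passwd") else SAMPLE_PASSWD
    print("extra uid-0 accounts:", find_uid0_accounts(text))
    print("hidden home dirs:", find_hidden_homes(text))
    print("missing artifacts:", missing_artifacts())
```

Because the functions take the file contents as text, they can be run against a passwd file copied off a disk image of the compromised machine.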
    This archive was generated by hypermail 2b30 : Fri May 03 2002 - 15:28:56 PDT