Get an 'lsof' listing of processes and what programs are bound to those
ports/processes. See if any trojans have been installed on the box. Do a
locate on lsof or download the tar from freshmeat.net if you can't find
it. I use OpenBSD so I don't know where your distro might keep it.

One other thing you might want to do is use the find command to find any
'dot' directories.

% find . -type d -name ".*" -print

I'd also see what versions of SSHD, etc. were running to figure out how
the attacker might have broken in. Check SSH for the CRC32
vulnerability. I would also see if he left telnetd running or any RPC
services.

Also, you might want to let your friend know not to keep tripwire
databases on the same machine. They should be put on a protected floppy
or CD-ROM.

// Loki

==================================================
Eric S. Hines
Chief Technical Officer
E*com Solutions, Inc.
ehinesat_private
--------------------------------------------------
[w] http://www.ecomsolutionsinc.com
[e] ehinesat_private
[p] (412) 303-3115
--------------------------------------------------
Corporate Headquarters
400 Travis Street
Suite 408
Shreveport, LA 71101
==================================================

-----Original Message-----
From: Joe T. [mailto:auximiniat_private]
Sent: Friday, May 03, 2002 6:27 PM
To: incidentsat_private
Subject: info

Hello,

I was recently asked to check out a Linux computer as the person said it
was 'acting funny'. I took a quick peek in webmin and saw a couple of
users with uid 0. I immediately knew the box had been hacked. Upon
further inspection through ssh, I found the following things:

- /var/log is gone
- the tripwire database is gone
- a couple of hidden home dirs corresponding to the uid 0s
- a file called spackit.c, the Super PakiT.. looks like a DoS program.

The person told me that people have been receiving viruses coming from
one of the hacked accounts.

I would like some opinions, advice, or info on:

- is there any way to view records? webmin has a 'last logon' option, but
  now that /var/log has been blown away, it's not working right..
- what is spakit.c? anyone ever heard of it?
- any other recommendations? I'm pretty proficient in Linux, but this is
  the first time I've run into a hacked box. From my past reading, I know
  the steps are to try and recover any data not malformed and reinstall.
  Any other pointers?

thanks,

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
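Editor's added example, not code from either poster: a small POSIX sh triage helper that packages the checks Loki suggests (unexpected listening sockets from an lsof listing, hidden "dot" directories, and whether the sshd banner still offers protocol 1, which is the family the CRC32 compensation-attack-detector bug lived in). The allow-list, the sample lsof lines and the directory tree are constructed for the demo. One practitioner caveat the thread implies but does not spell out: on a box where /var/log and the tripwire database have been wiped, the local lsof, find and ps may be trojaned too, so run these from a known-good static binary or a boot CD rather than trusting the installed copies.

```shell
#!/bin/sh
# Added example (not from the list post). Post-compromise triage helpers
# covering the checks in Loki's reply. Allow-list, sample data and paths
# below are assumptions made for the demo.

# Print every hidden directory below $1 (the root itself excluded).
# Attackers favour names such as ". " (dot-space) or "..." that a casual
# 'ls' never shows; legitimate ones like ~/.ssh will also appear, so the
# output is a list to review, not a list of verdicts.
find_hidden_dirs() {
    root=$1
    find "$root" -type d -name '.*' ! -path "$root" -print
}

# Read 'lsof -i -P -n' style output on stdin and print the LISTEN lines
# whose command name is not in the space-separated allow-list in $1.
filter_listeners() {
    allow=" $1 "
    while IFS= read -r line; do
        case $line in
            *'(LISTEN)'*) ;;
            *) continue ;;
        esac
        cmd=${line%% *}                     # first column is COMMAND
        case $allow in
            *" $cmd "*) ;;                  # known-good daemon, skip
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Classify an SSH identification banner (the line sshd sends first).
# SSH-1.5 is protocol 1 only, SSH-1.99 is 1 and 2, SSH-2.0 is 2 only.
# Anything still speaking protocol 1 deserves the CRC32 check Loki mentions.
classify_ssh_banner() {
    case $1 in
        SSH-1.5-*|SSH-1.99-*) echo ssh1-capable ;;
        SSH-2.0-*)            echo ssh2-only ;;
        *)                    echo not-ssh ;;
    esac
}

# Constructed lsof sample: sshd plus a leftover telnetd and an odd
# high-port listener. PIDs, device numbers and port 31337 are made up.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd      412 root    3u  IPv4   1234      TCP *:22 (LISTEN)
telnetd   418 root    3u  IPv4   1240      TCP *:23 (LISTEN)
xxx       777 root    5u  IPv4   9999      TCP *:31337 (LISTEN)
sshd      900 root    4u  IPv4   1300      TCP 10.0.0.5:22->10.0.0.9:40000 (ESTABLISHED)'

# Number of listeners in the sample that are not on allow-list $1.
count_unexpected_listeners() {
    printf '%s\n' "$SAMPLE_LSOF" | filter_listeners "$1" | wc -l | tr -d ' '
}

# Build a throwaway tree with three hidden directories (one of them the
# dot-space trick), run the finder, and print how many it found.
demo_hidden_dirs() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/alice/.ssh" "$tmp/home/.hacker" "$tmp/var/tmp/. /bin"
    n=$(find_hidden_dirs "$tmp" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    printf '%s\n' "$n"
}

# Stand-alone run: show the suspicious listeners and the hidden-dir count.
if [ "${TRIAGE_DEMO:-1}" = 1 ]; then
    printf '%s\n' "$SAMPLE_LSOF" | filter_listeners "sshd"
    echo "hidden dirs found: $(demo_hidden_dirs)"
    echo "banner SSH-1.99-OpenSSH_2.3.0: $(classify_ssh_banner SSH-1.99-OpenSSH_2.3.0)"
fi
```

On the real box the live forms are `lsof -i -P -n | filter_listeners "sshd ..."` (with the daemons you expect on that host in the allow-list), `find_hidden_dirs /home` and `find_hidden_dirs /var/tmp`, and `printf '\n' | nc host 22 | head -1 | classify_ssh_banner` with the banner string as the argument; grab the banner from another machine rather than trusting the compromised host's own ssh client.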
This archive was generated by hypermail 2b30 : Fri May 03 2002 - 16:09:41 PDT