> I would like some opinions, advice, or info on:
> - is there any way to view records? webmin has a
> 'last logon' option, but now that
> /var/log has been blown away, it's not working
> right..

The nature of the attack, i.e. the box is r00ted, indicates that you cannot trust any of the information you find with any certainty. With that said, you can check your /etc/syslog.conf file to see if there are any log files in a directory other than /var/log. You can also check services like Apache (httpd.conf) to see if they logged to a directory other than /var/log.

> - any other recommendations? I'm pretty proficient
> in linux, but this is the first time
> I've run into a hacked box. From my past reading, I
> know the steps are to try and recover
> any data not malformed and reinstall. Any other
> pointers?

If your attacker was sloppy, you may find useful information in the user's history file, .bash_history, especially for those users with uid 0. If the hacked machine was behind a packet filter, or there is a sniffer on the line anywhere between the hacked box and the net that you have access to, you can check those logs as well.

Best of luck,
Guhan
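The checks Guhan suggests (syslog targets outside /var/log, Apache log directives, and the .bash_history of uid-0 accounts) written out as a small POSIX shell script. This is an added example, not part of the original post; the syslog.conf, httpd.conf and passwd contents are constructed samples written to a scratch directory, and the history check takes a filesystem root argument so it can be pointed at a mounted image of the compromised disk instead of the live, untrusted box.

```shell
#!/bin/sh
# Added example (not from the original post): sweep the places the reply mentions
# for evidence that survived the wiping of /var/log. All inputs are constructed
# samples written into a scratch directory; on a real case, point the functions at
# a mounted image of the compromised disk rather than trusting the live system.

WORK=$(mktemp -d)

# --- constructed sample files ------------------------------------------------
cat > "$WORK/syslog.conf" <<'EOF'
# constructed sample /etc/syslog.conf
*.info;mail.none;authpriv.none          /var/log/messages
authpriv.*                              /var/log/secure
auth.*                                  /srv/logs/auth.log
*.emerg                                 *
mail.*                                  -/var/spool/mail/maillog
*.*                                     @loghost.example.net
EOF

cat > "$WORK/httpd.conf" <<'EOF'
# constructed sample httpd.conf fragment
ErrorLog /var/log/httpd/error_log
CustomLog /opt/www/logs/access_log combined
EOF

cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
guhan:x:500:500:Guhan:/home/guhan:/bin/bash
toor:x:0:0:extra uid-0 account:/tmp/.x:/bin/bash
EOF

# A stand-in for a mounted evidence image: only the suspicious account has a history.
mkdir -p "$WORK/rootfs/root" "$WORK/rootfs/tmp/.x"
printf 'uptime\nls -la /var/log\n' > "$WORK/rootfs/tmp/.x/.bash_history"

# --- checks ------------------------------------------------------------------

# Local file targets in a syslog.conf that are NOT under /var/log.
# A leading '-' means "no fsync" and is stripped; '*' (all consoles) and
# '@host' (remote loghost) are not files and are skipped.
syslog_targets_outside_varlog() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            target = $NF
            sub(/^-/, "", target)
            if (target ~ /^\// && target !~ /^\/var\/log\//) print target
        }' "$1"
}

# Paths named by Apache ErrorLog/CustomLog/TransferLog directives.
apache_log_targets() {
    awk '/^[ \t]*(ErrorLog|CustomLog|TransferLog)[ \t]/ { print $2 }' "$1"
}

# "user:home" for every uid-0 account; anything beyond root deserves a look.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 ":" $6 }' "$1"
}

# "user path" for uid-0 accounts whose .bash_history exists and is non-empty.
# $1 = passwd file, $2 = filesystem root (e.g. the mount point of an evidence image).
uid0_histories() {
    uid0_accounts "$1" | while IFS=: read -r user home; do
        hist="$2$home/.bash_history"
        if [ -s "$hist" ]; then
            echo "$user $hist"
        fi
    done
}

echo "== syslog targets outside /var/log =="
syslog_targets_outside_varlog "$WORK/syslog.conf"
echo "== apache log targets =="
apache_log_targets "$WORK/httpd.conf"
echo "== uid-0 accounts =="
uid0_accounts "$WORK/passwd"
echo "== uid-0 shell histories =="
uid0_histories "$WORK/passwd" "$WORK/rootfs"
```

On a real incident, copy the config and passwd files off the mounted image (or read them from there directly) and pass that mount point as the second argument to uid0_histories; a second uid-0 account such as the constructed "toor" is itself a finding, and any history it left is worth reading before the box is rebuilt.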
This archive was generated by hypermail 2b30 : Mon May 06 2002 - 10:43:38 PDT