hacked

[Jason Etchason]

I'm pretty sure that my linux box at home has been hacked, and am not sure
what to do next.  I found a samba share called [radio] and directory /tmp at
root that was just recently created with suspicious files.

The box in question has slackware 10.2 and is sitting behind a netgear
router.  The only hole between the internet and the box was port forwarding
for SSH on a non standard port.  I am pretty sure I disabled root the login
via SSH. I suppose that this could have been bruteforced - My SSH login is
10 chars and only 3 of them are non-alpha.  Because I'm just running the box
at home, and still learning, I have been lax about setting up any rights
management.  So if someone did get in thru SSH, they pretty much had full
access immediately.

Once I get home from work today, I want to be able to bring my system back
up, but not before I am certain I have closed off all vulnerabilities.  Then
I'd also like to setup some form of IDS, but I do not know if that is above
my skill level.  Of course, I gotta learn some time, so I might as well now?

Any advice is appreciated.  And I'll see you at the east side user group
tomorrow.

Thx
Jason
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.plug.phoenix.az.us/pipermail/plug-discuss/attachments/20060412/46f38f63/attachment.htm