hacked

Darrin Chandler dwchandler at stilyagin.com
Wed Apr 12 10:17:09 MST 2006


On Wed, Apr 12, 2006 at 09:52:44AM -0700, Jason Etchason wrote:
> I'm pretty sure that my linux box at home has been hacked, and am not sure
> what to do next.  I found a samba share called [radio] and directory /tmp at
> root that was just recently created with suspicious files.

What was in this samba share? I can't find much googling for this.

What did you see in /tmp that looked suspicious?

> The box in question has slackware 10.2 and is sitting behind a netgear
> router.  The only hole between the internet and the box was port forwarding
> for SSH on a non-standard port.  I am pretty sure I disabled the root login
> via SSH. I suppose that this could have been brute-forced - My SSH login is
> 10 chars and only 3 of them are non-alpha.  Because I'm just running the box
> at home, and still learning, I have been lax about setting up any rights
> management.  So if someone did get in through SSH, they pretty much had full
> access immediately.

The only hole as defined how? The netgear (yikes!)? Iptables?

> Once I get home from work today, I want to be able to bring my system back
> up, but not before I am certain I have closed off all vulnerabilities.  Then
> I'd also like to setup some form of IDS, but I do not know if that is above
> my skill level.  Of course, I gotta learn some time, so I might as well now?

If at all possible, boot from a floppy or CD in single-user mode or
rescue mode, etc. You'll probably have to mount your filesystems by
hand (or not?). This way, you'll be in control even if someone has a
rootkit installed. Then you can check out anything you want.

-- 
Darrin Chandler            |  Phoenix BSD Users Group
dwchandler at stilyagin.com   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |

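An added example, not part of Darrin's reply or anything Jason posted, of the kind of offline triage the advice above leads to: mount the suspect root partition read-only from rescue media, then answer the questions asked in the thread (what shares smb.conf defines, whether root login over SSH was actually disabled, what is new in /tmp, and which setuid files exist) without executing anything from the compromised disk. The device name /dev/hda2 and mountpoint /mnt/suspect are assumptions; make_demo builds a constructed tree so the checks can be exercised without a real suspect disk.

```shell
#!/bin/sh
# Offline triage helpers for a suspect root filesystem.
# Assumed: /dev/hda2 holds the suspect root; /mnt/suspect is where we mount it.

# Mount read-only with noexec/nodev/nosuid so nothing on the disk can run,
# even if a rootkit replaced binaries there.
mount_suspect() {
    mkdir -p "$2" && mount -o ro,noexec,nodev,nosuid "$1" "$2"
}

# Print the share names defined in an smb.conf, excluding the
# built-in [global], [homes] and [printers] sections.
list_shares() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)\].*/\1/p' "$1" \
        | grep -v -x -e global -e homes -e printers
}

# Effective PermitRootLogin for an sshd_config. A commented-out line does
# not count; when the directive is absent, OpenSSH of that era defaulted
# to "yes", so that is what we report.
permit_root_login() {
    v=$(sed -n 's/^[[:space:]]*PermitRootLogin[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" \
        | head -n 1)
    printf '%s\n' "${v:-yes}"
}

# Regular files under $1 modified within the last $2 days (stays on one fs).
recent_files() {
    find "$1" -xdev -type f -mtime "-$2" 2>/dev/null
}

# Setuid or setgid regular files under $1: a common place for a left-behind
# root shell after a break-in.
setuid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Constructed demo tree standing in for the mounted suspect disk:
# a guest-writable [radio] share on /tmp, a commented-out PermitRootLogin,
# and a fresh setuid file hidden in /tmp.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/samba" "$d/etc/ssh" "$d/tmp"
    cat > "$d/etc/samba/smb.conf" <<'EOF'
[global]
   workgroup = HOME
[homes]
   browseable = no
[radio]
   path = /tmp
   writable = yes
   guest ok = yes
EOF
    cat > "$d/etc/ssh/sshd_config" <<'EOF'
Port 2222
#PermitRootLogin no
EOF
    : > "$d/tmp/.x"
    chmod 4755 "$d/tmp/.x"
    printf '%s\n' "$d"
}

# Real use, from a rescue boot (assumed device and mountpoint):
#   mount_suspect /dev/hda2 /mnt/suspect
#   list_shares /mnt/suspect/etc/samba/smb.conf
#   permit_root_login /mnt/suspect/etc/ssh/sshd_config
#   recent_files /mnt/suspect/tmp 7
#   setuid_files /mnt/suspect
```

Run the find checks against the mounted copy rather than the live box: a rootkit that patches ls and find on the compromised system will not be able to hide from tools on the rescue media, which is the point of Darrin's advice.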

More information about the PLUG-discuss mailing list