hacked

Jason Spatafore jason at spatafore.net
Fri Apr 14 17:45:44 MST 2006


Hmm...some basics for finding stuff out...

1. Change the root password first and foremost.

2. Check /etc/passwd and see if there are any accounts which are suspicious. 
Also check to see if there is an account with the UID of "0", other than 
root.

3. Check /etc/hosts.deny and /etc/hosts.allow for any openings. Your best bet 
would be to read up on some SSH information for which files are used to 
figure out who is allowed.

4. Check your logfiles in /var/log/.... to see if you see a TON of failed 
login attempts. Of course, if they were able to root your box, they could 
have deleted this trail.

5. Make sure you only have necessary services started. (Minimum necessary 
rule)

These should help you out. I cannot give you detailed instructions on each one 
but these are the basics. However, the only 'real' way to be sure your box is 
no longer compromised is to wipe it and reload it. Once compromised, a box 
is very 'iffy' at best. You can, of course, keep your data if you wipe and 
reload. Just back up all files you want beforehand. (But delete applications 
from the old system as they could have been compromised.)



On Wednesday 12 April 2006 09:52, Jason Etchason wrote:
> I'm pretty sure that my linux box at home has been hacked, and am not sure
> what to do next.  I found a samba share called [radio] and directory /tmp
> at root that was just recently created with suspicious files.
>
> The box in question has slackware 10.2 and is sitting behind a netgear
> router.  The only hole between the internet and the box was port forwarding
> for SSH on a non standard port.  I am pretty sure I disabled the root login
> via SSH. I suppose that this could have been bruteforced - My SSH login is
> 10 chars and only 3 of them are non-alpha.  Because I'm just running the
> box at home, and still learning, I have been lax about setting up any
> rights management.  So if someone did get in thru SSH, they pretty much had
> full access immediately.
>
> Once I get home from work today, I want to be able to bring my system back
> up, but not before I am certain I have closed off all vulnerabilities. 
> Then I'd also like to setup some form of IDS, but I do not know if that is
> above my skill level.  Of course, I gotta learn some time, so I might as
> well now?
>
> Any advice is appreciated.  And I'll see you at the east side user group
> tomorrow.
>
> Thx
> Jason

-- 
Sincerely,

Jason Spatafore
Linux+ Certified Professional
http://www.spatafore.net
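As an added example (not part of the reply above or anything from its author), here is a small read-only triage script covering steps 2, 3 and 4 of the checklist: extra UID-0 accounts in a passwd file, wide-open entries in hosts.allow, and failed SSH logins tallied by source address. The passwd, hosts.allow and auth-log contents it reads are constructed sample data written to a temporary directory so the script runs offline; the function names and the file paths it creates are the example's own assumptions, not anything from the original post.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Read-only triage helpers for a possibly compromised Linux host.
# Sample inputs below are CONSTRUCTED; on a real host point the functions at
# /etc/passwd, /etc/hosts.allow and /var/log/messages (or /var/log/auth.log).

# Step 2: print every account whose UID field is 0 and whose name is not root.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Step 3: flag hosts.allow rules that grant sshd (or everything) to ALL clients.
# Output: "<line number>:<rule text>" per match; empty output means none found.
permissive_hosts_allow() {
    grep -nE '^[[:space:]]*(ALL|sshd)[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)' "$1" || true
}

# Step 4: total number of "Failed password" lines in a syslog-style auth log.
failed_login_total() {
    grep -c 'Failed password' "$1"
}

# Step 4: failed logins grouped by source address, busiest address first.
# Output: "<count> <address>" per line.
failed_logins_by_ip() {
    grep 'Failed password' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# ---- constructed sample data (hypothetical account, rule and addresses) ----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/bin/false
jason:x:1000:100:Jason:/home/jason:/bin/bash
ftpd2:x:0:0::/tmp/.x:/bin/bash
EOF

cat > "$SAMPLE_DIR/hosts.allow" <<'EOF'
# constructed sample: one sane rule, one wide-open rule
sshd: 192.168.1.0/255.255.255.0
sshd: ALL
EOF

cat > "$SAMPLE_DIR/auth.log" <<'EOF'
Apr 12 03:14:01 slack sshd[4123]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr 12 03:14:03 slack sshd[4123]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr 12 03:14:05 slack sshd[4125]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Apr 12 03:20:11 slack sshd[4130]: Failed password for jason from 198.51.100.20 port 40022 ssh2
Apr 12 08:52:30 slack sshd[4201]: Accepted password for jason from 192.0.2.5 port 50001 ssh2
EOF

# ---- run the checks on the sample data ----
echo "Extra UID-0 accounts:";        find_extra_uid0 "$SAMPLE_DIR/passwd"
echo "Permissive hosts.allow rules:"; permissive_hosts_allow "$SAMPLE_DIR/hosts.allow"
echo "Failed logins total: $(failed_login_total "$SAMPLE_DIR/auth.log")"
echo "Failed logins by source:";     failed_logins_by_ip "$SAMPLE_DIR/auth.log"
```

Because the reply notes that a rooted box may have had its logs trimmed and its applications replaced, the useful way to run these checks is against the disk mounted from a known-good system (a live CD or another machine), with the file arguments pointing at the mounted copies of /etc and /var/log rather than the suspect host's own tools and logs.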