Got hacked?
daz
david at damnetwork.net
Fri Feb 23 06:56:59 MST 2007
Jim wrote:
> Last night I came home from work and sat down at the computer. I
> noticed the lights on the DSL router were blinking very rapidly. I have
> an ftp server running on my linux box (Slackware 10.2). So I thought
> someone might have been uploading something.
> Is there anything else I should do?
>
> thanks
>
I'm going to go against the grain here with my suggestion. My first
question would be:
How important to you is it that that server stays 'pure'?
My second question:
Do you have the time/curiosity to try to find out what happened?
Back in the day, one of my servers got hacked. It was an ssh exploit
(the funny thing was that I had patched ssh for an exploit. I just
didn't see that the patch had an exploit, so didn't patch the patch.
pleh). Anyway, since it was my home server and I wanted to know wtf
happened, I didn't reinstall. I did forensics. I got clean copies of
some binaries:
ls, ps, lsof, file, cat, more, sh, find, netstat, etc.
then started checking out my system. It was a tremendous learning
experience. And yes, I did it while the box was live and the jerk was
still doing his/her thing.
One of the interesting things I found out was how many other servers the
jerk found that were easily exploited :)
Of course, this depends *entirely* on how important and sensitive your
server and its data are.
David
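One concrete way to do the "clean copies of binaries, then check the system" step David describes, as an added example that is not code from his post: build a hash manifest from the known-clean copies, then compare every binary on the suspect box against it. The manifest format ("sha256  name"), the function names, and the text stand-ins used as fake binaries are all assumptions made for this example so that it runs offline against a constructed fixture; on a real box you would point build_manifest at the clean binaries and verify_binaries at /bin, /sbin, /usr/bin, and so on.

```shell
#!/bin/sh
# Added example (not from the original post): detect trojaned or removed
# system binaries by comparing them against hashes of known-clean copies.

# Portable sha256: coreutils on Linux, shasum fallback elsewhere.
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# Build a manifest of "sha256  name" lines from a directory of clean binaries.
build_manifest() {
    clean_dir=$1
    for f in "$clean_dir"/*; do
        [ -f "$f" ] || continue
        h=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s  %s\n' "$h" "$(basename "$f")"
    done
}

# For each manifest entry, report binaries under $2 that are missing or whose
# hash differs from the clean copy. Prints nothing when everything matches.
verify_binaries() {
    manifest=$1
    suspect_dir=$2
    while read -r expected name; do
        [ -n "$name" ] || continue
        target="$suspect_dir/$name"
        if [ ! -f "$target" ]; then
            printf 'MISSING  %s\n' "$name"
            continue
        fi
        actual=$(sha256sum "$target" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            printf 'MODIFIED %s\n' "$name"
        fi
    done < "$manifest"
}

# Constructed fixture (assumption for this example): text files stand in for
# binaries. "clean/" holds the trusted copies, "bin/" the suspect install,
# where ps has been replaced and netstat deleted.
make_fixture() {
    work=$(mktemp -d)
    mkdir "$work/clean" "$work/bin"
    for b in ls ps netstat; do
        printf 'clean %s\n' "$b" > "$work/clean/$b"
        cp "$work/clean/$b" "$work/bin/$b"
    done
    printf 'trojaned ps\n' > "$work/bin/ps"   # attacker-modified ps
    rm "$work/bin/netstat"                     # attacker removed netstat
    printf '%s\n' "$work"
}

# Run the check end to end on the fixture and print the findings.
demo() {
    work=$(make_fixture)
    build_manifest "$work/clean" > "$work/manifest"
    verify_binaries "$work/manifest" "$work/bin"
    rm -rf "$work"
}

demo
```

The manifest must come from copies you trust (pristine install media or a package mirror checked out of band), and the hashing tool itself should be one of the clean binaries; a rootkit that has replaced sha256sum or ls will happily report that everything matches.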