Hmm...some basics for finding stuff out...

1. Change the root password first and foremost.

2. Check /etc/passwd and see if there are any accounts which are suspicious. Also check to see if there is an account with the UID of "0", other than root.

3. Check /etc/hosts.deny and /etc/hosts.allow for any openings. Your best bet would be to read up on some SSH information for which files are used to figure out who is allowed.

4. Check your logfiles in /var/log/.... to see if you see a TON of failed login attempts. Of course, if they were able to root your box, they could have deleted this trail.

5. Make sure you only have necessary services started. (Minimum necessary rule)

These should help you out. I cannot give you detailed instructions on each one but these are the basics.

However, the only 'real' way to be sure your box is no longer compromised is to wipe it and reload it. Once compromised, a box is very 'iffy' at best. You can, of course, keep your data if you wipe and reload. Just backup all files you want beforehand. (But delete applications from the old system as they could have been compromised.)

On Wednesday 12 April 2006 09:52, Jason Etchason wrote:
> I'm pretty sure that my linux box at home has been hacked, and am not sure
> what to do next. I found a samba share called [radio] and directory /tmp
> at root that was just recently created with suspicious files.
>
> The box in question has slackware 10.2 and is sitting behind a netgear
> router. The only hole between the internet and the box was port forwarding
> for SSH on a non standard port. I am pretty sure I disabled the root login
> via SSH. I suppose that this could have been bruteforced - My SSH login is
> 10 chars and only 3 of them are non-alpha. Because I'm just running the
> box at home, and still learning, I have been lax about setting up any
> rights management. So if someone did get in thru SSH, they pretty much had
> full access immediately.
>
> Once I get home from work today, I want to be able to bring my system back
> up, but not before I am certain I have closed off all vulnerabilities.
> Then I'd also like to setup some form of IDS, but I do not know if that is
> above my skill level. Of course, I gotta learn some time, so I might as
> well now?
>
> Any advice is appreciated. And I'll see you at the east side user group
> tomorrow.
>
> Thx
> Jason

--
Sincerely,
Jason Spatafore
Linux+ Certified Professional
http://www.spatafore.net

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
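Added example (not part of either message above): a small POSIX shell script that does items 2 and 4 of the checklist in the reply, the UID 0 check on /etc/passwd and the failed-login tally on the sshd log, and additionally lists successful logins from any address that also produced failures, since a brute force that eventually worked is exactly what the original poster is worried about. It runs against constructed sample files embedded inline so it works offline; the usernames, addresses and log lines are made up, and the log format assumed is the stock OpenSSH "Failed password for ... from <ip> port ..." / "Accepted ... for ... from <ip> port ..." syslog lines.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. On a real box,
# replace the two sample files with /etc/passwd and the sshd log
# (on Slackware 10.2 that is /var/log/messages and/or /var/log/secure).

# Constructed /etc/passwd with one rogue UID 0 account ("radio" is invented).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
jason:x:1000:100::/home/jason:/bin/bash
radio:x:0:0::/tmp:/bin/bash
EOF

# Constructed sshd log excerpt: a run of failures from one address, then a
# success from that same address, and an unrelated LAN login.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Apr 11 03:14:01 slack sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Apr 11 03:14:03 slack sshd[2203]: Failed password for invalid user test from 198.51.100.23 port 41030 ssh2
Apr 11 03:14:05 slack sshd[2205]: Failed password for root from 198.51.100.23 port 41044 ssh2
Apr 11 03:14:07 slack sshd[2207]: Failed password for jason from 198.51.100.23 port 41051 ssh2
Apr 11 03:14:09 slack sshd[2209]: Accepted password for jason from 198.51.100.23 port 41060 ssh2
Apr 11 08:00:12 slack sshd[2310]: Accepted publickey for jason from 192.168.1.5 port 50022 ssh2
EOF
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_LOG"' EXIT

# Item 2: every account whose UID field (3rd colon-separated field) is 0
# but whose name is not "root". Prints the offending usernames.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Item 4: number of "Failed password" lines per source address, largest
# count first. Output lines look like "<count> <ip>".
failed_logins_by_ip() {
    grep 'Failed password' "$1" \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Successful logins from addresses that also produced failures: the sign
# of a brute force that eventually got in. Prints "<user> via <method> from <ip>".
successes_after_failures() {
    failed_logins_by_ip "$1" | while read -r count ip; do
        grep "Accepted .* from $ip " "$1" \
          | sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from.*/\2 via \1 from '"$ip"'/p'
    done
}

echo "== accounts with UID 0 other than root =="
uid0_accounts "$SAMPLE_PASSWD"
echo "== failed SSH logins per source address =="
failed_logins_by_ip "$SAMPLE_LOG"
echo "== successful logins from addresses that also failed =="
successes_after_failures "$SAMPLE_LOG"
```

Two caveats the reply already hints at: an attacker with root can edit or truncate these logs, so an empty result proves nothing, and a clean /etc/passwd does not rule out a replaced binary or a setuid shell left in /tmp, which is why the reply's advice to wipe and reload still stands. For item 5, `netstat -ltnp` (or `lsof -i`) on the running box shows which services are actually listening.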