I think the expression I heard to describe this was: If you drop your fork in a pile of dog poo at a picnic it will not matter how well you clean it, deep down you would still prefer just to get a new fork. -----Original Message----- From: plug-discuss-bounces@lists.plug.phoenix.az.us [mailto:plug-discuss-bounces@lists.plug.phoenix.az.us] On Behalf Of John Schember Sent: Thursday, February 22, 2007 9:21 PM To: Main PLUG discussion list Subject: Re: Got hacked? Wipe the machine and reinstall. Once your compromised there is no way to tell 100% what what done. They could have installed a custom rootkit that will give them a telnet session when they port knock on the server. You can try to clean it but the only way to be sure the system is clean is to do a clean install. John Schember On Thu, 2007-02-22 at 21:15 -0700, Jim wrote: > Last night I came home from work and sat down at the computer. I > noticed the lights on the DSL router were blinking very rapidly. I have > an ftp server running on my linux box (Slackware 10.2). So I thought > someone might have been uploading something. > > Ftpwho showed no users logged in. I checked the incoming directory and > saw nothing there. > > Tcpdump showed me that they were sending something using ssh. > > I used find to look for anything they might have been uploading, but > found nothing. > > /var/log/syslog contained the following over and over for about 4 hours > before I got home > > Feb 22 20:43:56 ladmo smbd[6375]: [2007/02/22 20:43:56, 0] > printing/print_cups.c:cups_cache_reload(85) > Feb 22 20:43:56 ladmo smbd[6375]: Unable to connect to CUPS server > localhost - Connection refused > > Then I found in /var/log/syslog this over and over > > Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow > information for NOUSER > > I stopped sshd and edited /etc/sshd_config by adding the following: > AllowUsers root jim > AllowGroups root > > To test the change, I tried to log into the server via ssh and using > another account. It wouldn't let me log in using that other account via > ssh. > > I also tried > find / -mmin 1200 -size +100k > and without the size option, but found nothing from the time this was > going on. > > After all this I tried to send an email, but sendmail wasn't working. I > backed up my sendmail config files, uninstalled sendmail, reinstalled it > and restored the config files. Sendmail worked after that. > > Is there anything else I should do? > > thanks > --------------------------------------------------- PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us To subscribe, unsubscribe, or to change you mail settings: http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss --------------------------------------------------- PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us To subscribe, unsubscribe, or to change you mail settings: http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss