Hi Jim,

I agree w/ the suggestion of others on the list. Once your box is wacked/p0wned the best thing and quickest way to get back online is by reinstalling the OS. I personally wouldn't bother with trying to reconfigure or lock down a box that was known to be compromised since, as others have mentioned, you'll be fighting an uphill battle that may never end. If you have data on the compromised host that needs to be kept you might want to look at previous "known good" backups. Last resort would be to make a backup now, reinstall the OS, and then carefully migrate or recreate the needed data.

I've got access to commercial and freeware computer forensics tools (part of my job) and might be able to help you create a timeline for suspicious activity on the system if you're interested. This depends mostly on the size of your HD and how big the window is between "known good" and "known bad". The bigger the HD and the bigger the window, the more time it will take to create an image of the HD and also to process the disk meta-data looking for changes to files.

Let me know if I can help out.

thanks,
C.G.

On 2/22/07, Jim wrote:
>
> Last night I came home from work and sat down at the computer. I
> noticed the lights on the DSL router were blinking very rapidly. I have
> an ftp server running on my linux box (Slackware 10.2). So I thought
> someone might have been uploading something.
>
> Ftpwho showed no users logged in. I checked the incoming directory and
> saw nothing there.
>
> Tcpdump showed me that they were sending something using ssh.
>
> I used find to look for anything they might have been uploading, but
> found nothing.
>
> /var/log/syslog contained the following over and over for about 4 hours
> before I got home
>
> Feb 22 20:43:56 ladmo smbd[6375]: [2007/02/22 20:43:56, 0]
> printing/print_cups.c:cups_cache_reload(85)
> Feb 22 20:43:56 ladmo smbd[6375]: Unable to connect to CUPS server
> localhost - Connection refused
>
> Then I found in /var/log/syslog this over and over
>
> Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow
> information for NOUSER
>
> I stopped sshd and edited /etc/sshd_config by adding the following:
> AllowUsers root jim
> AllowGroups root
>
> To test the change, I tried to log into the server via ssh and using
> another account. It wouldn't let me log in using that other account via
> ssh.
>
> I also tried
> find / -mmin 1200 -size +100k
> and without the size option, but found nothing from the time this was
> going on.
>
> After all this I tried to send an email, but sendmail wasn't working. I
> backed up my sendmail config files, uninstalled sendmail, reinstalled it
> and restored the config files. Sendmail worked after that.
>
> Is there anything else I should do?
>
> thanks
>
> --
>
> "That income tax you know it's nothing more than legal robbery"
> Sidney "Pa" Larkin
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

--
powerofprimes@gmail.com
Carlos Macedo Gomes
_sic itur ad astra_
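The "known good" to "known bad" timeline C.G. describes, with Jim's repeated sshd NOUSER lines used to mark the "known bad" side of the window, as an added example that is not part of the original thread. It assumes a Linux filesystem (mtime/ctime from lstat), syslog lines in the format Jim quoted, and the year 2007 since syslog omits it; the sample log lines and paths are constructed.

```python
"""Timeline of file metadata changes inside a known-good .. known-bad
window (the approach C.G. describes), with the first sshd NOUSER failure
from syslog bounding the bad side. Added example, not from the thread."""
import os
import re
from datetime import datetime

# sshd line Jim found repeating in /var/log/syslog; syslog has no year.
NOUSER_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"error: Could not get shadow information for NOUSER"
)


def first_nouser_failure(lines, year=2007):
    """Return the earliest NOUSER failure as a datetime, or None.

    Repeated NOUSER errors are the signature of password guessing against
    nonexistent accounts; the first one is a usable "known bad" boundary.
    The year is assumed because the syslog format does not carry it."""
    stamps = []
    for line in lines:
        m = NOUSER_RE.match(line)
        if m:
            stamps.append(datetime.strptime(f"{year} {m.group(1)}",
                                            "%Y %b %d %H:%M:%S"))
    return min(stamps) if stamps else None


def timeline(root, known_good, known_bad):
    """Walk root and return (timestamp, kind, path) for every file whose
    mtime ("m") or ctime ("c") falls within [known_good, known_bad],
    oldest first. Checking ctime as well as mtime catches ownership and
    permission changes that a plain `find -mmin` on mtime would miss."""
    lo, hi = known_good.timestamp(), known_bad.timestamp()
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or unreadable; skip it
            for kind, ts in (("m", st.st_mtime), ("c", st.st_ctime)):
                if lo <= ts <= hi:
                    events.append((ts, kind, path))
    return sorted(events)
```

Run `timeline("/", known_good, first_nouser_failure(open("/var/log/syslog")))` against a mounted image rather than the live disk, so that inspection itself does not update the metadata being examined.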