Hi Jim,<br><br>I agree w/ the suggestion of others on the list.&nbsp; Once your box is wacked/p0wned the best thing and quickest way to get back online is by reinstalling the OS.&nbsp; I personally woulnd&#39;t bother with trying to reconfigure or lock down a box that was known to be compromised since, as others have mentioned, you&#39;ll be fighting an uphill battle that my never end.
<br><br>If you have data on the compromised host that needs to be kept you might want to look at previous &quot;known good&quot; backups.&nbsp; Last resort would be to make a backup now, resintall the OS, and then carefully migrate or recreate the needed data.
<br><br>I&#39;ve got access to commercial and freeware computer forensics tools (part of my job) and might be able to help you create a timeline for suspicous activity on the system if you&#39;re interested.&nbsp; This depends mostly on the size of your HD and the how big the window is between &quot;known good&quot; and &quot;known bad&quot;.&nbsp;&nbsp; The bigger the HD and the bigger the window the more time it will take to create an image of the HD and also to process the disk meta-data looking for changes to files.
<br><br>Let me know if I can help out.<br><br>thanks,<br>C.G.<br><br><div><span class="gmail_quote">On 2/22/07, <b class="gmail_sendername">Jim</b> &lt;<a href="mailto:arizona.anorak@gmail.com">arizona.anorak@gmail.com</a>
&gt; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Last night I came home from work and sat down at the computer.&nbsp;&nbsp;I<br>noticed the lights on the DSL router were blinking very rapidly.&nbsp;&nbsp;I have
<br>an ftp server running on my linux box (Slackware 10.2).&nbsp;&nbsp;So I thought<br>someone might have been uploading something.<br><br>Ftpwho showed no users logged in.&nbsp;&nbsp;I checked the incoming directory and<br>saw nothing there.
<br><br>Tcpdump showed me that they were sending something using ssh.<br><br>I used find to look for anything they might have been uploading, but<br>found nothing.<br><br>/var/log/syslog contained the following over and over for about 4 hours
<br>before I got home<br><br>Feb 22 20:43:56 ladmo smbd[6375]: [2007/02/22 20:43:56, 0]<br>printing/print_cups.c:cups_cache_reload(85)<br>Feb 22 20:43:56 ladmo smbd[6375]:&nbsp;&nbsp; Unable to connect to CUPS server<br>localhost - Connection refused
<br><br>Then I found in /var/log/syslog this over and over<br><br>Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow<br>information for NOUSER<br><br>I stopped sshd and edited /etc/sshd_config by adding the following:
<br>AllowUsers root jim<br>AllowGroups root<br><br>To test the change, I tried to log into the server via ssh and using<br>another account.&nbsp;&nbsp;It wouldn&#39;t let me log in using that other account via<br>ssh.<br><br>I also tried
<br>find / -mmin 1200 -size +100k<br>and without the size option, but found nothing from the time this was<br>going on.<br><br>After all this I tried to send an email, but sendmail wasn&#39;t working.&nbsp;&nbsp;I<br>backed up my sendmail config files, uninstalled sendmail, reinstalled it
<br>and restored the config files.&nbsp;&nbsp;Sendmail worked after that.<br><br>Is there anything else I should do?<br><br>thanks<br><br>--<br><br><br>&quot;That income tax you know it&#39;s nothing more than legal robbery&quot;<br>
Sidney &quot;Pa&quot; Larkin<br>---------------------------------------------------<br>PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.plug.phoenix.az.us">PLUG-discuss@lists.plug.phoenix.az.us</a><br>To subscribe, unsubscribe, or to change&nbsp;&nbsp;you mail settings:
<br><a href="http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss">http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss</a><br></blockquote></div><br><br clear="all"><br>-- <br><a href="mailto:powerofprimes@gmail.com">
powerofprimes@gmail.com</a><br>Carlos Macedo Gomes<br>_sic itur ad astra_<br>