Re: hacked

Top Page
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: Darrin Chandler
Date:  
To: Main PLUG discussion list
Subject: Re: hacked
On Wed, Apr 12, 2006 at 09:52:44AM -0700, Jason Etchason wrote:
> I'm pretty sure that my linux box at home has been hacked, and am not sure
> what to do next. I found a samba share called [radio] and directory /tmp at
> root that was just recently created with suspicious files.


What was in this samba share? I can't find much googling for this.

What did you see in /tmp that looked suspicious?

> The box in question has slackware 10.2 and is sitting behind a netgear
> router. The only hole between the internet and the box was port forwarding
> for SSH on a non standard port. I am pretty sure I disabled root the login
> via SSH. I suppose that this could have been bruteforced - My SSH login is
> 10 chars and only 3 of them are non-alpha. Because I'm just running the box
> at home, and still learning, I have been lax about setting up any rights
> management. So if someone did get in thru SSH, they pretty much had full
> access immediately.


The only hole as defined how? The netgear (yikes!)? Iptables?

> Once I get home from work today, I want to be able to bring my system back
> up, but not before I am certain I have closed off all vulnerabilities. Then
> I'd also like to setup some form of IDS, but I do not know if that is above
> my skill level. Of course, I gotta learn some time, so I might as well now?


If at all possible, boot from a floppy or CD in single-user mode or
rescue mode, etc. You'll probably have to mount your filesystems by
hand (or not?). This way, you'll be in control even if someone has a
rootkit installed. Then you can check out anything you want.

-- 
Darrin Chandler            |  Phoenix BSD Users Group
   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
---------------------------------------------------
PLUG-discuss mailing list - 
To subscribe, unsubscribe, or to change  you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss