Got hacked?

Carlos Macedo Gomes powerofprimes at gmail.com
Thu Feb 22 22:15:16 MST 2007


Hi Jim,

I agree w/ the suggestion of others on the list.  Once your box is
wacked/p0wned the best thing and quickest way to get back online is by
reinstalling the OS.  I personally wouldn't bother with trying to
reconfigure or lock down a box that was known to be compromised since, as
others have mentioned, you'll be fighting an uphill battle that may never
end.

If you have data on the compromised host that needs to be kept you might
want to look at previous "known good" backups.  Last resort would be to make
a backup now, reinstall the OS, and then carefully migrate or recreate the
needed data.

I've got access to commercial and freeware computer forensics tools (part of
my job) and might be able to help you create a timeline for suspicious
activity on the system if you're interested.  This depends mostly on the
size of your HD and how big the window is between "known good" and
"known bad".   The bigger the HD and the bigger the window the more time it
will take to create an image of the HD and also to process the disk
meta-data looking for changes to files.

Let me know if I can help out.

thanks,
C.G.

On 2/22/07, Jim <arizona.anorak at gmail.com> wrote:
>
> Last night I came home from work and sat down at the computer.  I
> noticed the lights on the DSL router were blinking very rapidly.  I have
> an ftp server running on my linux box (Slackware 10.2).  So I thought
> someone might have been uploading something.
>
> Ftpwho showed no users logged in.  I checked the incoming directory and
> saw nothing there.
>
> Tcpdump showed me that they were sending something using ssh.
>
> I used find to look for anything they might have been uploading, but
> found nothing.
>
> /var/log/syslog contained the following over and over for about 4 hours
> before I got home
>
> Feb 22 20:43:56 ladmo smbd[6375]: [2007/02/22 20:43:56, 0]
> printing/print_cups.c:cups_cache_reload(85)
> Feb 22 20:43:56 ladmo smbd[6375]:   Unable to connect to CUPS server
> localhost - Connection refused
>
> Then I found in /var/log/syslog this over and over
>
> Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow
> information for NOUSER
>
> I stopped sshd and edited /etc/sshd_config by adding the following:
> AllowUsers root jim
> AllowGroups root
>
> To test the change, I tried to log into the server via ssh and using
> another account.  It wouldn't let me log in using that other account via
> ssh.
>
> I also tried
> find / -mmin 1200 -size +100k
> and without the size option, but found nothing from the time this was
> going on.
>
> After all this I tried to send an email, but sendmail wasn't working.  I
> backed up my sendmail config files, uninstalled sendmail, reinstalled it
> and restored the config files.  Sendmail worked after that.
>
> Is there anything else I should do?
>
> thanks
>
> --
>
>
> "That income tax you know it's nothing more than legal robbery"
> Sidney "Pa" Larkin



-- 
powerofprimes at gmail.com
Carlos Macedo Gomes
_sic itur ad astra_
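Added example, not part of either message above: a small Python script that ties together the two things discussed in this thread, the sshd "Could not get shadow information for NOUSER" lines Jim found in /var/log/syslog and the file-metadata timeline Carlos describes. It first scans syslog lines for the NOUSER failures to bound the "known bad" window, then walks a directory and lists every file whose mtime or ctime falls inside that window, sorted by time. The log lines are constructed for the example (unwrapped versions of the ones in Jim's post; syslog carries no year, so it is passed in), and the directory walked is a temporary one the script creates. One caveat on the `find / -mmin 1200` command in the thread: without a sign, `-mmin n` matches files modified exactly n minutes ago, so a window scan like the one below, or `-mmin -1200`, is what you want when hunting for changed files.

```python
import os
import re
import tempfile
from datetime import datetime

# Syslog line shape as seen in the post:
#   Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow information for NOUSER
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
NOUSER_MSG = "Could not get shadow information for NOUSER"

# Constructed sample, modelled on the lines quoted in the thread (not real log data).
SAMPLE_SYSLOG = [
    "Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow information for NOUSER",
    "Feb 21 22:11:20 ladmo sshd[26257]: error: Could not get shadow information for NOUSER",
    "Feb 21 23:05:02 ladmo sshd[26301]: error: Could not get shadow information for NOUSER",
    "Feb 22 20:43:56 ladmo smbd[6375]: [2007/02/22 20:43:56, 0] printing/print_cups.c:cups_cache_reload(85)",
    "Feb 22 20:43:56 ladmo smbd[6375]:   Unable to connect to CUPS server localhost - Connection refused",
]


def parse_syslog(line, year):
    """Parse one classic syslog line into a dict, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"],
            "pid": m["pid"], "msg": m["msg"]}


def nouser_window(lines, year):
    """Return (count, first, last) for sshd NOUSER failures; (0, None, None) if none.

    The first hit is a reasonable lower bound for the 'known bad' window:
    repeated NOUSER errors are what an sshd login-guessing run looks like
    in syslog when the attempted account does not exist."""
    hits = []
    for line in lines:
        e = parse_syslog(line, year)
        if e and e["prog"] == "sshd" and NOUSER_MSG in e["msg"]:
            hits.append(e["ts"])
    if not hits:
        return (0, None, None)
    return (len(hits), min(hits), max(hits))


def file_timeline(root, start, end):
    """Walk root and return sorted (timestamp, kind, path) tuples for every
    file whose mtime or ctime lies in [start, end].

    ctime cannot be forged with utime(2), so a file whose mtime looks old but
    whose ctime is inside the window deserves a closer look."""
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the scan
            for kind, epoch in (("mtime", st.st_mtime), ("ctime", st.st_ctime)):
                ts = datetime.fromtimestamp(epoch)
                if start <= ts <= end:
                    events.append((ts, kind, path))
    events.sort()
    return events


def demo():
    """Build a throwaway directory with one file inside the window and one outside."""
    count, first, last = nouser_window(SAMPLE_SYSLOG, 2007)
    # Window runs from the first NOUSER hit to when Jim got home (from his post).
    window_end = datetime(2007, 2, 22, 20, 44, 0)
    tmp = tempfile.mkdtemp()
    inside = os.path.join(tmp, "dropped.bin")
    outside = os.path.join(tmp, "old.conf")
    for path, when in ((inside, datetime(2007, 2, 21, 23, 0, 0)),
                       (outside, datetime(2007, 2, 10, 12, 0, 0))):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.utime(path, (when.timestamp(), when.timestamp()))
    events = file_timeline(tmp, first, window_end)
    return count, first, last, events


if __name__ == "__main__":
    count, first, last, events = demo()
    print(f"{count} sshd NOUSER failures between {first} and {last}")
    for ts, kind, path in events:
        print(f"{ts}  {kind:5}  {path}")
```

On a real box this would be run against a mounted image of the disk, not the live compromised system, and the window end would come from the last "known bad" observation rather than a hard-coded value.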