Got hacked?
Shawn Badger
badger.shawn at gmail.com
Fri Feb 23 07:31:35 MST 2007
I would agree that it is a great learning experience. Hopefully it
gives a little insight into why they do what they do. After you have
learned a little and maybe even messed with them a little then you
should reload the box. Just my opinion though.
On 2/23/07, daz <david at damnetwork.net> wrote:
> Jim wrote:
> > Last night I came home from work and sat down at the computer. I
> > noticed the lights on the DSL router were blinking very rapidly. I have
> > an ftp server running on my linux box (Slackware 10.2). So I thought
> > someone might have been uploading something.
> > Is there anything else I should do?
> >
> > thanks
> >
>
> I'm going to go against the grain here with my suggestion. My first
> question would be:
>
> How important to you is it that that server stays 'pure'?
> My second question:
>
> Do you have the time/curiosity to try to find out what happened?
>
> Back in the day, one of my servers got hacked. It was an ssh exploit
> (the funny thing was that I had patched ssh for an exploit. I just
> didn't see that the patch had an exploit so didn't patch the patch.
> pleh). Anyway, since it was my home server and I wanted to know wtf
> happened, I didn't reinstall. I did forensics. I got clean copies of
> some binaries:
>
> ls, ps, lsof, file, cat, more, sh, find, netstat, etc.
>
> then started checking out my system. It was a tremendous learning
> experience. And yes, I did it while the box was live and the jerk was
> still doing his/her thing.
>
> One of the interesting things I found out was how many other servers the
> jerk found that were easily exploited :)
>
> Of course, this depends *entirely* on how important and sensitive your
> server and its data are(is?).
>
> David