Got hacked?

Bryan O'Neal BONeal at cornerstonehome.com
Fri Feb 23 18:53:26 MST 2007


I think the expression I heard to describe this was:
If you drop your fork in a pile of dog poo at a picnic it will not
matter how well you clean it, deep down you would still prefer just to
get a new fork.

-----Original Message-----
From: plug-discuss-bounces at lists.plug.phoenix.az.us
[mailto:plug-discuss-bounces at lists.plug.phoenix.az.us] On Behalf Of John
Schember
Sent: Thursday, February 22, 2007 9:21 PM
To: Main PLUG discussion list
Subject: Re: Got hacked?

Wipe the machine and reinstall. Once you're compromised there is no way to
tell 100% what was done. They could have installed a custom rootkit
that will give them a telnet session when they port knock on the server.
You can try to clean it but the only way to be sure the system is clean
is to do a clean install.

John Schember


On Thu, 2007-02-22 at 21:15 -0700, Jim wrote:
> Last night I came home from work and sat down at the computer.  I
> noticed the lights on the DSL router were blinking very rapidly.  I have
> an ftp server running on my linux box (Slackware 10.2).  So I thought
> someone might have been uploading something.
> 
> Ftpwho showed no users logged in.  I checked the incoming directory and
> saw nothing there.
> 
> Tcpdump showed me that they were sending something using ssh.
> 
> I used find to look for anything they might have been uploading, but 
> found nothing.
> 
> /var/log/syslog contained the following over and over for about 4 hours
> before I got home
> 
> Feb 22 20:43:56 ladmo smbd[6375]: [2007/02/22 20:43:56, 0] 
> printing/print_cups.c:cups_cache_reload(85)
> Feb 22 20:43:56 ladmo smbd[6375]:   Unable to connect to CUPS server 
> localhost - Connection refused
> 
> Then I found in /var/log/syslog this over and over
> 
> Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow 
> information for NOUSER
> 
> I stopped sshd and edited /etc/sshd_config by adding the following:
> AllowUsers root jim
> AllowGroups root
> 
> To test the change, I tried to log into the server via ssh and using
> another account.  It wouldn't let me log in using that other account via
> ssh.
> 
> I also tried
> find / -mmin 1200 -size +100k
> and without the size option, but found nothing from the time this was 
> going on.
> 
> After all this I tried to send an email, but sendmail wasn't working.  I
> backed up my sendmail config files, uninstalled sendmail, reinstalled it
> and restored the config files.  Sendmail worked after that.
> 
> Is there anything else I should do?
> 
> thanks
> 
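
As an added example (not code from the thread or from any of the posters), here is the triage Jim did by eye over /var/log/syslog, done as a script: it parses classic syslog lines like the ones quoted above, counts the sshd "Could not get shadow information for NOUSER" failures per hour, reports the first and last timestamp and the span between them, and lists any successful sshd logins seen in the same log. The sample lines, the year (classic syslog omits it, so the caller supplies it), the PIDs, the 192.0.2.10 address and the three-failures-per-hour threshold are all constructed assumptions. Two caveats sit well next to John's advice: a summary like this reads the logs of the machine under suspicion, so a tampered log yields a clean-looking summary; and GNU find's `-mmin 1200` matches files modified exactly 1200 minutes ago, while `-mmin -1200` matches anything modified within the last 1200 minutes.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the lines quoted in the thread. Timestamps,
# PIDs and the 192.0.2.10 (TEST-NET) address are made up; this is not Jim's log.
SAMPLE_SYSLOG = """\
Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow information for NOUSER
Feb 21 22:11:19 ladmo sshd[26258]: error: Could not get shadow information for NOUSER
Feb 21 22:12:02 ladmo sshd[26261]: error: Could not get shadow information for NOUSER
Feb 21 23:40:41 ladmo sshd[26402]: error: Could not get shadow information for NOUSER
Feb 22 01:05:10 ladmo sshd[26590]: error: Could not get shadow information for NOUSER
Feb 22 20:43:56 ladmo smbd[6375]: [2007/02/22 20:43:56, 0] printing/print_cups.c:cups_cache_reload(85)
Feb 22 20:43:56 ladmo smbd[6375]:   Unable to connect to CUPS server localhost - Connection refused
Feb 22 20:44:01 ladmo sshd[6401]: Accepted publickey for jim from 192.0.2.10 port 51522 ssh2
"""

# Classic syslog: "Mon dd HH:MM:SS host program[pid]: message" (no year).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
NOUSER_MSG = "Could not get shadow information for NOUSER"
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port (\d+)")


def parse_syslog(text, year=2007):
    """Turn syslog lines into (timestamp, host, program, message) tuples.
    Lines that do not match the classic format are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["prog"], m["msg"].strip()))
    return events


def summarize_sshd(text, year=2007, per_hour_threshold=3):
    """Summarize NOUSER login failures and successful sshd logins.
    per_hour_threshold is an assumed tuning knob, not an sshd setting."""
    events = parse_syslog(text, year)
    failures = [e for e in events if e[2] == "sshd" and NOUSER_MSG in e[3]]
    # Bucket failures by the hour they fell in to spot a sustained guessing run.
    per_hour = Counter(e[0].replace(minute=0, second=0) for e in failures)
    accepted = []
    for ts, _host, prog, msg in events:
        m = ACCEPTED_RE.search(msg)
        if prog == "sshd" and m:
            accepted.append(
                {"when": ts.isoformat(), "method": m[1], "user": m[2], "from": m[3]}
            )
    summary = {
        "nouser_failures": len(failures),
        "peak_per_hour": max(per_hour.values(), default=0),
        "accepted_logins": accepted,
    }
    if failures:
        summary["first"] = failures[0][0].isoformat()
        summary["last"] = failures[-1][0].isoformat()
        summary["span_seconds"] = int(
            (failures[-1][0] - failures[0][0]).total_seconds()
        )
    summary["guessing_suspected"] = summary["peak_per_hour"] >= per_hour_threshold
    return summary


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_sshd(SAMPLE_SYSLOG), indent=2))
```

Against a real file, call `summarize_sshd(open("/var/log/syslog").read(), year=2007)` and check the `accepted_logins` list as carefully as the failure count: a run of NOUSER failures followed by an `Accepted` line from an address you do not recognize is the combination that matters, and it is exactly the kind of evidence an intruder with root would remove, which is why a clean-looking summary does not argue against the reinstall John recommends.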

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
