[PLUG] Hacked? More info

Mark Martin mmartin at u.washington.edu
Tue Dec 17 02:08:07 UTC 2002


You've been cracked, without a doubt.  If you haven't already, I strongly 
suggest unplugging the box from the phone line in case the cracker set up 
jobs to dial out and perform some nefarious tasks.  If you know someone on 
the list who is good at forensics, maybe they'd be willing and interested in 
taking a look at it for you before you wipe it.  Otherwise, I suggest 
carefully retrieving whatever important personal files that you can using a 
rescue disk (which won't have trojaned commands), wiping the drive (also 
using a rescue disk), and reinstalling the system.  Check any personal files 
that you want to save very thoroughly to make sure that you aren't going to 
compromise the system with them.  You also might want to change your 
passwords on other boxes where you might have the same or similar 
passwords.  Furthermore, I suggest setting up firewalling on the system 
before reattaching to the network, eliminating any unnecessary services, and, 
of course, choosing completely different passwords.

If you're interested, you might use a floppy to transfer chkrootkit to the 
system to see what you can learn.  I sent the URL in another message in this 
thread.

I know that some of these are appallingly obvious and I've probably missed 
something vital (that someone else will undoubtedly let me know about soon).  
Sorry that it ended up this way and best of luck in cleaning up the mess.

Mark

P.S. It might not be all bad.  At least it gives you an opportunity to 
upgrade. ;-)

On Monday 16 December 2002 19:54, Phil Tomson wrote:
> Yup, I did: chattr -i /tmp
> And that did the trick.  And yes, /var/tmp was also set with the i
> attribute and that does seem rather malicious.
>
> But then.... after kdm started I notice that there is a new user listed on
> the login screen.  The name of the new user is WiNAta - very bizarre!
>
> Phil
-- 
---------------------------------------------------------------------
Mark A. Martin, Ph.D.
Applied Mathematics -- Software Development -- Systems Administration
Currently available for employment.
See http://www.amath.washington.edu/~mmartin/resume/ for details.
---------------------------------------------------------------------
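A worked triage check for the two indicators raised in this thread (an immutable attribute set on /tmp and /var/tmp, and an unknown account appearing on the login screen), added here as an example and not code that Mark or Phil posted. It assumes the suspect disk is mounted under a rescue system at the path in ROOT (default /mnt/root, an assumption), that `lsattr -d` prints the attribute field first and the path second, and that KNOWN_USERS lists the accounts the admin actually created; the passwd and lsattr sample lines in the script are constructed.

```shell
#!/bin/sh
# Added example for the PLUG thread above; not code from the original posts.
# Run from a rescue system against the suspect root filesystem mounted at
# $ROOT (assumed mount point, default /mnt/root), so every check uses the
# rescue system's own binaries rather than possibly trojaned ones on the disk.

ROOT="${ROOT:-/mnt/root}"
KNOWN_USERS="${KNOWN_USERS:-root}"   # accounts the admin actually created (assumed)

# immutable_dirs: read `lsattr -d` output on stdin and print each path whose
# attribute field contains the immutable flag 'i'.  Assumed output format:
#   ----i--------e-- /tmp
# An immutable /tmp or /var/tmp the admin never set is the indicator Phil hit
# (chattr -i was needed before kdm could start).
immutable_dirs() {
    awk '{ if (index($1, "i") > 0) print $2 }'
}

# unexpected_logins: read an /etc/passwd file on stdin; $1 is a space-separated
# list of expected account names.  Prints any account that is root-equivalent
# (UID 0) but not named root, and any account with a real login shell that is
# not on the expected list (the "WiNAta" case from the thread).
unexpected_logins() {
    awk -F: -v known="$1" '
        BEGIN { n = split(known, arr, " "); for (i = 1; i <= n; i++) ok[arr[i]] = 1 }
        $3 == 0 && $1 != "root" { print $1 " uid=0 (root-equivalent)"; next }
        $7 !~ /(nologin|false)$/ && !($1 in ok) { print $1 " uid=" $3 " shell=" $7 }
    '
}

# Constructed sample data for a dry run (not taken from any real system).
SAMPLE_LSATTR='----i--------e-- /tmp
----i--------e-- /var/tmp
-------------e-- /home'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
phil:x:1000:1000:Phil Tomson:/home/phil:/bin/bash
WiNAta:x:1001:1001::/home/WiNAta:/bin/bash
toor:x:0:0::/root:/bin/sh'

# run_checks: apply both checks to the mounted root if it is present,
# otherwise to the constructed samples so the script can be tried offline.
run_checks() {
    if [ -f "$ROOT/etc/passwd" ] && command -v lsattr >/dev/null 2>&1; then
        echo "== immutable directories under $ROOT =="
        lsattr -d "$ROOT/tmp" "$ROOT/var/tmp" 2>/dev/null | immutable_dirs
        echo "== accounts not in KNOWN_USERS ($KNOWN_USERS) =="
        unexpected_logins "$KNOWN_USERS" < "$ROOT/etc/passwd"
    else
        echo "== (sample data) immutable directories =="
        printf '%s\n' "$SAMPLE_LSATTR" | immutable_dirs
        echo "== (sample data) unexpected accounts =="
        printf '%s\n' "$SAMPLE_PASSWD" | unexpected_logins "root phil"
    fi
}

run_checks
```

Against a real disk, run it as `ROOT=/mnt/root KNOWN_USERS="root phil" sh triage.sh` from the rescue system. It only reports; it does not clear the attribute or remove accounts, since anything you find is evidence worth handing to whoever looks at the box before it is wiped.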
