[PLUG] Got hacked last night - HELP!

Bill Thoen bthoen at gisnet.com
Tue Oct 5 09:26:04 UTC 2004


On Mon, 4 Oct 2004, Michael Rasmussen wrote:

> run rpm -Va and figure out anything that fails the comparison

S.5....T   /bin/netstat
S.5....T   /sbin/ifconfig
S.5....T   /usr/bin/find
S.5....T   /usr/bin/killall
S.5....T   /usr/bin/pstree
S.5....T   /bin/ls
S.5....T   /usr/bin/dir
S.5....T   /usr/bin/du
S.5....T   /usr/bin/vdir
S.5....T   /sbin/syslogd
S.5....T   /usr/sbin/tcpd
S.5....T   /bin/ps
S.5....T   /usr/bin/top

Guess what? ALL of these were modified on Oct 2 at 09:48, exactly when the
hacker got in, according to the /var/log/messages and /var/log/secure
logs. Why he hasn't done anything more nasty with his new toy yet I have
no idea. Or maybe he has...  I wish I knew how it was done. What good is 
it to restore a system that's so easily compromised?

Anyway, I'm going to move my mail services to my ISP's place and then I've
got to drop off line and waste the day repairing this mess. Thanks for all
your help! I hope to be back again some day...


- Bill Thoen
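The `rpm -Va` listing above is the whole clue in this thread, so here is an added example (not code from the post or from Bill) that decodes it. `rpm -Va` prints one eight-column flag field per file: S means the size differs, M the mode, 5 the MD5/digest, D device, L symlink target, U owner, G group, T mtime; a dot means that attribute still matches the package database, and `missing` means the file is gone. The script below parses that output, separates content changes (S/5/missing) from harmless mtime or config drift, and flags content changes in the binaries a 2004-era rootkit typically replaced. The sample input is the thirteen lines quoted in the post plus three constructed records; the `ROOTKIT_TARGETS` set is my assumption, not something the post states.

```python
"""Triage `rpm -Va` output for trojaned system binaries.

Added example, not code from the original PLUG post. SAMPLE_OUTPUT is the
verify listing quoted in the post plus three constructed lines; the
ROOTKIT_TARGETS set is an assumption about what rootkits of that era replaced.
"""
import re

# rpm(8) verify columns, in order: S size, M mode, 5 digest, D device,
# L symlink path, U user, G group, T mtime (newer rpm adds P capabilities).
# '.' means the attribute matched the package database, '?' means untestable.
FLAG_MEANING = {
    "S": "size", "M": "mode", "5": "digest", "D": "device",
    "L": "symlink", "U": "user", "G": "group", "T": "mtime", "P": "caps",
}

# Assumption: binaries classic Linux rootkits replaced to hide processes,
# files, logins and sockets. Not stated in the post; extend for your system.
ROOTKIT_TARGETS = frozenset({
    "/bin/ls", "/bin/ps", "/bin/netstat", "/bin/login", "/sbin/ifconfig",
    "/sbin/syslogd", "/usr/bin/top", "/usr/bin/find", "/usr/bin/killall",
    "/usr/bin/pstree", "/usr/bin/du", "/usr/bin/dir", "/usr/bin/vdir",
    "/usr/sbin/tcpd", "/usr/sbin/sshd",
})

# Flag field, optional file-type letter (c config, d doc, g ghost, l license,
# r readme), then the absolute path.
VERIFY_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$"
)
MISSING_RE = re.compile(r"^missing\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$")


def parse_verify_line(line):
    """Return (path, attr, flags) for one rpm -Va record, or None for other text.

    `flags` is the set of attribute letters that differ; a missing file is
    reported with the single pseudo-flag 'missing'.
    """
    line = line.strip()
    m = MISSING_RE.match(line)
    if m:
        return m.group("path"), m.group("attr"), {"missing"}
    m = VERIFY_RE.match(line)
    if not m:
        return None
    flags = {ch for ch in m.group("flags") if ch in FLAG_MEANING}
    return m.group("path"), m.group("attr"), flags


def verdict(path, attr, flags):
    """Classify one record; only digest/size changes mean the contents differ."""
    if "missing" in flags:
        return "missing"
    if not flags & {"5", "S"}:
        return "metadata only"       # mtime/mode/owner drift, contents intact
    if attr == "c":
        return "config edited"       # %config files are expected to drift
    if path in ROOTKIT_TARGETS:
        return "likely trojaned"     # content change in a rootkit favourite
    return "modified"


def triage(rpm_va_output):
    """Map each verified path to its verdict, skipping non-record lines."""
    results = {}
    for line in rpm_va_output.splitlines():
        rec = parse_verify_line(line)
        if rec is None:
            continue
        path, attr, flags = rec
        results[path] = verdict(path, attr, flags)
    return results


def suspects(rpm_va_output):
    """Sorted list of paths the triage calls likely trojaned."""
    return sorted(p for p, v in triage(rpm_va_output).items()
                  if v == "likely trojaned")


# Constructed sample: the 13 lines quoted in the post plus three made-up
# records showing a harmless config edit, pure mtime drift, and a missing file.
SAMPLE_OUTPUT = """\
S.5....T   /bin/netstat
S.5....T   /sbin/ifconfig
S.5....T   /usr/bin/find
S.5....T   /usr/bin/killall
S.5....T   /usr/bin/pstree
S.5....T   /bin/ls
S.5....T   /usr/bin/dir
S.5....T   /usr/bin/du
S.5....T   /usr/bin/vdir
S.5....T   /sbin/syslogd
S.5....T   /usr/sbin/tcpd
S.5....T   /bin/ps
S.5....T   /usr/bin/top
S.5....T c /etc/ssh/sshd_config
.......T   /usr/share/doc/README
missing    /usr/bin/md5sum
"""

if __name__ == "__main__":
    for path, v in sorted(triage(SAMPLE_OUTPUT).items()):
        print(f"{v:16} {path}")
```

Run it against a saved listing with `rpm -Va > verify.txt` on the suspect box and feed the file in; all thirteen of Bill's binaries come back as "likely trojaned" because their size and digest both changed, while the constructed config and doc lines are classified as benign drift. The caveat the thread itself hints at: a modified `rpm` binary or database lies, so `rpm -Va` run from the compromised system is only a first cut, and the authoritative check is to compare against the vendor package (`rpm -Vp` against a clean RPM, or booting clean media) before trusting anything it reports.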

