[PLUG] Got hacked last night - HELP!
Bill Thoen
bthoen at gisnet.com
Tue Oct 5 09:26:04 UTC 2004
On Mon, 4 Oct 2004, Michael Rasmussen wrote:
> run rpm -Va and figure out anything that fails the comparison
S.5....T /bin/netstat
S.5....T /sbin/ifconfig
S.5....T /usr/bin/find
S.5....T /usr/bin/killall
S.5....T /usr/bin/pstree
S.5....T /bin/ls
S.5....T /usr/bin/dir
S.5....T /usr/bin/du
S.5....T /usr/bin/vdir
S.5....T /sbin/syslogd
S.5....T /usr/sbin/tcpd
S.5....T /bin/ps
S.5....T /usr/bin/top
Guess what? ALL of these were modified on Oct 2 at 09:48, exactly when the
hacker got in, according to the /var/log/messages and /var/log/secure
logs. Why he hasn't done anything more nasty with his new toy yet I have
no idea. Or maybe he has... I wish I knew how it was done. What good is
it to restore a system that's so easily compromised?
Anyway, I'm going to move my mail services to my ISP's place and then I've
got to drop off line and waste the day repairing this mess. Thanks for all
your help! I hope to be back again some day...
- Bill Thoen
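
Added example, not part of the original post: a small Python triage of `rpm -Va` output like the listing above. It decodes the flag column (S = size, 5 = digest, T = mtime) and separates content changes to packaged non-config files from everything else; the function names are hypothetical and the last three sample lines are constructed.

```python
import re

# Meaning of each character rpm -V can print in the flag column.
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device",
         "L": "symlink", "U": "owner", "G": "group", "T": "mtime",
         "P": "capabilities"}

# Flag column, optional file-type marker (c = config, d = doc, ...), then the path.
LINE_RE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")

def parse_verify_line(line):
    """Return (changed_attributes, marker, path), or None for unrelated lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    col, marker, path = m.groups()
    if col == "missing":
        return ({"missing"}, marker, path)
    return ({FLAGS[c] for c in col if c in FLAGS}, marker, path)

def triage(lines):
    """Split findings into content changes to packaged non-config files
    (the pattern in the post) and everything else."""
    suspicious, other = [], []
    for line in lines:
        parsed = parse_verify_line(line)
        if parsed is None:
            continue
        changed, marker, path = parsed
        if "digest" in changed and marker != "c":
            suspicious.append((path, sorted(changed)))
        else:
            other.append((path, sorted(changed)))
    return suspicious, other

# First three lines are from the post; the last three are constructed.
SAMPLE = """\
S.5....T /bin/netstat
S.5....T /bin/ps
S.5....T /sbin/syslogd
S.5....T c /etc/hosts
.......T /usr/share/doc/constructed-example/README
missing    /usr/bin/constructed-example
"""

if __name__ == "__main__":
    suspicious, other = triage(SAMPLE.splitlines())
    for path, changed in suspicious:
        print("CONTENT CHANGED:", path, ",".join(changed))
```

On a host that may be compromised, the rpm binary and its database are themselves untrusted, so the verification is only meaningful when run from known-good media against the mounted filesystem.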