[PLUG] Got hacked last night - HELP!
Darkhorse
plug_0 at robinson-west.com
Tue Oct 5 10:21:02 UTC 2004
On Tue, 2004-10-05 at 09:30, Bill Thoen wrote:
> On Mon, 4 Oct 2004, Michael Rasmussen wrote:
>
> > run rpm -Va and figure out anything that fails the comparison
>
> S.5....T /bin/netstat
> S.5....T /sbin/ifconfig
> S.5....T /usr/bin/find
> S.5....T /usr/bin/killall
> S.5....T /usr/bin/pstree
> S.5....T /bin/ls
> S.5....T /usr/bin/dir
> S.5....T /usr/bin/du
> S.5....T /usr/bin/vdir
> S.5....T /sbin/syslogd
> S.5....T /usr/sbin/tcpd
> S.5....T /bin/ps
> S.5....T /usr/bin/top
>
> Guess what? ALL of these were modified on Oct 2 at 09:48, exactly when the
> hacker got in, according to the /var/log/messages and /var/log/secure
> logs. Why he hasn't done anything more nasty with his new toy yet I have
> no idea. Or maybe he has... I wish I knew how it was done. What good is
> it to restore a system that's so easily compromised?
>
> Anyway, I'm going to move my mail services to my ISP's place and then I've
> got to drop off line and waste the day repairing this mess. Thanks for all
> your help! I hope to be back again some day...
>
>
> - Bill Thoen
>
>
>
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
Note: I've never known Redhat to pass rpm verification even
when it's freshly installed. That includes two boxed
copies. I seriously question the validity of rpm -Va,
though on a hunch I have replaced packages in the past
and it has helped considerably.
-- Michael C. Robinson
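Bill's listing is the kind of `rpm -Va` output a responder has to triage by hand: each line is a flag field (S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime; newer rpm adds a ninth P column for capabilities), an optional attribute marker (c config, d doc, g ghost, l license, r readme) and the path, with `.` meaning the attribute matched and `?` meaning it could not be checked. The following Python script is an added example, not code from this thread or from the rpm project. It parses that format and ranks each hit with a heuristic of my own: mtime-only changes and config files are demoted (the usual source of the false positives Michael mentions), while a digest mismatch on a file under a system binary or library directory is ranked high. The thirteen paths in the sample are the ones from Bill's message; the remaining sample lines are constructed.

```python
"""Triage helper for `rpm -Va` output (added example, not from the thread).

Flag positions: S size, M mode, 5 digest, D device, L symlink, U user,
G group, T mtime, and in newer rpm a ninth column P (capabilities).
'.' means the attribute matched; '?' means it could not be checked.
The severity rules below are an assumed heuristic, not rpm policy.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FLAG_NAMES = {
    "S": "size", "M": "mode", "5": "digest", "D": "device",
    "L": "symlink", "U": "user", "G": "group", "T": "mtime",
    "P": "capabilities",
}

# flags, optional attribute marker (c/d/g/l/r), then the path
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)\s*$"
)
MISSING_RE = re.compile(r"^missing\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)\s*$")

# directories where a digest mismatch on a non-config file deserves a close look
EXEC_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")


@dataclass
class Finding:
    path: str
    changed: set          # attribute names that differ from the rpm database
    attr: str | None = None
    missing: bool = False

    @property
    def severity(self) -> str:
        if self.missing:
            return "medium"
        if self.attr == "c":              # config files are expected to drift
            return "low"
        if self.changed <= {"mtime"}:     # timestamp only: touch, prelink, tz changes
            return "low"
        if "digest" in self.changed:      # content actually differs
            return "high" if self.path.startswith(EXEC_DIRS) else "medium"
        return "medium"                   # mode/owner/group changes


def parse_rpm_verify(text: str) -> list[Finding]:
    """Parse `rpm -V` lines into Finding records; unrelated lines are skipped."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MISSING_RE.match(line)
        if m:
            findings.append(Finding(m["path"], set(), m["attr"], missing=True))
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                      # e.g. "Unsatisfied dependencies" lines
        flags = m["flags"]
        changed = {FLAG_NAMES[c] for c in flags if c in FLAG_NAMES}
        if "?" in flags:
            changed.add("unchecked")
        findings.append(Finding(m["path"], changed, m["attr"]))
    return findings


def summarize(text: str) -> dict[str, list[str]]:
    """Group paths by severity so the high bucket can be reviewed first."""
    buckets: dict[str, list[str]] = {"high": [], "medium": [], "low": []}
    for f in parse_rpm_verify(text):
        buckets[f.severity].append(f.path)
    return buckets


# First thirteen lines are the paths from the thread; the rest are constructed.
SAMPLE = """\
S.5....T    /bin/netstat
S.5....T    /sbin/ifconfig
S.5....T    /usr/bin/find
S.5....T    /usr/bin/killall
S.5....T    /usr/bin/pstree
S.5....T    /bin/ls
S.5....T    /usr/bin/dir
S.5....T    /usr/bin/du
S.5....T    /usr/bin/vdir
S.5....T    /sbin/syslogd
S.5....T    /usr/sbin/tcpd
S.5....T    /bin/ps
S.5....T    /usr/bin/top
.......T  c /etc/hosts
S.5....T  c /etc/ssh/sshd_config
S.5....T    /usr/share/magic
.M......    /usr/bin/example-tool
missing     /var/run/example.pid
"""

if __name__ == "__main__":
    for level, paths in summarize(SAMPLE).items():
        print(f"{level}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Run it as `rpm -Va 2>/dev/null | python3 triage.py` after replacing `SAMPLE` with `sys.stdin.read()`. One caveat worth keeping in mind: `rpm -Va` compares files against the rpm database and uses the `rpm` binary on the same host, so both can be altered along with the files listed; verifying against the original package files with `rpm -Vp package.rpm`, or from a boot medium, gives a comparison the suspect system does not control.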