[oclug] Question regarding being hacked
Raymond Wood
raywood at magma.ca
Tue May 18 12:45:09 EDT 2004
On May 18, Dave Edwards wrote:
> Mike Kenzie [2004-05-18 11:29-0400]:
> > On Tuesday 18 May 2004 02:35, Dave Lewis wrote:
> > > Hey guys (and Gals I'm sure)
> > >
> > > I seem to have a small issue.. it appears that I was hacked and I'm
> > > interested in knowing if anyone else has seen this before.
> > >
> > > somehow (part of why I'm asking since I'm not sure how they got in)
> >
> > google chkrootkit, install and run it
>
> Also consider installing and running rkhunter --
> http://www.rootkit.nl . I run both it and chkrootkit nightly.
>
> Dave.

chkrootkit and rkhunter are both good checks, and may help to reveal
what method was used to compromise your system.

Obviously you have been 'cracked' (not 'hacked') so you need to
recover. Here are some URLs that may be useful. The first two are
specific to Debian, but may be instructive anyway. The last two are
generic guides to recovering from a compromise.

http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html
http://www.debian.org/doc/manuals/securing-debian-howto/ch-after-compromise.en.html
http://www.cert.org/tech_tips/root_compromise.html
http://www.sans.org/y2k/DDoS.htm

When you re-install (yes, you must), make sure next time that your
system is completely patched for all your distribution's security
updates. The easiest way to do this is to subscribe to a
'security-announce' mailing list connected to your particular Linux
distribution, and then patch immediately whenever you receive a
security alert.

Good luck!

Have Fun with GNU/Linux,
Raymond