Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

this don't look good



On Wed, Jan 25, 2006 at 07:45:56AM -0500, Stephen Adler wrote:
> guess what..... I've just issued a last -a on my PC and look what came
> up... a bunch of people have broken into my root account. Any
> suggestions as to how I should proceed?

Format the drive. Reinstall. Restore from backups.

(That would be ideal, anyway.)

I'm presuming this is a system you can't just take off the net / turn
off ssh. If it is such a system, do that now. Next, start killing all
those processes: they look like they're probably attempting to crack
other machines. 

Assuming it needs to stay on the net, and ssh needs to stay open, block
root logins. sshd_config: PermitRootLogin no . This won't stop them for
long, most likely, but it might get you a little farther.

How soon can you get the data here off to another machine, and format
this one? That should be the first priority: If it needs to be slightly
longer than is absolutely neccesary, do the above steps first.

In my limited experience with this, the (cr|h)acker replaced most of
/bin/ with versions that were compromised and behaved oddly (although I
didn't take the time to investigate what was different about them).

In case you didn't get the message yet, you need to reformat and
reinstall if you want any hope of using the box with any confidence of
security or protection again.

-- 
Christopher Schmidt
Web Developer




BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org