was i hacked
Joshua Ariizumi
pluglist at plug.org
Sat May 3 11:35:03 MDT 2003
http://www.chkrootkit.org/
You can use chkrootkit to check for any of the "root kits" that most
hackers use. Many kits allow hackers to modify binaries so they 1)
don't show up on log files, 2) don't show up on ls, w, ps, who, ssh,
telnet, sendmail, ftpd, etc., and/or 3) create backdoors. I would
suggest taking the machine OFFLINE IMMEDIATELY. If they have backdoor
access and are connected and seeing you doing work to try and restore,
they might just rm -Rf / on your machine. Best of luck in restoring
your system.
Josh
On Friday, May 2, 2003, at 10:15 PM, Uday wrote:
> I had a system crash recently which had put me in all sorts of problems on
> my RH7.1 box running sendmail and httpd. Now it is restored but not to
> original and need some help.
>
> What happened exactly was like this : On the 1st of May when I connected to
> the box thru SSH from my home it gave me the bash prompt instead of my usual
> hostname prompt. Second there were no files in /var/log. Next I rebooted the
> comp and even my sshd on the server did not start and I had to rush to
> location physically.
>
> On the comp also I could not get the usual prompt. Eventually I found out
> that the .bash_profile, .bashrc, .bash_logout for root were missing, and
> none of the /var/log was there ALL DELETED!!
>
> The points I do not know are:
> 1. WAS I HACKED? IF YES HOW DO I KNOW WHICH WAY THE HACKER GOT IN?
> 2. After restoring the sendmail does not write logs to /var/log/maillog
> (though it is functioning) and similarly many log files boot.log, cron,
> messages, secure, spooler, are 0 bytes - The system is not writing logs to
> this file HOW? WHY?
> 3. Before restoring the /etc/rc files had all broken links because at that
> time echo $PATH used to give me nothing. No path was defined. Now I've put
> a fresh rc.sysinit but all the other rc files are still marked red (they are
> not blinking) so IS THE LINK RESTORED OR NOT? And how do I remove the red
> marked link files and restore all the linked files to normal??
>
> Thanx
>
>
> .===================================.
> | This has been a P.L.U.G. mailing. |
> | Don't Fear the Penguin. |
> `==================================='
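Josh's reply notes that rootkits replace ls, ps, who, w, sshd and similar binaries so the compromise stays hidden. The script below is an added illustration (not from the list post or from chkrootkit) of the defensive check that makes such swaps visible: hash the usual rootkit targets while the host is known-good, keep that baseline off-host, and compare later. The fake root directory, stand-in binaries and the "trojaned" ps are constructed for the demo; on a real box run the comparison from rescue media, since a trojaned kernel or libc can lie to a check run on the live system.

```python
"""Baseline-and-compare integrity check for binaries rootkits commonly replace."""
import hashlib
import tempfile
from pathlib import Path

# Binaries the reply names as rootkit targets (ls, ps, w, who, sshd, sendmail)
# plus netstat and login, which hide connections and logins the same way.
SUSPECT_BINARIES = ["ls", "ps", "w", "who", "netstat", "login", "sshd", "sendmail"]
SEARCH_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin")


def sha256_file(path):
    """Stream a file through SHA-256; works for large binaries too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names):
    """Map relative path -> digest for every listed binary found under root."""
    baseline = {}
    for name in names:
        for d in SEARCH_DIRS:
            p = Path(root) / d / name
            if p.is_file():
                baseline[str(p.relative_to(root))] = sha256_file(p)
    return baseline


def compare(root, baseline):
    """Return relative path -> 'ok', 'modified' or 'missing' against the baseline."""
    result = {}
    for rel, digest in baseline.items():
        p = Path(root) / rel
        if not p.exists():
            result[rel] = "missing"          # binary deleted (cf. the wiped /var/log)
        elif sha256_file(p) != digest:
            result[rel] = "modified"         # replaced or patched binary
        else:
            result[rel] = "ok"
    return result


def demo():
    """Constructed scenario: fake root, then ps gets trojaned and sshd deleted."""
    root = Path(tempfile.mkdtemp())
    layout = {"bin": ["ls", "ps"], "usr/bin": ["w", "who"], "usr/sbin": ["sshd"]}
    for d, names in layout.items():
        (root / d).mkdir(parents=True)
        for n in names:
            (root / d / n).write_bytes(b"ELF stand-in for " + n.encode())
    baseline = build_baseline(root, SUSPECT_BINARIES)   # taken while known-good
    (root / "bin" / "ps").write_bytes(b"trojaned ps that hides a process")
    (root / "usr" / "sbin" / "sshd").unlink()
    return compare(root, baseline)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:9s} {rel}")
```

In practice the baseline comes from install media or the package manager's own digests (rpm -V on the poster's Red Hat box), not from a host that may already be compromised.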