was i hacked
Ryan Ekins
pluglist at plug.org
Sat May 3 15:12:00 MDT 2003
I had the same thing happen, only they had left the bash history file, so I
could see what they did. They had run a rootkit program. I did some
research and the only thing that I could really do was take my server
offline, save the home and local directories and re-install.
Someone said to look in your log file for sendmail, because they sometimes
have the system email info to themselves. But he might have deleted that
also. If you were using the FTP daemon I guess it should not be run.
Supposedly it has a lot of back doors in the 7.x versions. But that's just
what I heard.
I think it pays to keep your system up to date. Check out Red Carpet at
http://www.ximian.com/products/redcarpet/ .
Good luck with your system.
-Ryan
----- Original Message -----
From: "Uday" <uday at accord.co.in>
To: <pluglist at plug.org>
Sent: Friday, May 02, 2003 11:15 PM
Subject: was i hacked
> I had a system crash recently which had put me in all sorts of problems on
> my RH7.1 box running sendmail and httpd. Now it is restored but not to
> original and I need some help.
>
> What happened exactly was like this: On the 1st of May when I connected to
> the box through SSH from my home it gave me the bash prompt instead of my
> usual hostname prompt. Second, there were no files in /var/log. Next I
> rebooted the comp and even my sshd on the server did not start and I had to
> rush to the location physically.
>
> On the comp also I could not get the usual prompt. Eventually I found out
> that the .bash_profile, .bashrc, .bash_logout for root were missing, and
> none of the /var/log was there. ALL DELETED!!
>
> The points I do not know are:
> 1. WAS I HACKED? IF YES, HOW DO I KNOW WHICH WAY THE HACKER GOT IN?
> 2. After restoring, sendmail does not write logs to /var/log/maillog
> (though it is functioning) and similarly many log files (boot.log, cron,
> messages, secure, spooler) are 0 bytes. The system is not writing logs to
> these files. HOW? WHY?
> 3. Before restoring, the /etc/rc files had all broken links because at that
> time echo $PATH used to give me nothing. No path was defined. Now I've put
> a fresh rc.sysinit but all the other rc files are still marked red (they
> are not blinking) so IS THE LINK RESTORED OR NOT? And how do I remove the
> red marked link files and restore all the linked files to normal??
>
> Thanx
>
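A small shell triage script for the symptoms the quoted message describes (zero-byte logs nobody is writing, rc entries shown red by ls, i.e. symlinks whose target is gone), added here as an example and not part of either message. The default paths /etc/rc.d and /var/log, and the check for a running syslog daemon, are assumptions about a RH7.1-style layout.

```shell
#!/bin/sh
# Added example: post-incident triage helpers for a box whose logs went
# missing and whose rc symlinks show up red. Read-only; no files are changed.

# Print every symlink under $1 whose target no longer exists, as
# "link -> target". A dangling link is what a colourised ls marks red.
broken_links() {
    find "$1" -type l 2>/dev/null | while read -r link; do
        # test -e follows the link, so it fails exactly when the target is gone
        [ -e "$link" ] || printf '%s -> %s\n' "$link" "$(readlink "$link")"
    done
}

# Print every regular file under $1 that is zero bytes long, sorted.
# Log files that stay at 0 bytes mean nothing is writing to them at all.
empty_files() {
    find "$1" -type f -size 0 2>/dev/null | sort
}

# Report whether any syslog-style daemon is running; if not, the 0-byte
# logs are explained by that rather than by sendmail itself.
syslog_running() {
    ps -e -o comm= 2>/dev/null | grep -q 'syslog'
}

# Full report. Usage: sh triage.sh --run [rc_dir] [log_dir]
triage() {
    rc_dir=${1:-/etc/rc.d}    # assumption: SysV rc tree lives here
    log_dir=${2:-/var/log}
    echo "== dangling symlinks under $rc_dir =="
    broken_links "$rc_dir"
    echo "== zero-byte files under $log_dir =="
    empty_files "$log_dir"
    if syslog_running; then
        echo "== a syslog daemon is running =="
    else
        echo "== no syslog daemon found: restart it before blaming sendmail =="
    fi
}

case "${1:-}" in
    --run) triage "${2:-}" "${3:-}" ;;
esac
```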