[lug] intrusion
steve at badcheese.com
Wed Jun 13 13:54:54 MDT 2007
If you suspect an intrusion at all:
* Unplug network cable
* boot with known good media (knoppix cd or other)
* run chkrootkit
If no rootkits are found, do a security audit (don't trust anything).
Re-evaluate the iptables rules.
Upgrade the OS/kernel.
If a rootkit is found, reinstall. Sorry.
- Steve
On Wed, 13 Jun 2007, gordongoldin at aim.com wrote:
> Date: Wed, 13 Jun 2007 14:16:31 -0400
> From: gordongoldin at aim.com
> Reply-To: "Boulder (Colorado) Linux Users Group -- General Mailing List"
> <lug at lug.boulder.co.us>
> To: lug at lug.boulder.co.us
> Subject: [lug] intrusion
>
>
> There was a funny UID - easypwn.
>
> Changed the passwd, later saw:
>
> easypwn tried to get in, failed, then another "don't know who it is userID" mailmn got on from same IP.
> The easypwn tried to get in again and logged in successfully.
>
> Looking around, I saw:
> ?...porn.zip in a temp file
>
> Due to powers that be, I can't just shut this down.
>
> Has anyone seen something like this before?
> (Hoping this is something less than a rootkit.)
>
> What's the short list of cleaning procedures/lockdowns while taking this machine out of service?
>
--
EMAIL: (h) steve at badcheese.com WEB: http://badcheese.com/~steve
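The checks below are an added example, not code from Steve's reply or anything the LUG published: a few read-only triage functions for the "boot known-good media, then audit without trusting the box" step. They assume the suspect root filesystem is mounted at `$MNT` (read-only, from the live CD), an allowlist of expected account names kept on the live media, and OpenSSH-style `sshd` log lines; the passwd entries, log lines and temp file are constructed sample data standing in for the mounted disk.

```sh
#!/bin/sh
# Added example (not from the thread): read-only triage checks to run from a
# known-good live CD with the suspect root filesystem mounted at $MNT.
# Everything below only reads files under $MNT; nothing on the suspect disk is
# executed or modified, which is the point of booting from other media.

# Accounts with UID 0 other than root (a common way to plant a backdoor login).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts in the passwd file ($1) that are not on an allowlist ($2, one
# expected account name per line, e.g. taken from a clean install or backup).
unknown_accounts() {
    awk -F: 'NR == FNR { known[$1] = 1; next } !($1 in known) { print $1 }' "$2" "$1"
}

# Accepted sshd logins from an address that had already failed authentication
# earlier in the same log: the "failed, then got in from the same IP" pattern.
suspicious_logins() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i + 1)] = 1
        }
        /sshd\[[0-9]+\]: Accepted / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            if (ip in failed) print user, ip
        }
    ' "$1"
}

# Files dropped in the temp directories of the mounted disk within the last week.
recent_tmp_files() {
    find "$1/tmp" "$1/var/tmp" -type f -mtime -7 2>/dev/null | sort
}

# --- Constructed sample data standing in for the mounted suspect disk ---
MNT=$(mktemp -d)
mkdir -p "$MNT/etc" "$MNT/tmp" "$MNT/var/tmp" "$MNT/var/log"
PASSWD="$MNT/etc/passwd"
AUTHLOG="$MNT/var/log/auth.log"
ALLOW=$(mktemp)   # allowlist lives on the live media, not on the suspect disk

cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
gordon:x:1000:1000:Gordon:/home/gordon:/bin/bash
mailmn:x:1001:1001::/var/spool/mail:/bin/sh
easypwn:x:0:0::/tmp:/bin/bash
EOF

printf 'root\ndaemon\ngordon\n' > "$ALLOW"

# Constructed OpenSSH-style log lines using documentation-range addresses.
cat > "$AUTHLOG" <<'EOF'
Jun 13 13:01:02 host sshd[2101]: Failed password for easypwn from 198.51.100.23 port 40122 ssh2
Jun 13 13:01:40 host sshd[2102]: Accepted password for mailmn from 198.51.100.23 port 40130 ssh2
Jun 13 13:05:11 host sshd[2110]: Accepted password for easypwn from 198.51.100.23 port 40144 ssh2
Jun 13 13:06:00 host sshd[2111]: Accepted publickey for gordon from 192.0.2.10 port 50000 ssh2
EOF

: > "$MNT/tmp/porn.zip"   # constructed stand-in for the odd archive in tmp

# Triage report
echo "== UID 0 accounts besides root ==";              uid0_accounts "$PASSWD"
echo "== accounts not on the allowlist ==";            unknown_accounts "$PASSWD" "$ALLOW"
echo "== accepted logins from addresses that failed first =="; suspicious_logins "$AUTHLOG"
echo "== recent files in temp dirs ==";                recent_tmp_files "$MNT"
```

Each function takes paths rather than assuming `/`, so the same script works against the live-CD mount and never touches the running (possibly trojaned) binaries on the suspect disk; on a real disk, point `$MNT` at the read-only mount and replace the constructed data block with the real files. None of this replaces chkrootkit: it is the "look around" part of the audit, and a hit on any of the four checks is a reason to treat the reinstall advice above as the safe path.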