[lug] i got hacked
Ed Hill
ed at eh3.com
Thu Apr 18 16:09:09 MDT 2002
On Thu, 2002-04-18 at 15:44, j davis wrote:
>
> so, netstat says i have something listening on 25897...what should i do?!
> never been hacked before....i already turned off ftp and turned on tcp
> wrappers.
I'd:
- backup all user & applications data
- wipe the machine clean
- re-install (and I recommend upgrade to RH 7.2)
- use a firewall!
As a quick fix, you can use the RPM database in conjunction with find to
get some idea of what has been modified and/or added. The RPM commands
will look something like:
rpm -qa | xargs rpm -V
which will give you a list of all modified files and *how* they've been
changed. Similarly, you can use find to list all files that have been
added/modified since the time the machine was cracked. But note that
the RPM method *ONLY* works if the cracker didn't mess with the RPM
database, which is unlikely but within the realm of possibility.
In general, it's a good idea to wipe everything and start over since it
is quite difficult (impossible?) to prove that you have completely
removed all the back-doors or other junk that got installed.
hth,
Ed
--
Edward H. Hill III, PhD
Post-Doctoral Researcher | Email: ed at eh3.com, ehill at mines.edu
Division of ESE | URL: http://www.eh3.com
Colorado School of Mines | Phone: 303-273-3483
Golden, CO 80401 | Fax: 303-273-3311
Key fingerprint = 5BDE 4DA1 66BE 4F7B BC17 3A0C 932B 7266 1E76 F123
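An added example, not part of Ed's mail, that puts the two checks he describes into runnable form: a decoder that turns each `rpm -V` line into a list of what changed, and a `find` wrapper that lists files modified after a reference time. The flag meanings follow rpm(8); the helper names and sample lines are assumptions of this example.

```sh
#!/bin/sh
# Decode one line of `rpm -V` output.  The flag field (8 columns on RPM of the
# RH 7.x era, 9 on later versions) means, per rpm(8):
#   S size, M mode, 5 digest/MD5, D device number, L symlink target,
#   U user, G group, T mtime, P capabilities.  "." = test passed,
#   "?" = test could not be performed.  An optional one-letter file type
#   (c config, d doc, g ghost, l license, r readme) precedes the path.
decode_rpm_verify_line() {
    printf '%s\n' "$1" | awk '
    $1 == "missing" { print $2 ": file is missing"; next }
    {
        flags = $1
        path = ($2 ~ /^[cdglr]$/ && NF > 2) ? $3 : $2
        split("S:size M:mode 5:digest D:device L:symlink U:owner G:group T:mtime P:caps",
              names, " ")
        n = 0; out = ""
        for (i = 1; i <= length(flags); i++) {
            ch = substr(flags, i, 1)
            if (ch == ".") continue
            split(names[i], kv, ":")
            out = out (n++ ? "," : "") kv[2] (ch == "?" ? "(untested)" : "")
        }
        print path ": " (n ? out : "unchanged")
    }'
}

# List regular files under DIR whose mtime is newer than the reference file REF
# (a file you know is untouched, or one created with `touch -t` at the suspected
# break-in time).  -xdev stays on one filesystem so /proc and NFS are skipped.
# Caveat: an intruder can reset mtimes, so an empty result proves nothing; a
# non-empty one is a starting list to compare against the rpm -V output.
find_changed_since() {
    find "$1" -xdev -type f -newer "$2" 2>/dev/null | sort
}

# Typical use on the suspect box (run from known-good binaries, e.g. a rescue CD):
#   rpm -qa | xargs rpm -V | while read -r line; do decode_rpm_verify_line "$line"; done
#   touch -t 200204180000 /tmp/ref && find_changed_since / /tmp/ref
```

Lines whose only differences are `mtime` or `digest` on a `c` (config) file are often legitimate edits; size or digest changes on binaries such as `/bin/ls` or `/bin/netstat` are the ones to treat as a rootkit until proven otherwise.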