Look at /var/log/xferlog and look in /home/ftp and see if there are any extra
directories.  If they knew what they were doing they would have removed the
extra directories that got created and wiped the log, but it's usually some
script kiddie who has no clue what he's doing.  If the MKDIRs are logged,
you'll be able to tell where they were coming from.  Hopefully they were
dumb enough to do it from their own machine.  If you can find their IP,
you'll want to notify the owner of that IP block because some of their
machines may have been compromised.

Also, CERT has a nice little article somewhere about rootkits and finding if
they installed one.  Some have config files hidden in /dev that will give
away the attacker's IP.

If you're running BIND older than 8.1.2, they could've used the IXFR
exploit.  Look in the directory that holds your zone files for a directory
called ADMROCKS/.  Also check your /etc/inetd.conf and see if they appended
anything to it.

Jay Austad
Network Administrator
CBS Marketwatch

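The four checks above (xferlog, extra directories under the FTP root, regular files in /dev, appended inetd.conf entries) as one triage script. This is an added example, not code from the thread or from any of the posters. It assumes the standard wu-ftpd xferlog field layout and the default paths named in the message; since xferlog records transfers rather than MKD commands, the script pulls the remote host from incoming (uploaded) transfers instead. All sample data is constructed so the script runs offline; point the functions at the real files on the compromised host.

```sh
#!/bin/sh
# Triage checks for the places named above.  Added example, not from the
# thread; paths, the xferlog field layout and the sample data are assumptions.

# Incoming transfers in a wu-ftpd style xferlog.  Assumes the standard layout:
# fields 1-5 date/time, 6 transfer-time, 7 remote-host, 8 size, 9 filename,
# 10 type, 11 special-action, 12 direction (i=incoming, o=outgoing), ...
# A filename containing spaces would shift the field numbers.
xferlog_uploads() {
    awk '$12 == "i" { print $7, $9 }' "$1" 2>/dev/null
}

# Directories under the FTP root with names used to hide drop sites: a leading
# dot (".", "...", ". ") or embedded/trailing spaces.
hidden_dirs() {
    find "$1" -mindepth 1 -type d \( -name '.*' -o -name '* *' \) 2>/dev/null
}

# Regular files in /dev.  Legitimately it holds device nodes; a regular file
# there is where some rootkits keep config and address lists.  On a udev
# system exclude /dev/shm and /dev/mqueue before treating a hit as hostile.
dev_regular_files() {
    find "$1" -type f 2>/dev/null
}

# Non-comment inetd.conf entries that spawn a shell, the classic appended
# backdoor (e.g. "ingreslock stream tcp nowait root /bin/sh sh -i").
inetd_backdoors() {
    grep -nE '^[^#].*(/bin/(ba|c|k|tc)?sh|[[:space:]]sh[[:space:]]+-i)' "$1" 2>/dev/null
}

# Constructed sample data so the checks can be run offline; the host address,
# file names and entries are invented.  On a live box pass the real paths.
make_sample_data() {
    sd=$(mktemp -d)
    mkdir -p "$sd/ftp/pub" "$sd/ftp/incoming/..." "$sd/ftp/incoming/. " "$sd/dev"
    printf '%s\n' \
      'Sun Oct  8 22:14:03 2000 2 203.0.113.77 1894 /home/ftp/pub/README a _ o a anonymous ftp 0 * c' \
      'Sun Oct  8 22:15:41 2000 7 203.0.113.77 48211 /home/ftp/incoming/.../rk.tgz b _ i a anonymous ftp 0 * c' \
      > "$sd/xferlog"
    printf '203.0.113.77\n' > "$sd/dev/.addrs"
    printf 'ftp\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\tin.ftpd -l -a\n' > "$sd/inetd.conf"
    printf 'telnet\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\tin.telnetd\n' >> "$sd/inetd.conf"
    printf '%s\n' 'ingreslock stream tcp nowait root /bin/sh sh -i' >> "$sd/inetd.conf"
    echo "$sd"
}

# Run every check; on the real host the arguments are /var/log/xferlog,
# /home/ftp, /dev and /etc/inetd.conf.
run_triage() {
    echo "== incoming transfers (remote host, file) =="; xferlog_uploads "$1"
    echo "== hidden directories under FTP root =="; hidden_dirs "$2"
    echo "== regular files in /dev =="; dev_regular_files "$3"
    echo "== shell-spawning inetd entries (line:entry) =="; inetd_backdoors "$4"
}

sample=$(make_sample_data)
run_triage "$sample/xferlog" "$sample/ftp" "$sample/dev" "$sample/inetd.conf"
rm -rf "$sample"
```

Run it as root so find can descend into the FTP tree and /dev, and copy the log off the box first: the remote host in the xferlog is the lead to hand to the owner of that address block, and a tidy attacker may have already trimmed it.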
-----Original Message-----
From: Adam Maloney [mailto:adamm at sihope.com]
Sent: Sunday, October 08, 2000 2:48 PM
To: tclug-list
Subject: Re: [TCLUG:22365] Hacked


$10 says it's ftpd.

Adam Maloney
Systems Administrator
Sihope Communications

On Sun, 8 Oct 2000, Brian wrote:

> My system was hacked last night, I was shut down from 10 pm until about
> 9 this morning, when I rebooted I had a new account called pbadmin on my
> login screen, before I just blow this account away I would like to find
> out how he got into my system.  Any suggestions on how to back track
> him?
>   I'm running Caldera 2.4 eDesktop, with a DSL connection through a Cisco
> 675 and a Netgear RT311 router.
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tclug-list-unsubscribe at mn-linux.org
> For additional commands, e-mail: tclug-list-help at mn-linux.org
> 
> 
