On Wednesday 22 March 2006 09:55, Loren H. Burlingame wrote:

> I recently noticed that a system I am responsible for was sending out
> a bunch of spam messages. I logged into it and sure enough it was a
> cracked user account which was responsible.

Unplug the network cable, reboot with a utility CD, make a backup image
(with dd/tar/whatever) onto other media, and reload from system disks.

> I immediately locked down SSHD to certain users with strong passwords
> (should have done this before, I know), killed the offending processes
> and looked for replaced executables.

If they've gotten root (which they may have), going through ssh is a
burden. They may have installed a rootkit and can still get what they
want.

> Fortunately, the "hacker" (more like script kiddie) was not able to
> get access to root by the look of it. Also they managed to not delete
> their .bash_history file.

Never trust log files when a compromise has happened, unless they're
remotely captured onto a secured host. Even then they can be trusted
only up to the compromise.

Dave Carlson
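The sequence Dave describes (pull the cable, boot a rescue CD, image the disk to other media, then inspect the copy rather than the live system) as a shell script. This is an added example and is not code from either poster or the list; it assumes GNU coreutils (dd, sha256sum) on a rescue environment where the suspect disk is not mounted, and the device and paths (/dev/sda, /mnt/usb/host.img, /mnt/evidence) are placeholders. The triage functions do, against the read-only image, the kind of check Loren did by hand on the running host, where the find and ls binaries themselves may already have been replaced.

```shell
#!/bin/sh
# Added example (not from the original thread): first-response evidence
# capture for a suspected-compromised Linux host. Work from a rescue CD,
# image the disk to other media before anything else, then inspect the
# image read-only instead of trusting the live system's own binaries.
# Assumes GNU coreutils (dd, sha256sum) in a rescue environment where the
# compromised disk is NOT mounted. Device and path names are placeholders.

set -u

# image_disk SRC IMG: bit-for-bit copy of SRC to IMG, hashing both sides.
# bs=512 matches the sector size, so conv=noerror,sync only zero-fills
# sectors that fail to read and never pads a block device. The two hashes
# go to IMG.sha256; returns 0 only when they match (exact, fully readable
# copy). On a mismatch keep the image anyway and note it: retrying reads
# on the original is how evidence gets lost.
image_disk() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.dd.log" || return 1
    src_hash=$(sha256sum "$src" | awk '{print $1}')
    img_hash=$(sha256sum "$img" | awk '{print $1}')
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# mount_image_ro IMG MNT: attach the image read-only through a loop device,
# with noexec/nosuid/nodev so nothing on the suspect filesystem can run by
# accident. Needs root; not exercised by the self-test.
mount_image_ro() {
    mount -o ro,noexec,nosuid,nodev,loop "$1" "$2"
}

# find_suspects ROOT: setuid/setgid and world-writable regular files under
# ROOT, which is where a replaced binary or a parked shell usually lands.
# One path per line, sorted, so the list can be diffed against a clean
# install of the same distribution.
find_suspects() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 -o -perm -0002 \) \
        -print 2>/dev/null | sort
}

# recently_changed ROOT DAYS: regular files whose inode changed within the
# last DAYS days. ctime is the anchor for a timeline because touch -r only
# rewrites mtime/atime; an intruder has to work harder to forge it.
recently_changed() {
    find "$1" -xdev -type f -ctime "-$2" -print 2>/dev/null | sort
}

# collect_evidence SRC IMG MNT: the whole sequence, leaving the hash record
# and both triage lists next to the image on the evidence media.
collect_evidence() {
    src=$1; img=$2; mnt=$3
    if image_disk "$src" "$img"; then
        echo "image verified:"; cat "$img.sha256"
    else
        echo "image hash mismatch; see $img.dd.log" >&2
    fi
    mount_image_ro "$img" "$mnt" || return 1
    find_suspects "$mnt" > "$img.suspects.txt"
    recently_changed "$mnt" 30 > "$img.recent.txt"
    echo "triage lists written next to $img"
}

# Usage from the rescue shell (placeholder device and paths):
#   EVIDENCE_SRC=/dev/sda sh ./evidence.sh
if [ -n "${EVIDENCE_SRC:-}" ]; then
    collect_evidence "$EVIDENCE_SRC" \
        "${EVIDENCE_IMG:-/mnt/usb/host.img}" "${EVIDENCE_MNT:-/mnt/evidence}"
fi
```

The hash file is the piece most people skip: it is what lets you show later that the image you analysed is the disk you pulled, and it is also the reason the image, not the original disk, is what gets mounted and poked at. Once you have it, Loren's "looked for replaced executables" becomes a package-manager verification (rpm -Va or debsums) run against the mounted image root, using the rescue CD's tools.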