You also might try booting the system (off the network) with a distro like P.H.L.A.K. or FIRE. I know there are a couple other forensic boot distros, but those are the two I've used most. Any other good forensic distros out there?

On 3/22/06, Dave Carlson <thecubic at thecubic.net> wrote:
>
> On Wednesday 22 March 2006 09:55, Loren H. Burlingame wrote:
> > I recently noticed that a system I am responsible for was sending out
> > a bunch of spam messages. I logged into it and sure enough it was a
> > cracked user account which was responsible.
>
> Unplug the network cable, reboot with a utility CD, make a backup image (with
> dd/tar/whatever) onto another media, and reload from system disks.
>
> > I immediately locked down SSHD to certain users with strong passwords
> > (should have done this before, I know), killed the offending processes
> > and looked for replaced executables.
>
> If they've gotten root (which they may have), going through ssh is a burden.
> They may have installed a rootkit and can still get what they want.
>
> > Fortunately, the "hacker" (more like script kiddie) was not able to
> > get access to root by the look of it. Also they managed to not delete
> > their .bash_history file.
>
> Never trust log files when a compromise has happened, unless they're remotely
> captured onto a secured host. Even then they can be trusted only up to the
> compromise.
>
> Dave Carlson
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
>

--
- G. Scott Walters
http://www.apt518.net
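The "reboot with a utility CD, make a backup image with dd onto another media" step from the quoted reply, written out as a small shell function. This is an added example, not code from the thread or from any of the posters; it assumes a Linux live CD with GNU coreutils (dd, sha256sum), a destination directory on separate media, and it adds a source/image hash check and an acquisition log that the thread does not mention.

```shell
#!/bin/sh
# Added example: raw-image a disk with dd onto other media and verify it.
# Assumes Linux coreutils (dd, sha256sum). Boot from a utility/live CD with
# the network cable unplugged, mount the evidence media, then call:
#   image_device /dev/sdX /mnt/evidence
# The function never writes to SOURCE; it only reads it.

# image_device SOURCE DEST_DIR
#   SOURCE   : block device to image (or, for a dry run, any regular file)
#   DEST_DIR : directory on the external media that receives the image
# Prints the image path and returns 0 only if the image hash matches the
# source hash; returns 1 on I/O failure and 2 on a hash mismatch.
image_device() {
    src="$1"
    dest_dir="$2"
    name=$(basename "$src")
    img="$dest_dir/$name.dd"
    log="$dest_dir/$name.acquisition.log"

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$dest_dir" || return 1

    # Record what was imaged and when (live CDs often run on UTC), so the
    # image can be tied back to the original device later.
    {
        echo "source: $src"
        echo "started: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$log" || return 1

    # Hash the source first; a read error here stops the acquisition.
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1) || return 1

    # Plain block copy. No conv=sync padding, because padding changes the
    # image length and the hash comparison below would no longer be valid.
    dd if="$src" of="$img" bs=1048576 2>/dev/null || return 1

    img_hash=$(sha256sum < "$img" | cut -d' ' -f1) || return 1
    {
        echo "source_sha256: $src_hash"
        echo "image_sha256: $img_hash"
        echo "finished: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } >> "$log" || return 1

    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: $src_hash != $img_hash" >&2
        return 2
    fi
    echo "$img"
}
```

Once the image verifies, work from a copy of it on a clean host; the compromised system's own logs and shell history, as the quoted reply says, are only as trustworthy as the attacker left them.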