TCLUG Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TCLUG] [TCLUG:22365] Hacked



Quoting Brian (tobytoo@black-hole.com):
> My system was hacked last night,  I was shut down from 10 pm until about
> 9 this morning, when I rebooted I had a new account called pbadmin on my
> login screen, before I just blow this acount away I would like to find
> out how he got into my system.  Any suggestions on how to back track
> him?
>   I'm running caldera 2.4edesktop, with a dsl connection through a cisco
> 675 and a netgear RT311 router.

Do you run tripwire?

Do you have *.deug in your syslog.conf being logged somewhere?

Do you run swatch?

Do you have swatch print to hardcopy any "unusual" things?

If they are good and you only syslog to your local machine and no hard copy more
then likely all traces of the hack go erased.


-- 
Bob Tanner <tanner@real-time.com>       | Phone : (612)943-8700
http://www.mn-linux.org                 | Fax   : (612)943-8500
Key fingerprint =  6C E9 51 4F D5 3E 4C 66 62 A9 10 E5 35 85 39 D9