Re: i am hacked atm.. what's better thing to do?

To: Livia Admin <kreaper@livia.netfoo.org>
Cc: debian-user@lists.debian.org
Subject: Re: i am hacked atm.. what's better thing to do?
From: Damian Menscher <menscher@uiuc.edu>
Date: Mon, 6 Nov 2000 12:50:39 -0600 (CST)
Message-id: <[🔎] Pine.LNX.4.21.0011061242190.21545-100000@intellx1.physics.uiuc.edu>
Reply-to: Damian Menscher <menscher@uiuc.edu>
In-reply-to: <[🔎] 20001106164313.A1773@livia.netfoo.org>

On Mon, 6 Nov 2000, Livia Admin wrote:

> ey guys.. pls reply to my real email add cause i'm not in the lists
> 
> i think i'm compromised. cause when i do netstat i see a telnet
> connection established to my box for almost 1 hour. i do ps but see
> only 'in.telnetd'. is there any way that i will know what he is
> doing before i'll disconnect him?

A lot depends on whether you want to watch/trace/prosecute/learn
from/annoy him, or if you just want him off your system.

What I would do (since I like to do learn from the intrusions), is to
follow him around for a while.  At minimum, find out what IP address he
is coming from and how he got into your machine.

A simple packet sniffer for Debian can be obtained through `apt-get
install sniffit`, and then run `sniffit -I`.  This will at least tell
you the open connections to your machine and the IP addresses.  If you
want to see what he's doing, run a packet sniffer (tcpdump, though
sniffit can probably do it as well) to sniff packets to/from his IP.

The syslog is probably the best place to find how he got into your
system.  But it might have been tampered with.  If you think it's a
fairly recent attack, look around your directories a bit with an `ls
-lart` to show all recently-changed entries.  Script kiddie tools are
easily found this way, though better hackers can hide their tracks.

Finally, don't trust the output of ps (it may be one that hides their
tracks), login could have been replaced to have a backdoor and log your
passwords, etc.  You might run nmap against your own machine to check if
any additional ports were enabled.

Once figure out how your machine was compromised (watching other
machines get attacked from your own may give a clue here) then check the
IP he's coming from and see if it was compromised in the same way.  If
so, notify the owner.  If not, then this is the hacker's home box and
you should contact his ISP (or the authorities).

Damian Menscher
-- 
--==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
--==## <menscher@uiuc.edu> www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--
--==## Physics Dept, 1110 W Green, Urbana IL 61801 Fax:(217)333-9819 ##==--

Reply to:

Follow-Ups:
- Re: i am hacked atm.. what's better thing to do?
  - From: Phil Brutsche <pbrutsch@tux.creighton.edu>

References:
- i am hacked atm.. what's better thing to do?
  - From: Livia Admin <kreaper@livia.netfoo.org>

Prev by Date: Re: latex question
Next by Date: Re: Idea: Master Debian FAQ (newbie-centric)
Previous by thread: i am hacked atm.. what's better thing to do?
Next by thread: Re: i am hacked atm.. what's better thing to do?
Index(es):
- Date
- Thread