
Re: cracked? "rm uses obsolete (PF_INET,SOCK_PACKET)"



On Sat, 14 Jun 2003, eyem wrote:

> Hello,
> 
> I think my box has been compromised... it's my first time and it is a 
> rather unpleasant experience!

Yes, it sounds as if you have been, and yes, it is not fun.

I sympathize (only happened to me once, which was more than enough).
 
> I found some stuff in /dev, hdx1 and hdx2 .... is that normal?

Hard to say. Are they device files? If they aren't, investigate them to
try to figure out what's going on (get them to a known good machine, run
strings on them, for starters. Try to find commonalities with known
rootkits. If you have the skill, disassemble them. If not, run them in a
sandbox on a machine you can afford to rebuild and see what they do).
 
> Anyway, I have no idea where to go from here.
> I don't know if it will be just a couple of things to fix up, or if I should 
> toast my whole system: major major hassle)

Best practice is to pull the network plug and investigate how the
attacker got in. Then, redeploy with that problem (and any other problem 
you found during forensics) fixed.

Frequently in the real world, that isn't possible. Then you have to fall
back on a reinstall and restore from backups, and watch what happens
from an extremely paranoid stance.

You really don't want to attempt a cleanup, because you never know if
you found every potential trap, so you can never trust the machine again.
Not the sort of thing you want on your network.

Good luck... The only good thing about being compromised is that it
makes you more paranoid about being on the net. 

-j

-- 
Jamie Lawrence                                        jal@jal.org
A computer without a Microsoft operating system is like a dog
without bricks tied to its head.
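The check the reply suggests (are the entries under /dev real device nodes, and what do the ones that aren't contain?) written out as an added shell example; it is not code from the thread or from either poster. The function names (`list_regular_files`, `count_regular_files`, `extract_strings`, `describe_file`) are my own, and the script is meant to be run against a copy of the suspect tree on a known-good machine, as the reply advises, rather than on the compromised host whose tools cannot be trusted.

```shell
#!/bin/sh
# Added example: /dev should hold device nodes, directories and symlinks.
# A regular file under /dev is the classic place to hide a dropped tool, so
# report every regular file, then fingerprint it with file(1), a hash and
# its printable strings. All names here are chosen for this example.

# list_regular_files DIR -> paths of regular files below DIR, one per line.
# 'find -type f' skips char/block devices, dirs, symlinks, FIFOs and sockets.
list_regular_files() {
    find "$1" -type f 2>/dev/null | sort
}

# count_regular_files DIR -> how many regular files were found below DIR.
count_regular_files() {
    list_regular_files "$1" | wc -l | tr -d ' '
}

# extract_strings FILE -> printable runs of 6+ characters, like strings(1),
# implemented with tr/grep so it works even where binutils is absent.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{6,}$'
}

# describe_file FILE -> ownership/perms, type, hash and first 20 strings.
# Hash and type commands are optional; the report degrades gracefully.
describe_file() {
    f="$1"
    echo "== $f"
    ls -l "$f"
    file "$f" 2>/dev/null || true
    sha256sum "$f" 2>/dev/null || shasum -a 256 "$f" 2>/dev/null || true
    extract_strings "$f" | head -n 20
}

# Usage: ./devcheck.sh /path/to/copied/dev   (no argument: define only)
if [ $# -gt 0 ]; then
    echo "regular files under $1: $(count_regular_files "$1")"
    list_regular_files "$1" | while IFS= read -r f; do
        describe_file "$f"
    done
fi
```

Compare the reported hashes and strings against what a clean install of the same distribution puts in /dev (normally nothing that is a regular file); anything left over is what the reply calls "stuff in /dev" and deserves the sandbox or disassembly treatment described above.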
