
Re: I've been cracked! (hamm, 2.0.35)



In foo.debian-user, you wrote:
> Somebody (through jhb60.jaring.my) wandered into my system, set up a user
> account for themselves and set up a couple of programs, eggdrop and smurf.
> I've not been using encrypted passwords, I understand that there are ways
> to derive the "salt" that the passwd file uses? 

The "salt" is simply the first two characters of the password hash.
Assuming you don't use shadow passwords, look in /etc/password at a line:

myusername:eNdOfjsu/dsk:....

The "eN" is the salt, and it should be different for each password entry.

> Anyway, this person hid a few files in some interesting places and even
> replaced my syslogd.  Now, when I say "hid a few files", there are files
> that simply don't show up by ls.  You can manipulate them but you can't
> see them unless you ls the entire path.  For example, 
> 
> $ ls /usr/lib/fms 
> 
> returns
> 
> /usr/lib/fms
> 
> but
> 
> $ cd /usr/lib;ls fms
> 
> returns nothing.
> 
> I have no idea how many files or directories might be hidden this way, nor
> how I can find out.  I've obviously changed passwords and disabled
> everything "foreign" that I can find, any suggestions as to what I should
> be doing about this? 

A common technique is to replace system commands (ls, ps) with hacked
versions that behave in ways that make it difficult to spot/stop the
intruder, or that provide a backdoor for the intruder to re-enter.

You have been compromised, and you need to reinstall completely.
Some data files can be salvaged, but every program must be replaced.
Investigate using the tripwire package to detect these things in the
future.

-Mitch
--
Any command with less than 48 switches is a Cat in the Hat book.
                                                  - E. Charters
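A defender's cross-check for the trojaned-ls situation described in this thread, together with the salt extraction described above. This is an added example, not code from the thread; the file names and the passwd line it uses are constructed, and it assumes a user-space ls replacement (a kernel-level rootkit would hide from the kernel's own listing too).

```python
import os
import shutil
import subprocess
import tempfile


def salt_of(passwd_line):
    """Return the two-character crypt(3) salt from a passwd/shadow line.

    The salt is the first two characters of the hash field, i.e. the
    second colon-separated field of the line.
    """
    fields = passwd_line.rstrip("\n").split(":")
    if len(fields) < 2 or len(fields[1]) < 2:
        raise ValueError("no crypt(3) hash field in line")
    return fields[1][:2]


def ls_output(directory):
    """Run the system's ls binary (the one under suspicion) and return its entries."""
    proc = subprocess.run(["ls", "-A1", directory], capture_output=True,
                          text=True, check=True)
    return proc.stdout.splitlines()


def entries_hidden_from(reported, directory):
    """Names the kernel knows about that a (possibly trojaned) ls did not report.

    os.scandir() asks the kernel directly via getdents, so a replaced ls
    binary cannot filter what it returns; any difference is suspicious.
    """
    kernel_view = {entry.name for entry in os.scandir(directory)}
    return kernel_view - set(reported)


def demo():
    """Constructed scenario: two files, and a fake ls report that omits one."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("eggdrop", "fms"):          # constructed file names
            open(os.path.join(d, name), "w").close()
        faked_report = ["eggdrop"]               # what a trojaned ls might print
        hidden = entries_hidden_from(faked_report, d)
        # Against the real ls on a clean host nothing should be missing.
        real_hidden = entries_hidden_from(ls_output(d), d) if shutil.which("ls") else set()
    return {"hidden": hidden, "real_hidden": real_hidden}


if __name__ == "__main__":
    print(salt_of("myusername:eNdOfjsu/dsk:1000:1000::/home/me:/bin/sh"))  # constructed line
    print(demo())
```

Running the directory cross-check over every directory on the box is far more work than a reinstall, which is why the advice above stands; the check is useful mainly to confirm that a suspected ls is lying.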

