Re: I've been cracked! (hamm, 2.0.35)
On Sat, 13 Mar 1999, Don Erickson wrote:
> Somebody (through jhb60.jaring.my) wandered into my system, set up a user
> account for themselves and set up a couple of programs, eggdrop and smurf.
Typically this is done by "script kiddies" who aren't particularly good
computer users, but they take scripts written by other people and use them
to break into systems.
Then they typically use a "rootkit" to get root access and replace files,
just as you've seen. "ls" is usually the first one they hack. They
also replace system demons and so forth; probably there are now
several backdoors into your system that don't use passwords at all. Check
out www.rootshell.com, they have plenty of info and rootkits. They also
have some information on securing your system.
At this point, you can't trust your system. You *might* be able to
restore from your last complete backup, if you are *sure* you know when
you were cracked. More likely, you'll have to save what data files you can
and then reinstall from trusted media, like a CD-ROM. Obviously, don't do
this while your machine is hooked to the net. Examine carefully any other
machines yours is hooked up to, e.g. by Ethernet.
Don't put your system back on the net until you are reasonably confident
you've closed the more common holes. Sorry, it sucks but that's the only
way to be sure. If you want some revenge, you can try reporting to the
sysadmins of the originating system, if you can actually identify it. :-/
Sincerely,
Ray Ingles (248) 377-7735 ray.ingles@fanucrobotics.com
"Engineering is like having an 8 a.m. class and a late afternoon lab
every day for the rest of your life." - Anonymous
Reply to: