RE: Was my system cracked? (retry 2)
hi ya...
just re-installing and rebuilding the new box won't help because...
the hacker got in before... they probably can still get in again
unless something is done differently..
- simple things can prevent it from happening again would
- be to implement all the common things people been saying in
- the lists, faqs, replies, etc
probably the most important thing is backup your user data...religiously...
that you can do and control with relative ease....
i guess the trick question....is did that guy get in...or was it just
a failed attempt....
- again some people say check your binaries against the cdrom
installs
have fun
alvin
On Sun, 1 Oct 2000, Jeremy L. Gaddis wrote:
> At first glance, this appears to be an attempt to exploit rpc.statd.
>
> If they *DID* get in, you have no way of knowing what may or may
> not have been modified. I just dealt with a machine about two weeks
> ago that had a very extensive rootkit installed. The only way it was
> noticed that the machine had been compromised was that the admin
> noticed many processes named "tfn-daemon" installed, which, for the
> uninitiated, is the Tribal Flood Network DDoS tools.
>
> Reinstall your system. It sucks, but it's a learning experience.
>
> -jg
>
> --
> Jeremy L. Gaddis <jlgaddis@blueriver.net>
>
> -----Original Message-----
> From: Ron Hale-Evans [SMTP:rwhe@ludism.org]
> Sent: Sunday, October 01, 2000 1:53 PM
> To: debian-user@lists.debian.org
> Subject: Was my system cracked? (retry 2)
>
> [snip]
>
> Sep 30 19:10:53 ludism syslogd: Cannot glue message parts together
> Sep 30 19:10:53 ludism 173
> Sep 30 19:10:53 /sbin/rpc.statd[205]: gethostbyname error for
> ^X-?ø^X-?ø^Y-?ø^Y-?ø^Z-?ø^Z-?ø^[-?ø^[-?ø%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêê1¿Î|YâA^PâA^H?¿âA^Dâ^?¿â^A?fÕÄ?^BâY^L?A^Nô?A^H^PâI^DÄA^D^Là^A?fÕÄ?^D?fÕÄ?^E0¿àA^D?fÕ
> Sep 30 19:10:53 ludism «^F/bin«F^D/shA0¿àF^Gâv^LçV^PçN^LâÛ?^KÕÄ?^AÕÄË???
> Sep 30 19:14:01 ludism /USR/SBIN/CRON[32067]: (news) CMD (rnews -U)
> Sep 30 19:14:01 ludism innd: ME time 300548 idle 300544(2) artwrite 0(0) artlink 0(0) hiswrite 0(0) hissync 0(3)
>
> So, do you think my machine has been cracked? It looks as though they've
> been trying to cover their tracks, but not doing it very well. If it is a
> crack, what can I do about it apart from wiping the machine and rebuilding
> from the ground up?
>
> Thanks...
>
> Ron Hale-Evans
>
> --
> Ron's Info Closet: Center for Ludic Synergy, Kennexions Glass Bead Game,
> Positive Revolution FAQ, Hexagram-8 I Ching Mailing List, and links...
> Ron Hale-Evans ... rwhe@ludism.org ... <http://www.apocalypse.org/~rwhe/>
> Further up and further in! fnord
>
>
> --
> Unsubscribe? mail -s unsubscribe debian-user-request@lists.debian.org < /dev/null
>
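
Added example, not part of the original thread: a heuristic scan for syslog entries like the rpc.statd one quoted above, following the split message parts that share its timestamp. The indicator names, regexes and thresholds are assumptions chosen for illustration, and the sample lines are constructed and shortened.

```python
import re

# Heuristic indicators (assumed for this example) of a format-string
# attempt logged in place of a hostname.
INDICATORS = {
    "percent-n write specifier": re.compile(r"%\d*n"),
    "stack-walking %x run": re.compile(r"(?:%\d*x){4,}"),
    "long single-byte padding run": re.compile(r"([^\x00-\x7f])\1{31,}"),
    "shell path fragment": re.compile(r"/bin.{0,8}/sh"),
}
TRIGGER = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for")
STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")

def scan(lines):
    """Return [(line_number, [indicator names])] for suspicious rpc.statd entries.

    syslogd may split an oversized message ("Cannot glue message parts
    together"), so lines sharing the trigger's timestamp are scanned too.
    """
    findings, active_stamp = [], None
    for no, line in enumerate(lines, 1):
        m = STAMP.match(line)
        stamp = m.group(1) if m else None
        if TRIGGER.search(line):
            active_stamp = stamp
        elif stamp is not None and stamp != active_stamp:
            active_stamp = None  # a later, unrelated entry ends the message
        if active_stamp is None:
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(line)]
        if hits:
            findings.append((no, hits))
    return findings

# Constructed sample, shortened and modelled on the log quoted above.
SAMPLE = [
    "Sep 30 19:10:53 ludism syslogd: Cannot glue message parts together",
    "Sep 30 19:10:53 /sbin/rpc.statd[205]: gethostbyname error for "
    "%8x%8x%8x%8x%8x%236x%n%137x%n" + "\u00ea" * 40,
    "Sep 30 19:10:53 ludism \u00ab^F/bin\u00abF^D/sh",
    "Sep 30 19:14:01 ludism /USR/SBIN/CRON[32067]: (news) CMD (rnews -U)",
]

if __name__ == "__main__":
    for no, hits in scan(SAMPLE):
        print(f"line {no}: {', '.join(hits)}")
```

When reading a real log file, open it with `encoding="latin-1"` so the raw high bytes do not raise a decode error. A hit only shows that an attempt was logged, not whether it succeeded.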