On Sat, 13 Mar 1999, Don Erickson wrote:

> Somebody (through jhb60.jaring.my) wandered into my system, set up a user
> account for themselves and set up a couple of programs, eggdrop and smurf.

Typically this is done by "script kiddies" who aren't particularly good computer users, but they take scripts written by other people and use them to break into systems. Then they typically use a "rootkit" to get root access and replace files, just as you've seen. "ls" is usually the first one they hack. They also replace system demons and so forth; probably there are now several backdoors into your system that don't use passwords at all. Check out www.rootshell.com, they have plenty of info and rootkits. They also have some information on securing your system.

At this point, you can't trust your system. You *might* be able to restore from your last complete backup, if you are *sure* you know when you were cracked. More likely, you'll have to save what data files you can and then reinstall from trusted media, like a CD-ROM. Obviously, don't do this while your machine is hooked to the net. Examine carefully any other machines yours is hooked up to, e.g. by Ethernet. Don't put your system back on the net until you are reasonably confident you've closed the more common holes. Sorry, it sucks but that's the only way to be sure.

If you want some revenge, you can try reporting to the sysadmins of the originating system, if you can actually identify it. :-/

Sincerely,

Ray Ingles (248) 377-7735 [EMAIL PROTECTED]

"Engineering is like having an 8 a.m. class and a late afternoon lab every day for the rest of your life." - Anonymous
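As an added example (not part of the original message), the sketch below compares the program directories of a suspect disk against a known-good tree to list replaced, missing and added files, which helps scope the damage before the reinstall. It assumes the suspect disk is mounted read-only from trusted boot media and that a reference tree of the same release is available; the function names, mount points and sample files are hypothetical.

```shell
#!/bin/sh
# Added example. Run it from trusted boot media with the suspect disk mounted
# read-only: the installed ls, find and cmp may themselves have been replaced.
# compare_trees TRUSTED_ROOT SUSPECT_ROOT [DIR...]
# Prints MISSING / MODIFIED / EXTRA for regular files under each DIR.
compare_trees() {
    trusted=$(cd "$1" && pwd) || return 2
    suspect=$(cd "$2" && pwd) || return 2
    shift 2
    [ $# -gt 0 ] || set -- bin sbin usr/bin usr/sbin
    for dir in "$@"; do
        # Pass 1: each trusted file must exist, byte-identical, on the suspect disk.
        if [ -d "$trusted/$dir" ]; then
            ( cd "$trusted/$dir" && find . -type f -exec sh -c '
                other=$1; dir=$2; shift 2
                for f in "$@"; do
                    rel=${f#./}
                    if [ ! -f "$other/$dir/$rel" ]; then echo "MISSING  $dir/$rel"
                    elif ! cmp -s "$f" "$other/$dir/$rel"; then echo "MODIFIED $dir/$rel"
                    fi
                done' sh "$suspect" "$dir" {} + )
        fi
        # Pass 2: files the trusted tree does not have (programs dropped later).
        if [ -d "$suspect/$dir" ]; then
            ( cd "$suspect/$dir" && find . -type f -exec sh -c '
                other=$1; dir=$2; shift 2
                for f in "$@"; do
                    rel=${f#./}
                    [ -f "$other/$dir/$rel" ] || echo "EXTRA    $dir/$rel"
                done' sh "$trusted" "$dir" {} + )
        fi
    done
    return 0
}

# Constructed sample trees (not real system files) to show the three verdicts.
demo_constructed() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/cd/bin" "$tmp/disk/bin"
    echo "ls v1" > "$tmp/cd/bin/ls";  echo "ls patched" > "$tmp/disk/bin/ls"
    echo "ps v1" > "$tmp/cd/bin/ps";  echo "ps v1" > "$tmp/disk/bin/ps"
    echo "cat v1" > "$tmp/cd/bin/cat"; echo "unknown" > "$tmp/disk/bin/newprog"
    compare_trees "$tmp/cd" "$tmp/disk" bin
    rm -rf "$tmp"
}

# Real use: pass the two mount points (hypothetical paths), e.g.
#   sh compare.sh /mnt/reference /mnt/suspect
[ $# -lt 2 ] || compare_trees "$@"
```

A clean report covers only the directories compared and does not clear the machine; the reinstall from trusted media described in the message still applies.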