If you don't know what the files were before, and you don't have a backup, the best
fix will be a clean reinstall.

To prevent it, set up a good firewall.

As extra protection, use something like tripwire to ensure that your files don't
change. The advantage to tripwire is that it can tell you what the files were before
the intrusion.

Russ

Andrew Vogel wrote:

> I woke up this morning to find this email in my system:
>
> Subject: *** Diff Check, Thu Apr 20 00:02:50 EDT 2000 ***
> Security Warning: Change in Suid Root files found :
>                 - Added suid root files : /bin/mount
>                 - Added suid root files : /bin/ping
>                 - Added suid root files : /bin/su
>                 - Added suid root files : /bin/umount
>                 - Added suid root files : /sbin/dump
>                 - Added suid root files : /sbin/pwdb_chkpwd
>                 - Added suid root files : /sbin/restore
>                 - Added suid root files : /usr/X11R6/bin/Xwrapper
>                 - Added suid root files : /usr/bin/at
>                 - Added suid root files : /usr/bin/chage
>                 - Added suid root files : /usr/bin/chfn
>                 - Added suid root files : /usr/bin/chsh
>                 - Added suid root files : /usr/bin/crontab
>                 - Added suid root files : /usr/bin/dos
>                 - Added suid root files : /usr/bin/gpasswd
>                 - Added suid root files : /usr/bin/lpq
>                 - Added suid root files : /usr/bin/lpr
>                 - Added suid root files : /usr/bin/lprm
>                 - Added suid root files : /usr/bin/newgrp
>                 - Added suid root files : /usr/bin/passwd
>                 - Added suid root files : /usr/bin/procmail
>                 - Added suid root files : /usr/bin/rcp
>                 - Added suid root files : /usr/bin/rlogin
>                 - Added suid root files : /usr/bin/rsh
>                 - Added suid root files : /usr/bin/sperl5.6.0
>                 - Added suid root files : /usr/bin/suidperl
>                 - Added suid root files : /usr/bin/urpmi
>                 - Added suid root files : /usr/lib/telnetd/login
>                 - Added suid root files : /usr/libexec/pt_chown
>                 - Added suid root files : /usr/sbin/sendmail
>                 - Added suid root files : /usr/sbin/traceroute
>                 - Added suid root files : /usr/sbin/userhelper
>                 - Added suid root files : /usr/sbin/usernetctl
>
> Security Warning: Changes in Suid Group files found :
>                 - Added suid group files : /usr/sbin/sendmail
>
> Security Warning: Change in World Writeable Files found :
>                 - Removed writables files : /tmp/fileUcAjVM
>
> Security Warning: the md5 checksum for one of your SUID files has changed,
>         maybe an intruder modified one of these suid binary in order to put in a
> backdoor...
>                 - Checksum changed files : /usr/bin/suidperl
>
> Security Warning: There is modifications for port listening on your machine :
>                 -  Opened ports : tcp        0      0 *:6000                  *:*   LISTEN      658/X
>                 -  Opened ports : tcp        0      0 *:1024                  *:*   LISTEN      651/kdm
>                 -  Opened ports : tcp        0      0 *:10000                 *:*   LISTEN      586/perl
>                 -  Opened ports : tcp        0      0 *:www                   *:*   LISTEN      520/httpd
>                 -  Opened ports : udp        0      0 *:xdmcp                 *:*               651/kdm
>                 -  Opened ports : udp        0      0 *:10000                 *:*               586/perl
>                 - Closed ports  : tcp        0      0 *:www                   *:*   LISTEN      3244/httpd
>                 - Closed ports  : tcp        0      0 *:10000                 *:*   LISTEN      1996/perl
>                 - Closed ports  : tcp        0      0 *:6000                  *:*   LISTEN      660/X
>                 - Closed ports  : tcp        0      0 *:1024                  *:*   LISTEN      653/kdm
>                 - Closed ports  : udp        0      0 *:10000                 *:*               1996/perl
>                 - Closed ports  : udp        0      0 *:xdmcp                 *:*               653/kdm
>
> ...I've been hacked! The questions, now, are: 1. How do I fix this? and 2. How
> do I prevent it from happening again?
>
> ===========================================================================
> Andrew Vogel: Program Manager at the University of Cincinnati College of
> Pharmacy. Actor, director, dog (JRT) lover, Miata owner, & much, much more!
> My homepage: "http://www.drewvogel.com".         Play I-War, FF7PC, & BC3K!
> Offical BC3K Tester.  Linux!                 "The only way OUT is THROUGH."
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> dug: you da man! you da man!                "Drew Vogel is its own reward."
> ric: isn't "the man" the guy who's always bringing everyone down?
> dug: nope! 'cause YOU da man!!                  Email: [EMAIL PROTECTED]
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
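The report Andrew quotes is a baseline-versus-current diff of setuid binaries, and the tripwire-style check Russ recommends is the same idea with a checksum kept from a known-clean state. Below is an added example of that check as a small shell script; it is not code from this thread, from msec, or from tripwire. It assumes GNU coreutils md5sum and paths without spaces or newlines. The `demo` function builds a constructed fake root tree in a temp directory (owned by the current user, since an unprivileged user cannot create root-owned files) and shows what a trojaned suidperl, a dropped setuid shell, and a stripped setuid bit look like in the output.

```shell
#!/bin/sh
# Added example (not from the original thread, msec, or tripwire): a minimal
# tripwire-style baseline/diff for setuid binaries.
# Assumptions: GNU coreutils md5sum; file paths contain no spaces or newlines.

# Print "md5  path" for every regular file under DIR that is setuid and owned by
# OWNER (default root), sorted by path. Save this on a known-clean system, ideally
# to read-only or off-host media, so the baseline itself cannot be edited by an
# intruder who gets root later.
suid_baseline() {
    dir=$1
    owner=${2:-root}
    find "$dir" -xdev -type f -user "$owner" -perm -4000 -exec md5sum {} + 2>/dev/null \
        | sort -k2
}

# Compare an old and a new baseline. One line per difference:
#   added   PATH   setuid binary not in the old baseline
#   removed PATH   setuid binary gone, or its setuid bit cleared
#   changed PATH   same path, different md5 (possible backdoored binary)
# FILENAME==ARGV[1] is used instead of the NR==FNR idiom so an empty old
# baseline is handled correctly (everything then shows as added).
suid_diff() {
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
         { new[$2] = $1 }
         END {
             for (p in new) if (!(p in old)) print "added   " p
             for (p in old) if (!(p in new)) print "removed " p
             for (p in new) if ((p in old) && old[p] != new[p]) print "changed " p
         }' "$1" "$2" | sort
}

# Constructed demo tree (hypothetical paths, owned by the current user, hence the
# $(id -un) owner filter rather than root). Returns the diff on stdout.
demo() {
    me=$(id -un)
    t=$(mktemp -d) || return 1
    mkdir -p "$t/bin" "$t/usr/bin"
    # chmod runs after the write: writing to a file can clear its setuid bit.
    printf 'original su\n'   > "$t/bin/su";           chmod 4755 "$t/bin/su"
    printf 'original perl\n' > "$t/usr/bin/suidperl"; chmod 4755 "$t/usr/bin/suidperl"
    printf 'not suid\n'      > "$t/bin/ls";           chmod 0755 "$t/bin/ls"

    suid_baseline "$t" "$me" > "$t/baseline.old"

    # Simulate an intrusion: trojan suidperl, drop a setuid shell, strip su's bit.
    printf 'backdoored perl\n' > "$t/usr/bin/suidperl"; chmod 4755 "$t/usr/bin/suidperl"
    printf 'rootshell\n'       > "$t/bin/.sh";          chmod 4755 "$t/bin/.sh"
    chmod 0755 "$t/bin/su"

    suid_baseline "$t" "$me" > "$t/baseline.new"
    suid_diff "$t/baseline.old" "$t/baseline.new"
    rm -rf "$t"
}
```

On a real host you would run `suid_baseline /` as root once on a clean install, store the output off the machine, and diff a fresh run against it from cron. Note the limit that applies equally to msec and tripwire: the checksums are only as trustworthy as the md5sum, find and awk binaries and the kernel doing the checking, so a rootkit that replaces those can hide from this report, which is one reason Russ's advice to reinstall from clean media when there is no trusted baseline is sound.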
