I had someone get into one of my machines when I stupidly left telnet running and an email from the system much like yours was what first alerted me to it. The kiddie had installed a new ls which didn't allow any switches. I imagine '-l' is needed for the suid check, so it fails and reports all the files as changing. I ran chkrootkit and it turned up nothing. The kiddie had also replaced several other programs (login and ps were among them) and turned off syslog. I'm lucky to have several other systems, so i was able to copy over known original versions of the system tools that were changed and get the machine secured before moving all the accounts and reinstalling.

Bad move, backup important data and reinstall your host, you cannot tell which applications are affected or not (just spotted the obvious ones).

If you intend to keep it running, well thats a security incident imho.

Please consider it.

I think you misread my message. Did "moving all the accounts and reinstalling" imply that I didn't do a reinstall? I simply copied over known original programs so I could make my backup and do some postmortem before reinstalling the system. As you say, who knows what other program were changed. I wanted to use known good binaries.

Clint Gilders <[EMAIL PROTECTED]>
Director of Technology Services
OnlineHobbyist.com, Inc.
[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to