On Fri 16 Sep 2005 09:50:36 NZST +1200, Nick Rout wrote:

> I am embarrassed to say that my home system has been hacked into

You mean logged into?  ;(

> I then grepped my auth.log (and the copies that had been log rotated)
> for root logins and discovered that there had been two on the same day 

They didn't bother to delete their log entries? How unprofessional.

> I thought I had better start taking a look around and tried to emerge
> chkrootkit

Compiling chkrootkit on a cracked box? Don't waste your time.

> chkrootkit reported nothing untoward

If it reports "infected" you know you've had it.
If it reports nothing, you know nothing!!!

> I am now worried that it is extremely likely that something has been
> compromised

Don't kid yourself. You have a reinstall job for this weekend.

If you want to do any forensics on it, you'll need a copy of the entire
hard disk. You can either take the disk out and copy it on another
machine, or try booting a rescue system. Of course after a real hacker
you'd be sending the motherboard back to the manufacturer...

When using a rescue system, do not mount the disk, use dd to copy it. If
you absolutely have to, mount noexec. Running any binary from the
infected disk once means your rescue system is history too. I've seen
it. Of course if you don't have another computer with a disk big enough
to hold the entire bad disk once, much better twice, you have a problem.

> But this
> weekend I have the choice of doing further tests, or doing a complete
> re-install (/home is on a separate partition). What do people recommend?

Both!!!!

> I guess the real concern is how they managed to log in in the first
> place.

Work out how they snooped your root password. Your bigger worry is all
the other machines you're using, not the one which you know has had it.

Volker

PS Good luck :(

-- 
Volker Kuhlmann                 is possibly list0570 with the domain in header
http://volker.dnsalias.net/             Please do not CC list postings to me.
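An added example, not from Volker's message or anyone else on the list, of the acquisition step he describes: copy the suspect disk with dd without ever mounting it, record hashes of source and image, and mount only the verified image read-only with noexec. It assumes a POSIX sh with dd and either sha256sum or shasum; safe_mount_image needs root and is not run by the demo.

```sh
#!/bin/sh
# Added example, not from the thread: forensic acquisition of a suspect disk.
# The disk is never mounted; dd copies it, hashes are recorded, and only the
# verified image is mounted, read-only and noexec.
# SHA-256 of a file or block device; assumes sha256sum or shasum is installed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_and_verify SRC IMG [BS]: copy SRC (e.g. /dev/sdb) to IMG with dd.
# conv=noerror,sync reads past bad sectors and zero-fills them so offsets in
# the image match the disk.  Caveat: sync pads the final block to BS, so BS
# must divide the device size (512 always does) or the hashes will differ.
# Returns 0 when the image hash equals the source hash, 1 otherwise.
image_and_verify() {
    src=$1; img=$2; bs=${3:-512}
    src_hash=$(hash_file "$src") || return 1
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>/dev/null || return 1
    img_hash=$(hash_file "$img") || return 1
    printf '%s  source\n%s  image\n' "$src_hash" "$img_hash" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Mount the verified image (never the original disk) with no exec, no setuid
# and no device nodes, so nothing on it can run on the rescue system. Needs root.
safe_mount_image() {
    mkdir -p "$2" && mount -o ro,noexec,nosuid,nodev,loop "$1" "$2"
}

# Demo on a constructed 64 KiB "disk" file so no real device or root is needed.
demo() {
    work=$(mktemp -d)
    dd if=/dev/zero of="$work/suspect.disk" bs=512 count=128 2>/dev/null
    printf 'constructed sample sector data\n' |
        dd of="$work/suspect.disk" conv=notrunc 2>/dev/null
    if image_and_verify "$work/suspect.disk" "$work/suspect.img"; then
        echo "image verified:"; cat "$work/suspect.img.sha256"; rc=0
    else
        echo "hash mismatch: re-acquire the image"; rc=1
    fi
    rm -rf "$work"
    return "$rc"
}

demo
```

On a real box, boot the rescue system, run image_and_verify /dev/sdX /mnt/evidence/disk.img, and keep the .sha256 file with the image; if the hashes disagree, the copy is not evidence and has to be taken again.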
