On Fri 16 Sep 2005 09:50:36 NZST +1200, Nick Rout wrote:

> I am embarrassed to say that my home system has been hacked into

You mean logged into? ;(

> I then grepped my auth.log (and the copies that had been log rotated)
> for root logins and discovered that there had been two on the same day

They didn't bother to delete their log entries? How unprofessional.

> I thought I had better start taking a look around and tried to emerge
> chkrootkit

Compiling chkrootkit on a cracked box? Don't waste your time.

> chkrootkit reported nothing untoward

If it reports "infected" you know you've had it. If it reports nothing, you know nothing!!!

> I am now worried that it is extremely likely that something has been
> compromised

Don't kid yourself. You have a reinstall job for this weekend.

If you want to do any forensics on it, you'll need a copy of the entire hard disk. You can either take the disk out and copy it on another machine, or try booting a rescue system. Of course after a real hacker you'd be sending the motherboard back to the manufacturer...

When using a rescue system, do not mount the disk; use dd to copy it. If you absolutely have to, mount noexec. Running any binary from the infected disk once means your rescue system is history too. I've seen it.

Of course if you don't have another computer with a disk big enough to hold the entire bad disk once, much better twice, you have a problem.

> But this
> weekend I have the choice of doing further tests, or doing a complete
> re-install (/home is on a separate partition). What do people recommend?

Both!!!!

> I guess the real concern is how they managed to log in in the first
> place.

Work out how they snooped your root password. Your bigger worry is all the other machines you're using, not the one which you know has had it.

Volker

PS Good luck :(

-- 
Volker Kuhlmann is possibly list0570 with the domain in header
http://volker.dnsalias.net/
Please do not CC list postings to me.
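The imaging procedure the reply describes (copy the whole disk with dd from a rescue system, never mount it, and if you absolutely must look at it in place, mount it noexec), as an added shell example that is not part of the original thread or anyone's posted code. The function names `image_disk` and `mount_readonly_noexec` are chosen here; it assumes a POSIX sh with dd, sha256sum, cut and mount on the rescue system, and that the source is a block device or a file whose size is a multiple of 512 bytes (true for any real disk).

```shell
#!/bin/sh
# Added example, not from the original thread: image a suspect disk from a
# rescue system without ever mounting it, then verify the copy by hash.
set -eu

# image_disk SRC DST
#   Byte-for-byte copy of SRC (block device or file) to DST with dd, then
#   compare SHA-256 of source and copy. Prints the hash and returns 0 on a
#   match, 1 otherwise. bs=512 matches the sector size, and
#   conv=noerror,sync keeps reading past bad sectors (zero-filling them)
#   instead of aborting the whole image; on a clean disk the hashes match.
#   The reply's advice is to make this copy twice: work on one, keep the
#   other untouched.
image_disk() {
    src=$1
    dst=$2
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    if [ "$src_hash" = "$dst_hash" ]; then
        echo "$dst_hash"
        return 0
    fi
    echo "hash mismatch: $src_hash != $dst_hash" >&2
    return 1
}

# mount_readonly_noexec IMG DIR
#   Only if the copy has to be inspected in place: loop-mount the image
#   read-only with noexec,nosuid,nodev so nothing on it can be executed
#   from the rescue system. Needs root; shown here, not called below.
mount_readonly_noexec() {
    mount -o ro,noexec,nosuid,nodev,loop "$1" "$2"
}
```

Run it from the rescue system as `image_disk /dev/sdX /mnt/evidence/sdX.img` with the destination on a separate, known-good disk; record the printed hash somewhere off the suspect machine so the image can be re-verified before any analysis.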
