On Wednesday 22 March 2006 09:55, Loren H. Burlingame wrote:
> I recently noticed that a system I am responsible for was sending out
> a bunch of spam messages. I logged into it and sure enough it was a
> cracked user account which was responsible.

Unplug the network cable, reboot with a utility CD, make a backup image (with 
dd/tar/whatever) onto another media, and reload from system disks.

> I immediately locked down SSHD to certain users with strong passwords
> (should have done this before, I know), killed the offending processes
> and looked for replaced executables.

If they've gotten root (which they may have), going through ssh is a burden.  
They may have installed a rootkit and can still get what they want.

> Fortunately, the "hacker" (more like script kiddie) was not able to
> get access to root by the look of it. Also they managed to not delete
> their .bash_history file.

Never trust log files when a compromise has happened, unless they're remotely 
captured onto a secured host.  Even then they can be trusted only up to the 
compromise.

Dave Carlson
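The imaging step recommended above (network unplugged, boot from a utility CD, dd the disk onto separate media) is only useful later if you can prove the image is a faithful copy. The script below is an added example, not code from the thread or from either poster: it images a source with dd, records SHA-256 hashes of source and image in an evidence log, and re-verifies the image on demand. A constructed 1 MiB scratch file stands in for the compromised disk; on a real system the source would be the block device (e.g. /dev/sda) and the destination would live on other media.

```shell
#!/bin/sh
# Added example, not from the original thread. Image a disk with dd,
# record SHA-256 hashes in a log, and re-verify the image later.
# A constructed scratch file replaces the real block device here.

# image_disk SRC DEST LOG: copy SRC to DEST byte-for-byte, hash both,
# append both hashes to LOG. Returns 0 when the image matches the source.
image_disk() {
    src="$1"; dest="$2"; log="$3"
    # noerror: keep reading past unreadable sectors; sync: zero-pad a short
    # read so later offsets still line up with the original disk.
    # bs=512 equals the sector size, so a whole device is never padded
    # (a larger bs that does not divide the device size would change the hash).
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dest_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source %s %s\n' "$stamp" "$src" "$src_hash" >> "$log"
    printf '%s image %s %s\n' "$stamp" "$dest" "$dest_hash" >> "$log"
    [ "$src_hash" = "$dest_hash" ]
}

# verify_image DEST LOG: recompute DEST's hash and compare it with the value
# logged for it. Returns 0 if unchanged, 1 if altered or never logged.
# Log line layout: <timestamp> image <path> <sha256>
verify_image() {
    dest="$1"; log="$2"
    logged=$(awk -v d="$dest" '$2 == "image" && $3 == d { h = $4 } END { print h }' "$log")
    [ -n "$logged" ] || return 1
    [ "$(sha256sum "$dest" | cut -d' ' -f1)" = "$logged" ]
}

# demo: run the whole flow on a constructed 1 MiB zero-filled "disk",
# then corrupt one byte of the image and confirm verification catches it.
demo() {
    work=$(mktemp -d) || return 1
    dd if=/dev/zero of="$work/disk.raw" bs=512 count=2048 2>/dev/null || return 1
    image_disk "$work/disk.raw" "$work/disk.img" "$work/evidence.log" || return 1
    verify_image "$work/disk.img" "$work/evidence.log" || return 1
    # Overwrite a single byte of the image in place (notrunc keeps the size).
    printf 'x' | dd of="$work/disk.img" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify_image "$work/disk.img" "$work/evidence.log"; then
        return 1   # tampering went unnoticed: treat as failure
    fi
    rm -rf "$work"
    return 0
}
```

Run `demo` to exercise the flow, or call `image_disk /dev/sda /mnt/evidence/sda.img /mnt/evidence/log` from the rescue environment and keep the log with the image; `verify_image` then answers, at any later point, whether the copy being analysed is still the one that was taken.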