You also might try booting the system (off the network) with a distro like
P.H.L.A.K. or FIRE. I know there are a couple other forensic boot distros,
but those are the two I've used most.  Any other good forensic distros out
there?

On 3/22/06, Dave Carlson <thecubic at thecubic.net> wrote:
>
> On Wednesday 22 March 2006 09:55, Loren H. Burlingame wrote:
> > I recently noticed that a system I am responsible for was sending out
> > a bunch of spam messages. I logged into it and sure enough it was a
> > cracked user account which was responsible.
>
> Unplug the network cable, reboot with a utility CD, make a backup image (with
> dd/tar/whatever) onto another media, and reload from system disks.
>
> > I immediately locked down SSHD to certain users with strong passwords
> > (should have done this before, I know), killed the offending processes
> > and looked for replaced executables.
>
> If they've gotten root (which they may have), going through ssh is a burden.
> They may have installed a rootkit and can still get what they want.
>
> > Fortunately, the "hacker" (more like script kiddie) was not able to
> > get access to root by the look of it. Also they managed to not delete
> > their .bash_history file.
>
> Never trust log files when a compromise has happened, unless they're remotely
> captured onto a secured host.  Even then they can be trusted only up to the
> compromise.
>
> Dave Carlson
>
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list


--
G. Scott Walters
http://www.apt518.net
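The imaging step from Dave's reply (boot off a utility CD, dd the disk to separate media), as an added shell example that is not from the thread: it copies the device with dd and records SHA-256 hashes of source and image so the copy can be checked before the original is reloaded. It assumes GNU coreutils (dd, sha256sum) on the rescue media; the function names and paths are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Image a disk from a utility-CD boot
# and record hashes so the copy can be verified before the original is
# reloaded. Assumes GNU coreutils (dd, sha256sum) on the rescue media.
# Function names (image_device, verify_image) are this example's own.

# image_device SRC DST
#   SRC: block device of the compromised machine (a regular file works for
#        testing); DST: image file on separate media, never the source disk.
# bs=512 matches the sector size, so conv=sync only pads where a read
# actually failed; conv=noerror keeps going past bad sectors instead of
# aborting the whole image. Any padding shows up later as a hash mismatch.
image_device() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync status=none
}

# verify_image SRC DST
#   Hashes source and image, writes both hashes to DST.sha256 for the case
#   notes, and returns 0 only if they match.
verify_image() {
    src="$1"; dst="$2"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$dst_hash" "$dst" \
        > "$dst.sha256"
    if [ "$src_hash" = "$dst_hash" ]; then
        echo "OK $dst_hash"
        return 0
    fi
    echo "MISMATCH source=$src_hash image=$dst_hash" >&2
    return 1
}

# Typical use from the rescue boot, with the image going to a mounted
# external drive (placeholder paths):
#   image_device /dev/sda /mnt/evidence/sda.img && \
#   verify_image /dev/sda /mnt/evidence/sda.img
```

Run it from the utility CD, not from the compromised OS, since a rootkit on the running system can lie to both dd and sha256sum.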