Re: Was I hacked?


Subject: Re: Was I hacked?
From: Chuq Von Rospach (chuqui@plaidworks.com)
Date: Thu Aug 17 2000 - 12:01:46 MDT


At 1:34 PM -0400 8/17/00, Israel Alvarez wrote:

>I did a find / -mtime 1 to find files modified in the last day, and saw
>nothing suspicious, but I don't know if there's a way of spoofing that.

Sure is.

> Any
>suggestions? Should I take my server down for a few days? Is there some
>software I can install to block/track possible attacks? Or is this even
>really a cracker?

Assume you've been hacked. Start by changing all your passwords, and
check EVERYTHING. Manually look at all of your admin files for things
that look different. And while it's a little late now, grab and
install a copy of this <http://www.cs.tut.fi/~rammer/aide.html> to
keep an eye out for changed checksums and the like -- you can't trust
dates against a good (or even adequate) cracker.

If you aren't convinced you're okay, back up your personal files and
re-install from the distribution, and evaluate everything you add
back from the backups to see whether it could be hacked and re-open
your system....

Be paranoid. It's a lot of work, but better than the alternatives.

-- 
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
Apple Mail List Gnome (mailto:chuq@apple.com)

And they sit at the bar and put bread in my jar and say 'Man, what are you doing here?'"
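
The point made in the message above, that a date check such as find / -mtime 1 can miss a change that a checksum comparison catches, shown as an added example that is not part of the original post and is not AIDE's code. The file names, the sample tree and the helper functions are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash file contents in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map each regular file under root to (sha256, mtime in ns)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                snap[os.path.relpath(p, root)] = (sha256_of(p), os.stat(p).st_mtime_ns)
    return snap

def compare(baseline, current):
    """Return (changed per mtime, changed per hash, added, removed)."""
    common = baseline.keys() & current.keys()
    by_mtime = sorted(p for p in common if baseline[p][1] != current[p][1])
    by_hash = sorted(p for p in common if baseline[p][0] != current[p][0])
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    return by_mtime, by_hash, added, removed

def demo():
    """Constructed scenario: content changes, modification time is put back."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("inetd.conf", b"ftp stream tcp\n"), ("motd", b"welcome\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = snapshot(root)              # taken while the tree is known good
        target = os.path.join(root, "inetd.conf")
        st = os.stat(target)
        with open(target, "ab") as f:
            f.write(b"extra line\n")           # content no longer matches baseline
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # date looks untouched
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    by_mtime, by_hash, added, removed = demo()
    print("flagged by mtime:", by_mtime)
    print("flagged by hash: ", by_hash)
```

A baseline is only useful if it was taken before any compromise and is kept somewhere the monitored host cannot write to, such as read-only media.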



This archive was generated by hypermail 2a24 : Thu Aug 17 2000 - 12:06:44 MDT