Re: Was I hacked?


Subject: Re: Was I hacked?
From: Maurice van Steensel (mvanstee@baserv.uci.kun.nl)
Date: Thu Aug 17 2000 - 16:23:53 MDT


On 17-08-2000 at 13:34, is@isaka.net (Israel Alvarez) wrote:

>
> When I telnetted into my YDL server this morning, I was greeted by this:
>
> "Last login: Wed Aug 16 11:31:58 from
> ip-64-63-37-99.reverse.mobilenetics.com"
>
> no one but me should be accessing this machine, and I don't recognize the
> domain or the ip (I assume it is 64.63.67.99).
>
> I did a find / -mtime 1 to find files modified in the last day, and saw
> nothing suspicious, but I don't know if there's a way of spoofing that. Any
> suggestions? Should I take my server down for a few days? Is there some
> software I can install to block/track possible attacks? Or is this even
> really a cracker?
>
> I don't want my machine to wind up being part of someone's DDOS attack.
> --
>
> Israel Alvarez
> is at isaka dot net
> propellerhead without portfolio
> isaka studio
> "The crimes of eBay are a disgrace to its pig latin heritage"
Yep.
Looks like the possibility exists. It may be innocent, but then again it may
not. A good cracker would have left no trace at all, so my guess would be a
kiddie with a rootkit.
Lots of ways to spoof everything and change logs. Take the machine off the net.
My suggestion would be to back up your work, re-install everything (I'm serious)
and then configure your system properly (see imaclinux.net for a rundown; try
searching for "security"). DO NOT enable any service that you don't need; install
ssh, portsentry and Tripwire or a related tool. Check your stuff. Modification
dates can be changed; Tripwire computes strong checksums to circumvent that
problem. Any questions - we'll be happy to answer those as best we can.

Maurice
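The point Maurice makes above (a mtime-based sweep such as find -mtime can be fooled, a checksum baseline cannot) in working form. This is an added example for the archive, not code from either poster or from Tripwire itself: it builds a throw-away directory with constructed stand-in files, takes a Tripwire-style baseline of SHA-256 digests, then simulates an intruder replacing a binary, copying the original timestamps back with os.utime, and dropping an extra file. The directory layout and file names are invented for the demo.

```python
"""Added example (not from the original thread): minimal Tripwire-style
baseline/verify pass showing why `find -mtime` misses a trojaned file
whose timestamps were restored, while strong checksums catch it.
All paths and file contents below are constructed for the demo."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Strong checksum of a file, streamed so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Record digest, size and mtime (ns) of every regular file under root."""
    db = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            db[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return db


def mtime_sweep(root: Path, db: dict) -> list:
    """What a `find / -mtime` style check sees: files whose mtime moved."""
    return sorted(name for name, rec in db.items()
                  if (root / name).stat().st_mtime_ns != rec["mtime_ns"])


def verify(root: Path, db: dict) -> dict:
    """Tripwire-style comparison of the tree against the stored baseline."""
    current = baseline(root)
    modified = sorted(n for n in db
                      if n in current and current[n]["sha256"] != db[n]["sha256"])
    added = sorted(set(current) - set(db))
    removed = sorted(set(db) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Simulate a kiddie-with-a-rootkit scenario in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        ls = root / "bin" / "ls"
        # Constructed stand-in for a system binary.
        ls.write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

        db = baseline(root)           # taken while the system is still clean

        # Intruder trojans ls, then copies the original atime/mtime back,
        # which is exactly the spoof that defeats a `find -mtime` sweep.
        st = ls.stat()
        ls.write_bytes(b"#!/bin/sh\n# backdoor\nexec /bin/ls \"$@\"\n")
        os.utime(ls, ns=(st.st_atime_ns, st.st_mtime_ns))
        # ... and drops a new file the baseline never saw (constructed name).
        (root / "etc" / "ld.so.preload").write_text("/lib/evil.so\n")

        return {"mtime_sweep": mtime_sweep(root, db), "tripwire": verify(root, db)}


if __name__ == "__main__":
    result = demo()
    print("mtime sweep found:", result["mtime_sweep"])      # []
    print("checksum verify found:", result["tripwire"])
```

The mtime sweep reports nothing, while the checksum pass reports bin/ls as modified and etc/ld.so.preload as added. The caveat that applies to the real tool as much as to this sketch: the baseline has to be taken on a clean system and kept somewhere the intruder cannot rewrite (read-only media or another host), and a kernel-level rootkit can lie to the verifier about file contents just as it lies about timestamps, which is why the advice above is to reinstall rather than trust checks run on the compromised box.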



This archive was generated by hypermail 2a24 : Thu Aug 17 2000 - 16:27:56 MDT