Re: Was I hacked?


Subject: Re: Was I hacked?
From: herb (herb@kinetekpharm.com)
Date: Fri Aug 18 2000 - 11:21:52 MDT


Being a relative newbie myself, I'm not sure how much this will help, but I suggest installing and configuring tripwire on your system. While doing so, search for any odd-looking filenames, both binary and scripts. The attacker could have left Trojans behind which may circumvent your newer security measures. For example, changing your passwords may not stop outbound information the Trojan might send back. Then again, I'm not sure if this is even possible, though I think it is. Perhaps with the use of an entry with crond? Or just a time command?

Herbert Lo

Kinetek Pharmaceuticals Inc.
Systems Programming Assistant

At 11:01 AM 8/17/00 -0700, you wrote:
>At 1:34 PM -0400 8/17/00, Israel Alvarez wrote:
>
>>I did a find / -mtime 1 to find files modified in the last day, and saw
>>nothing suspicious, but I don't know if there's a way of spoofing that.
>
>Sure is.
>
>> Any
>>suggestions? Should I take my server down for a few days? Is there some
>>software I can install to block/track possible attacks? Or is this even
>>really a cracker?
>
>Assume you've been hacked. Start by changing all your passwords, and check
>EVERYTHING. Manually look at all of your admin files for things that look
>different. And while it's a little late now, grab and install a copy of
>this <http://www.cs.tut.fi/~rammer/aide.html> to keep an eye out for
>changed checksums and the like -- you can't trust dates against a good (or
>even adequate) cracker.
>
>If you aren't convinced you're okay, back up your personal files and
>re-install from the distribution, and evaluate everything you add back
>from the backups to see whether it could be hacked and re-open your system....
>
>Be paranoid. It's a lot of work, but better than the alternatives.
>
>--
>Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui@plaidworks.com)
>Apple Mail List Gnome (mailto:chuq@apple.com)
>
>"And they sit at the bar and put bread in my jar
>and say 'Man, what are you doing here?'"
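The point Chuq makes above (that `find / -mtime 1` can be spoofed, and that a checksum baseline of the kind tripwire or AIDE keeps is what actually catches a replaced binary) can be shown in a few lines. The block below is an added example written for this archive page; it is not code from the original thread, nor from tripwire or AIDE. It builds a throwaway directory with a constructed stand-in for `/bin/ls`, "trojanizes" it, puts the mtime back with `os.utime()` the way an intruder would with `touch -r`, and then runs two checks: a timestamp-only scan equivalent to `find -mtime -1`, and a hash comparison against the baseline. Only the second one reports the change. The file names, contents and the one-day window are all made up for the demonstration.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Record size, mtime, ctime and SHA-256 for every regular file under root.

    This is the trusted snapshot a tripwire/AIDE-style tool stores; in real
    use it must live on read-only or offline media, because a rootkit that
    can replace /bin/ls can also edit a baseline kept on the same disk.
    """
    root = Path(root)
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            st = p.stat()
            snapshot[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "ctime_ns": st.st_ctime_ns,
                "sha256": sha256_of(p),
            }
    return snapshot


def modified_since(snapshot, since_ns, field="mtime_ns"):
    """Timestamp-only check: the equivalent of `find / -mtime -1`
    (field="mtime_ns") or `find / -ctime -1` (field="ctime_ns")."""
    return sorted(p for p, meta in snapshot.items() if meta[field] >= since_ns)


def compare(baseline, current):
    """Content check: files whose hash differs from the baseline, whatever
    the timestamps claim, plus files that appeared or vanished."""
    changed = sorted(
        p for p in baseline
        if p in current and baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {
        "changed": changed,
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: a stand-in binary is replaced and its mtime reset."""
    now_ns = time.time_ns()
    day_ns = 86_400 * 1_000_000_000
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        ls = root / "bin" / "ls"
        # Constructed stand-in for a system binary; installed "a month ago".
        ls.write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        old = now_ns - 30 * day_ns
        os.utime(ls, ns=(old, old))
        baseline = take_baseline(root)

        # Intruder swaps in a Trojan and restores atime/mtime (touch -r).
        before = ls.stat()
        ls.write_bytes(b"#!/bin/sh\n# (constructed) do something nasty, then\n"
                       b"exec /bin/ls \"$@\"\n")
        os.utime(ls, ns=(before.st_atime_ns, before.st_mtime_ns))

        current = take_baseline(root)
        return {
            "mtime_scan": modified_since(current, now_ns - day_ns, "mtime_ns"),
            "ctime_scan": modified_since(current, now_ns - day_ns, "ctime_ns"),
            "checksum_scan": compare(baseline, current)["changed"],
        }


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind when reading the result. First, `utime()` lets a process set atime and mtime but not ctime, so `find / -ctime -1` would still flag the file here; an intruder defeats that by moving the system clock or writing to the raw device, which is why the thread's advice not to trust dates stands. Second, the hash comparison is only as good as the copy of the baseline and of the tools doing the comparing; run it from clean media, not from the suspect host's own `find` and `sha256sum`.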



This archive was generated by hypermail 2a24 : Fri Aug 18 2000 - 11:18:18 MDT