this don't look good
Stephen Adler
adler at stephenadler.com
Wed Jan 25 08:15:33 EST 2006
AAAAAHHHHHHHHHHHHHHHHHHHH!!!!!!!!!!!!!!!!!!!!!
oh god....
Thanks for the advice... looks like I've got a big job ahead of me...
On Wed, 2006-01-25 at 08:02 -0500, Christopher Schmidt wrote:
> On Wed, Jan 25, 2006 at 07:45:56AM -0500, Stephen Adler wrote:
> > guess what..... I've just issued a last -a on my PC and look what came
> > up... a bunch of people have broken into my root account. Any
> > suggestions as to how I should proceed?
>
> Format the drive. Reinstall. Restore from backups.
>
> (That would be ideal, anyway.)
>
> I'm presuming this is a system you can't just take off the net / turn
> off ssh. If it is such a system, do that now. Next, start killing all
> those processes: they look like they're probably attempting to crack
> other machines.
>
> Assuming it needs to stay on the net, and ssh needs to stay open, block
> root logins. sshd_config: PermitRootLogin no . This won't stop them for
> long, most likely, but it might get you a little farther.
>
> How soon can you get the data here off to another machine, and format
> this one? That should be the first priority: If it needs to be slightly
> longer than is absolutely necessary, do the above steps first.
>
> In my limited experience with this, the (cr|h)acker replaced most of
> /bin/ with versions that were compromised and behaved oddly (although I
> didn't take the time to investigate what was different about them).
>
> In case you didn't get the message yet, you need to reformat and
> reinstall if you want any hope of using the box with any confidence of
> security or protection again.
>
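An added example, not from the thread, that turns the two checks in the reply above into shell functions: one lists root sessions in `last -a` output that arrived from a remote host, the other reports whether an sshd_config text has `PermitRootLogin no` in effect (OpenSSH honours the first uncommented occurrence of a keyword, and only the value `no` blocks root). The `last -a` output and the config fragments are constructed sample data, not from the poster's machine.

```shell
#!/bin/sh
# Added example: triage helpers for a suspected root compromise.
# Assumes the classic `last -a` layout, where -a puts the originating
# host in the last column (empty for local consoles).

# Constructed sample of `last -a` output (not real data).
SAMPLE_LAST='root     pts/1        Wed Jan 25 06:12   still logged in    203.0.113.7
root     pts/0        Wed Jan 25 05:40 - 06:01  (00:21)     198.51.100.23
adler    pts/2        Tue Jan 24 22:10 - 23:55  (01:45)     :0
adler    tty1         Tue Jan 24 20:02 - 22:05  (02:03)
reboot   system boot  Tue Jan 24 19:58         (1+10:13)    2.6.15-1

wtmp begins Mon Jan  2 00:00:01 2006'

# Constructed sshd_config fragments: the default-ish open one and the fix.
SAMPLE_SSHD_OPEN='Port 22
#PermitRootLogin yes
Protocol 2'
SAMPLE_SSHD_FIXED='Port 22
PermitRootLogin no
Protocol 2'

# Print the remote host of every root session whose last column looks like
# a dotted IPv4 address or a dotted hostname; console/X entries (tty1, :0)
# and the reboot/wtmp lines are skipped.
remote_root_logins() {
    printf '%s\n' "$1" | awk '
        $1 == "root" {
            host = $NF
            if (host ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ ||
                host ~ /^[A-Za-z0-9-]+\.[A-Za-z0-9.-]+$/)
                print host
        }'
}

# Exit 0 if the config blocks root logins, 1 otherwise. Only the first
# uncommented PermitRootLogin directive counts; "yes" or
# "without-password" or a missing directive all leave root reachable.
root_login_blocked() {
    printf '%s\n' "$1" | awk '
        BEGIN { ok = 1; found = 0 }
        !found && tolower($1) == "permitrootlogin" {
            found = 1
            ok = (tolower($2) == "no") ? 0 : 1
        }
        END { exit ok }'
}
```

Run `remote_root_logins "$(last -a)"` and `root_login_blocked "$(cat /etc/ssh/sshd_config)"` against a live box; the sample data above yields two remote root hosts and an open config.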