On Wed, Jan 25, 2006 at 07:45:56AM -0500, Stephen Adler wrote:
> guess what..... I've just issued a last -a on my PC and look what came
> up... a bunch of people have broken into my root account. Any
> suggestions as to how I should proceed?

Format the drive. Reinstall. Restore from backups. (That would be ideal, anyway.)

I'm presuming this is a system you can't just take off the net / turn off ssh. If it is such a system, do that now.

Next, start killing all those processes: they look like they're probably attempting to crack other machines.

Assuming it needs to stay on the net, and ssh needs to stay open, block root logins. sshd_config: PermitRootLogin no. This won't stop them for long, most likely, but it might get you a little farther.

How soon can you get the data here off to another machine, and format this one? That should be the first priority: if it needs to be slightly longer than is absolutely necessary, do the above steps first.

In my limited experience with this, the (cr|h)acker replaced most of /bin/ with versions that were compromised and behaved oddly (although I didn't take the time to investigate what was different about them).

In case you didn't get the message yet, you need to reformat and reinstall if you want any hope of using the box with any confidence of security or protection again.

-- 
Christopher Schmidt
Web Developer
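As an added example (not part of the thread), a small POSIX shell triage script that applies two points from the reply above: pulling the remote hosts that logged in as root out of `last -a` output, and reading the effective PermitRootLogin setting from an sshd_config. Both the login records and the config fragment are constructed samples using documentation-range addresses; the host addresses and the user `sadler` are assumptions.

```shell
#!/bin/sh
# Added example: triage helpers for a box whose root account shows foreign logins.
# Both inputs below are constructed samples, not data from the original post.

# Constructed `last -a` output: with -a the hostname/IP is the last field.
SAMPLE_LAST='root     pts/1        Wed Jan 25 03:12   still logged in    198.51.100.23
root     pts/2        Wed Jan 25 02:58 - 03:10  (00:12)     203.0.113.9
root     pts/3        Wed Jan 25 01:30 - 01:44  (00:14)     198.51.100.23
sadler   tty1         Tue Jan 24 21:03 - 22:15  (01:12)
root     tty2         Tue Jan 24 19:40 - 19:45  (00:05)
reboot   system boot  Mon Jan 23 08:00          2.6.12      0.0.0.0

wtmp begins Mon Jan 23 08:00:00 2006'

# Constructed sshd_config fragment with the weak setting still in place.
SAMPLE_SSHD_CONFIG='Port 22
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes'

# Print the distinct remote hosts that logged in as root, most frequent first.
# Input on stdin is `last -a` text. Console logins (no host field, or a
# duration like "(00:05)" as the last field) and the reboot pseudo-user are
# skipped; only entries whose last field looks like a hostname or address count.
remote_root_hosts() {
    awk '$1 == "root" && $NF ~ /^[A-Za-z0-9][A-Za-z0-9.-]*$/ && $NF ~ /\./ && $NF != "0.0.0.0" { print $NF }' |
        sort | uniq -c | sort -rn | awk '{ print $2 }'
}

# Report the effective PermitRootLogin value of an sshd_config read from stdin.
# sshd uses the first non-comment occurrence of a keyword, so later duplicates
# are ignored; an absent directive is reported as "default". Match blocks are
# not interpreted here.
effective_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "default" }'
}

# Wrappers over the constructed samples so the checks run stand-alone.
sample_remote_root_hosts() { printf '%s\n' "$SAMPLE_LAST" | remote_root_hosts; }
sample_permit_root_login() { printf '%s\n' "$SAMPLE_SSHD_CONFIG" | effective_permit_root_login; }

echo "remote root logins came from:"; sample_remote_root_hosts
echo "sshd_config PermitRootLogin is currently: $(sample_permit_root_login)"
```

Run it against the real machine with `last -a | remote_root_hosts` and `effective_permit_root_login < /etc/ssh/sshd_config`, bearing in mind that on a box whose /bin has been replaced the output of `last` itself may not be trustworthy.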