AAAAAHHHHHHHHHHHHHHHHHHHH!!!!!!!!!!!!!!!!!!!!! oh god.... Thanks for the
advice... looks like I've got a big job ahead of me...

On Wed, 2006-01-25 at 08:02 -0500, Christopher Schmidt wrote:
> On Wed, Jan 25, 2006 at 07:45:56AM -0500, Stephen Adler wrote:
> > guess what..... I've just issued a last -a on my PC and look what came
> > up... a bunch of people have broken into my root account. Any
> > suggestions as to how I should proceed?
>
> Format the drive. Reinstall. Restore from backups.
>
> (That would be ideal, anyway.)
>
> I'm presuming this is a system you can't just take off the net / turn
> off ssh. If it is such a system, do that now. Next, start killing all
> those processes: they look like they're probably attempting to crack
> other machines.
>
> Assuming it needs to stay on the net, and ssh needs to stay open, block
> root logins. sshd_config: PermitRootLogin no . This won't stop them for
> long, most likely, but it might get you a little farther.
>
> How soon can you get the data here off to another machine, and format
> this one? That should be the first priority: If it needs to be slightly
> longer than is absolutely necessary, do the above steps first.
>
> In my limited experience with this, the (cr|h)acker replaced most of
> /bin/ with versions that were compromised and behaved oddly (although I
> didn't take the time to investigate what was different about them).
>
> In case you didn't get the message yet, you need to reformat and
> reinstall if you want any hope of using the box with any confidence of
> security or protection again.
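The three defender-side checks that Christopher's advice implies (spot remote root logins in `last -a` output, confirm that sshd_config really has `PermitRootLogin no` in effect, and diff the binaries in /bin against a baseline taken while the machine was still trusted), written up as an added POSIX shell example that is not part of the thread. The `last -a` lines, the sshd_config fragments, the IP addresses and the file contents are all constructed for the example; the function names are mine. One caveat the thread itself raises: on a box whose /bin has been replaced, `last`, `awk` and `sha256sum` may be among the replaced tools, so run checks like these from known-good media rather than from the suspect system's own binaries.

```shell
#!/bin/sh
# Added example, not code from the BLU thread. Constructed inputs throughout.

# --- 1. Remote root logins in `last -a` output ---------------------------
# `last -a` prints the originating host in the last column. Constructed sample:
SAMPLE_LAST='root     pts/1        Wed Jan 25 06:12 - 06:40  (00:28)     203.0.113.45
sadler   pts/0        Wed Jan 25 05:50   still logged in           console
root     pts/2        Tue Jan 24 23:01 - 23:59  (00:58)     198.51.100.7
sadler   tty1         Tue Jan 24 09:00 - 17:02  (08:02)
root     pts/3        Mon Jan 23 02:14 - 02:16  (00:02)     203.0.113.45'

# Print "host count" for every remote host that logged in as root.
# Local sessions (console, a tty, or no host column at all, in which case the
# last field is the "(hh:mm)" duration) are skipped.
remote_root_logins() {
    printf '%s\n' "$1" | awk '$1 == "root" {
        host = $NF
        if (host == "console" || host ~ /^tty[0-9]*$/ || host ~ /^\(.*\)$/) next
        n[host]++
    } END { for (h in n) print h, n[h] }' | sort
}

# --- 2. Is root login actually disabled in sshd_config? -------------------
# Constructed fragments: the state the thread starts from, and the stopgap.
WEAK_SSHD='Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_SSHD='Port 22
PermitRootLogin no
PasswordAuthentication yes'

# Returns 0 only if the first uncommented PermitRootLogin directive in the
# global section says "no". sshd uses the first value it reads for a keyword,
# so a later "no" after an earlier "yes" does not help; a commented-out line
# does nothing; and an absent directive falls back to the compiled-in default,
# which this check treats as not hardened. Only whitespace-separated
# "keyword value" lines are handled, and parsing stops at the first Match block.
permit_root_login_disabled() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { seen = 1; rc = (tolower($2) == "no") ? 0 : 1; exit }
        END { exit (seen ? rc : 1) }
    '
}

# --- 3. Which files under a directory no longer match the baseline? -------
# $1 = manifest written by `sha256sum` (relative paths), $2 = directory root.
# Prints each path whose hash differs; a trojaned /bin is exactly what this surfaces.
changed_files() {
    ( cd "$2" && sha256sum -c "$1" 2>/dev/null ) | sed -n 's/: FAILED$//p'
}

# Self-contained demonstration of check 3 in a scratch directory: take a
# baseline of a fake bin/, then replace bin/ps the way the thread describes.
demo_integrity() {
    root=$(mktemp -d) || return 1
    mkdir "$root/bin"
    printf 'original ls\n' > "$root/bin/ls"
    printf 'original ps\n' > "$root/bin/ps"
    ( cd "$root" && sha256sum bin/ls bin/ps ) > "$root/manifest"   # trusted baseline
    printf 'replacement ps\n' > "$root/bin/ps"                       # simulated trojan
    changed_files "$root/manifest" "$root"
    rm -rf "$root"
}

# Stand-alone run on the constructed inputs.
echo "remote root logins (host count):"
remote_root_logins "$SAMPLE_LAST"
for cfg in WEAK_SSHD HARDENED_SSHD; do
    eval "text=\$$cfg"
    if permit_root_login_disabled "$text"; then
        echo "$cfg: root login disabled"
    else
        echo "$cfg: root login still permitted"
    fi
done
echo "files changed since baseline:"
demo_integrity
```

The login check is deliberately conservative: it only counts sessions that `last` attributes to a remote host, so a root session from the console is not reported. The sshd_config check mirrors how sshd resolves duplicate keywords (first value wins), which is the usual way a "PermitRootLogin no" added at the bottom of the file silently fails to take effect.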