Stephen Adler <adler at stephenadler.com> wrote:

> a bunch of people have broken into my root account. Any
> suggestions as to how I should proceed?

Unfortunately the person who recommended that you reformat the hard drive and reinstall from distribution is right. Unless you devote a lot of time to figuring out what backdoors might have been installed, and have a lot of expertise to know what you're looking for, you probably won't have confidence that the hackers have been locked out.

An example of a backdoor on your system is the program "./f" shown in the process listing. You could search the system for directories containing that filename and remove it. But undoubtedly there has been additional meddling.

Once you have addressed the break-in to your satisfaction, try running a trip wire program like Samhain (http://la-samhna.de/samhain/). It will tell you the details of any changes to system files. Few hackers would have the time and savvy to defeat it, though I'm sure it's possible.

There are a variety of countermeasures you can install to prevent future attempts, but the general rule is to disable all unnecessary applications. If you don't use sshd to get access from outside: install a firewall and block port 22. If you don't need to compile programs, deinstall gcc or render it inoperative.

I also have discovered there is more "security in obscurity" than many experts think. By moving sshd to a high-numbered port (instead of 22) I see no break-in attempts at all on my system--over a period of years--vs the more-typical several dozen per day if you leave port 22 visible.

Eventually someone will get into my system, most likely. A security hole will be found and I'll be lazy about updating my mail server or Apache or whatever. But at least I'll be able to track down what the hacker does.

-rich
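To make the two pieces of advice above concrete (searching the filesystem for a file with a known suspicious name, and running a trip-wire style check that reports which system files changed), here is a small Python illustration. It is an added example, not code from the list post and not part of Samhain; the function names `build_baseline`, `compare_baselines`, `find_by_name` and `demo` are this example's own, and the files it inspects are constructed in a temporary directory rather than taken from a real host.

```python
"""Minimal file-integrity baseline in the spirit of a trip-wire check.

Samhain and similar tools do far more (off-host databases, signed
baselines, kernel checks); this is an added, self-contained illustration.
build_baseline(root) records a SHA-256, mode and size per regular file,
compare_baselines(old, new) reports added / removed / modified paths, and
find_by_name(root, name) locates files with a given basename, the way one
might look for the "f" binary seen in a process listing.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to its attributes."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks, sockets, devices are skipped here
            rel = os.path.relpath(full, root)
            st = os.stat(full)
            baseline[rel] = {
                "sha256": sha256_file(full),
                "mode": st.st_mode,
                "size": st.st_size,
            }
    return baseline


def compare_baselines(old, new):
    """Return the paths that appeared, vanished, or changed between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def find_by_name(root, name):
    """Locate every file with exactly this basename below root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, diff it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"original ls")
        with open(os.path.join(root, "passwd"), "wb") as fh:
            fh.write(b"root:x:0:0")
        before = build_baseline(root)

        # Simulated tampering (constructed): replace a binary, drop a hidden
        # file named "f" in a dot-directory, delete a config file.
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"trojaned ls")
        os.makedirs(os.path.join(root, "tmp", ".hidden"))
        with open(os.path.join(root, "tmp", ".hidden", "f"), "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        os.remove(os.path.join(root, "passwd"))

        after = build_baseline(root)
        report = compare_baselines(before, after)
        suspicious = [os.path.relpath(p, root) for p in find_by_name(root, "f")]
        return report, suspicious


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the baseline: it has to be taken from a known-good install (hence the reinstall advice above) and the stored hashes kept somewhere the host cannot silently rewrite, such as read-only media or another machine, which is what the real trip-wire tools arrange for you.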