this don't look good
Christopher Schmidt
crschmidt at crschmidt.net
Wed Jan 25 08:02:47 EST 2006
On Wed, Jan 25, 2006 at 07:45:56AM -0500, Stephen Adler wrote:
> guess what..... I've just issued a last -a on my PC and look what came
> up... a bunch of people have broken into my root account. Any
> suggestions as to how I should proceed?
Format the drive. Reinstall. Restore from backups.
(That would be ideal, anyway.)
I'm presuming this is a system you can't just take off the net / turn
off ssh. If it is such a system, do that now. Next, start killing all
those processes: they look like they're probably attempting to crack
other machines.
Assuming it needs to stay on the net, and ssh needs to stay open, block
root logins. sshd_config: PermitRootLogin no . This won't stop them for
long, most likely, but it might get you a little farther.
How soon can you get the data here off to another machine, and format
this one? That should be the first priority: If it needs to be slightly
longer than is absolutely necessary, do the above steps first.
In my limited experience with this, the (cr|h)acker replaced most of
/bin/ with versions that were compromised and behaved oddly (although I
didn't take the time to investigate what was different about them).
In case you didn't get the message yet, you need to reformat and
reinstall if you want any hope of using the box with any confidence of
security or protection again.
--
Christopher Schmidt
Web Developer
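As an added illustration of the two checks named in the reply above (this is not code from the thread or from either poster), the script below parses `last -a` output, flags root sessions that arrived from a network host, and reports the effective PermitRootLogin directive from an sshd_config text; the login lines and host addresses are constructed samples.

```python
import re

# Constructed sample of `last -a` output (hypothetical hosts from RFC 5737 ranges).
# With -a, the originating host is printed in the last column.
SAMPLE_LAST_A = """\
root     pts/2        Wed Jan 25 07:10   still logged in    203.0.113.45
root     pts/1        Wed Jan 25 06:12 - 06:40  (00:28)     203.0.113.45
root     pts/0        Wed Jan 25 05:58 - 06:03  (00:05)     198.51.100.7
stephen  pts/0        Tue Jan 24 20:15 - 20:45  (00:30)     192.168.1.20
stephen  tty1         Tue Jan 24 21:03 - 22:10  (01:07)
reboot   system boot  Mon Jan 23 09:00   still running      2.6.15-1
wtmp begins Mon Jan 23 09:00:00 2006
"""

LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<start>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2})\s*(?P<rest>.*)$"
)
# Tokens that can end a line when no origin host was recorded (console login).
NOT_A_HOST = {"in", "logout", "running", "down", "crash", "-"}

def parse_last(text):
    """Return (user, tty, start, host) tuples; host is '' for local console logins."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] in ("reboot", "shutdown", "wtmp"):
            continue  # boot records and the trailing 'wtmp begins' line
        tokens = m["rest"].split()
        host = ""
        if tokens and not tokens[-1].startswith("(") and tokens[-1] not in NOT_A_HOST:
            host = tokens[-1]
        sessions.append((m["user"], m["tty"], m["start"], host))
    return sessions

def remote_root_logins(sessions):
    """Root sessions that came in from a network host: what the thread is reacting to."""
    return [s for s in sessions if s[0] == "root" and s[3]]

def permit_root_login(sshd_config_text):
    """Value of the first active PermitRootLogin directive (sshd honours the first
    occurrence of a keyword), or None if the compiled-in default applies."""
    for line in sshd_config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower()
    return None
```

Run against real `last -a` output by piping it in; a non-empty result from remote_root_logins() or a PermitRootLogin value other than "no" is the condition the reply tells the poster to act on.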