Complete.Org: Mailing Lists: Archives: discussion: May 2001:
[aclug-L] Re: I've been hacked

[aclug-L] Re: I've been hacked

To: <discussion@xxxxxxxxx>
Subject: [aclug-L] Re: I've been hacked
From: "John Alexander" <johnalexander@xxxxxxxxxxx>
Date: Fri, 18 May 2001 17:17:45 -0500
Reply-to: discussion@xxxxxxxxx

Yep, you've had a root kit dropped.
http://www.whitehats.com/library/worms/lion/ for more details. I'm in the
process of rebuilding my entire hosting mechanism, since it hit every
machine on my network (I know, I know, I should have kept up with the
updates).

ja

-----Original Message-----
From: discussion-bounce@xxxxxxxxx [mailto:discussion-bounce@xxxxxxxxx] On
Behalf Of Bruce Bales
Sent: Friday, May 18, 2001 4:24 PM
To: discussion@xxxxxxxxx
Subject: [aclug-L] I've been hacked

I think I have my firewall set up, but am still trying to refine it.
Going thru "Securing and Optimizing Linux," I got to the chapter on
Unusual or Hidden files.  I ran the find / -nouser -o -nogroup on the
firewall box and it found two hidden directories in /usr/src - .puta and
.usd.  These directories had a number of files (13 altogether), some of
them hidden.  Files named linsniffer, sense, logclear and others.  One
file contained my roadrunner password in the clear - several times.

Most of the files are owned by root, but some by 834.  All are dated April
22 or April 23.  One of the files says "This program is useful for sorting
the output of linsniffer."  I did a search on linsniffer on google and
yes, it's a hacker's program.

I tried to rename the directories, but I can't.  I hesitate to delete them
without knowing what I am up against.  Any suggestions?  Other than change
my road runner password.  Can I learn anything from these programs?  Do I
have to reload the whole system?

bruce

-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi

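Added example, not part of the thread above and not from any of the posters: a short POSIX shell script that repeats the checks Bruce describes in scriptable form, run first against a constructed sample tree so the output can be compared with what a real host returns. It assumes GNU find, mktemp and, for the immutable-flag check, the lsattr tool from e2fsprogs; a directory that even root cannot rename or delete is often one with the immutable attribute (chattr +i) set, which lsattr shows as an 'i' in its attribute field. The .puta/.usd layout and the file names inside it are empty placeholders mirroring the post, and the script never writes outside its own temp directory.

```shell
#!/bin/sh
# Added example (not from the list thread). Three read-only checks:
#  1. files whose uid/gid maps to no account in /etc/passwd or /etc/group
#     (the "find / -nouser -o -nogroup" check from the post; a numeric
#     owner such as 834 in ls output is this condition)
#  2. hidden directories (basename starting with '.') under a tree such
#     as /usr/src, where ".puta"-style drops sit
#  3. the immutable attribute, one common reason root cannot rename or
#     remove a directory -- assumption: Linux with e2fsprogs' lsattr

find_unowned() {
    # Stay on one filesystem (-xdev) so /proc and NFS mounts are skipped.
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}

find_hidden_dirs() {
    # Directories whose name starts with '.', excluding the root itself.
    find "$1" -xdev -mindepth 1 -type d -name '.*' -print 2>/dev/null
}

is_immutable() {
    # Exit 0 if the immutable flag is set on "$1"; 2 if lsattr is absent.
    # lsattr prints e.g. "----i---------e------- /path"; only the flag
    # field is inspected, and an unsupported filesystem counts as "no".
    command -v lsattr >/dev/null 2>&1 || return 2
    lsattr -d -- "$1" 2>/dev/null | awk '{print $1}' | grep -q 'i'
}

make_sample_tree() {
    # Constructed sample layout mimicking the post, in a fresh temp dir.
    # Every file is an empty placeholder; nothing here is real tool code.
    d=$(mktemp -d)
    mkdir -p "$d/linux/include" "$d/.puta" "$d/.usd/.hidden"
    : > "$d/linux/Makefile"
    : > "$d/.puta/linsniffer"
    : > "$d/.puta/sense"
    : > "$d/.usd/.hidden/logclear"
    printf '%s\n' "$d"
}

audit_tree() {
    root=$1
    echo "== unowned files under $root =="
    find_unowned "$root"
    echo "== hidden directories under $root =="
    find_hidden_dirs "$root" | while IFS= read -r p; do
        if is_immutable "$p"; then
            echo "$p  [immutable: chattr +i set]"
        else
            echo "$p"
        fi
    done
}

# Demo on the constructed tree. On a real host use e.g. audit_tree /usr/src
# and find_unowned / instead.
sample=$(make_sample_tree)
audit_tree "$sample"
rm -rf "$sample"
```

The constructed run lists .puta, .usd and .usd/.hidden and nothing under linux/. On the affected box the same functions are only as trustworthy as the find, ls, awk and lsattr binaries they call, which a rootkit commonly replaces, so run them from a known-good rescue medium or a statically linked toolset rather than from the suspect system's own /usr/bin.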