Complete.Org: Mailing Lists: Archives: linux-help: May 2001:
[linux-help] Re: Security Issues
To: <linux-help@xxxxxxxxx>
Subject: [linux-help] Re: Security Issues
From: "Dale W Hodge" <dwh@xxxxxxxxxxxxxxxx>
Date: Sat, 5 May 2001 09:31:53 -0500
Reply-to: linux-help@xxxxxxxxx

> -----Original Message-----
> From: linux-help-bounce@xxxxxxxxx [mailto:linux-help-bounce@xxxxxxxxx] On
> Behalf Of John Alexander
> Sent: Friday, May 04, 2001 1:30 PM
> To: Linux-Help
> Subject: [linux-help] Security Issues
>
>
> I just received an interesting piece of e-Mail from one of the sysadmins at
> my DSL provider, telling me that somebody has hijacked one of my machines. I
> have identified the processes that they were using to run a port scan
> against other networks, and have identified the userid affiliated with the
> files used to drop the payload onto my machine. I am not able to find that
> userid listed in either the passwd, shadow, or groups file. This being the
> case, where should I look now? The group assigned to the files is 'wheel',
> so I was wondering if I could just cut that out of the group file?

This sounds suspiciously like someone has dropped a root kit on you.  If that's
the case, then there are likely a number of compromised programs on your
machine, and you won't be able to tell by the logs that anything has happened.
The advice that I have always seen given in these cases is to wipe your drives
and reinstall.  Then make sure you have all the latest security patches applied
when you rebuild it.

Alternately, you can reinstall the base packages and go on safari for whatever
else may have been compromised.  Either way, it's not going to be much fun.

--dwh

---
Dale W Hodge - dwh@xxxxxxxxxxxxxxxx
Secretary & Website Maintainer - info@xxxxxxxxx
Air Capital Linux User's Group  (ACLUG)
---
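An added example, not part of the thread above: a small POSIX shell check for the symptom John describes, files whose owning uid has no passwd entry. The passwd file and the ownership listing are constructed sample data (in the shape `stat -c '%u %g %n'` prints) so the script runs offline; uid 1031 and the `/usr/lib/.x/` paths are made up for the illustration.

```shell
#!/bin/sh
# Constructed sample passwd file (no entry for uid 1031).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
john:x:500:500:John Alexander:/home/john:/bin/bash'

# Constructed listing: "uid gid path". gid 10 is wheel, which is a
# legitimate group; the interesting field is the owner uid.
SAMPLE_LISTING='0 0 /usr/sbin/sshd
500 500 /home/john/.bashrc
1031 10 /usr/lib/.x/scan
1031 10 /usr/lib/.x/payload.tgz
0 10 /etc/sudoers'

# orphaned_owners PASSWD_TEXT LISTING_TEXT
# Prints "uid path" for every listing entry whose uid is absent from passwd.
# The live-system equivalent is `find / -xdev -nouser`; on a suspected
# rootkit the installed find/ls/awk may themselves be trojaned, so run the
# check from known-good media rather than from the compromised install.
# (Paths containing spaces are not handled; the sample has none.)
orphaned_owners() {
    pw=$(mktemp) || return 1
    printf '%s\n' "$1" > "$pw"
    printf '%s\n' "$2" | awk -v pwfile="$pw" '
        BEGIN {
            # Collect every uid that passwd knows about.
            while ((getline line < pwfile) > 0) {
                split(line, f, ":"); known[f[3]] = 1
            }
        }
        !($1 in known) { print $1, $3 }'
    rm -f "$pw"
}

# orphaned_count PASSWD_TEXT LISTING_TEXT -> number of orphaned files
orphaned_count() {
    orphaned_owners "$1" "$2" | wc -l | tr -d ' '
}

orphaned_owners "$SAMPLE_PASSWD" "$SAMPLE_LISTING"
```

Removing `wheel` from the group file would only change the group shown on the files; it does not explain or remove the unknown owner, which is what the check above surfaces.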

-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi