[97921] in RedHat Linux List
assistance to track a break in
daemon@ATHENA.MIT.EDU (Pete)
Thu Nov 5 19:57:59 1998
From: "Pete" <plaven@idl.net.au>
To: redhat-list@redhat.com
Date: Fri, 6 Nov 1998 11:58:48 +1100
Reply-to: plaven@idl.net.au
Resent-From: redhat-list@redhat.com
Hi everyone,
Well I've learnt a pretty good lesson in the last few days.. trust no
one.
I have set up my linux box for ip-masq and wasn't too concerned
with security. I figured that there were bigger targets to keep
these people busy. It turns out that this isn't the case. At least as
far as I can figure.
Here's what I have found so far:
1. My /var/log/messages file stops at the 4th of November with this
line:
Nov 4 23:39:37 piglet rz[12656]: clean/ZMODEM: 145 Bytes, 44 BPS
I had run tail -f on this log file and it had been running fine until the
5th.. it was only because I wasn't careful that I hit ^C that stopped
it. Running the commandline again showed me this anomaly.
I would say that someone has broken in and has now sent a file to
the system of this size, yet trying to find it has proven fruitless.
2. who no longer shows me any external logins ie when I telnet
from the win95 box it doesn't show up.
3. /var/log/messages hasn't been written to since that last line,
hence I suspect that syslogd isn't running, but shows up in the ps
aux.
4. my login prompt has changed, and I hadn't changed it.
I'm sure there are a number of things here that have been touched or
changed; the dates seem to be set ok, i.e. nothing looks unusual
about them.
Obviously this person would now have root access, but if they are
smart they will have created another user as a backup no? I guess
searching the passwd file for any account with root access would
be the next thing to check.
Also, how would I be sure that once checked and rectified
everything that the infiltrator is gone for good? I could just re-install
everything and be done with it, this time setting up much tighter
security, but then I wouldn't learn anything from this.
Any and all assistance is appreciated, please respond to my email
address too as it will be read quicker.
Pete
In a world without fences, who needs Gates?
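The passwd check Pete proposes (looking for any account other than root that has root access) is easy to script. The following is an added example, not part of the original post: it uses awk on a passwd-format file to list extra UID 0 accounts, accounts with an empty password field, and UIDs shared by more than one account. The sample passwd file is constructed for the example; on a real host the functions would be pointed at /etc/passwd instead.

```shell
#!/bin/sh
# Added triage helper (not from the original post): scan a passwd-format file
# for the signs a "backup" root account would leave behind.

# Usernames with UID 0 other than "root", one per line.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Usernames whose password field is empty (login without a password).
# On a shadowed system the field is "x" and /etc/shadow needs the same check.
nopasswd_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# UIDs that are shared by more than one account, as "uid: name name ...".
duplicate_uids() {
    awk -F: '{ n[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print u ":" names[u] }' "$1"
}

# Constructed sample: "backdoor" shares UID 0 with root, "guest" has no password.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
pete:x:500:500:Pete:/home/pete:/bin/bash
backdoor:x:0:0::/tmp:/bin/sh
guest::501:501::/home/guest:/bin/sh
EOF

# Usage: replace "$SAMPLE" with /etc/passwd to check a real host.
echo "UID 0 accounts besides root:";      uid0_accounts "$SAMPLE"
echo "Accounts with empty password field:"; nopasswd_accounts "$SAMPLE"
echo "Duplicate UIDs:";                    duplicate_uids "$SAMPLE"
```

Run it against /etc/passwd and /etc/shadow from a trusted boot medium rather than the suspect system, since a modified awk or cat on the compromised box cannot be trusted to report honestly.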
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com http://archive.redhat.com
To unsubscribe: mail redhat-list-request@redhat.com with
"unsubscribe" as the Subject.