"Dzuy M. Nguyen" wrote:
>
> Yeah, I checked the /var/log and they did delete the log files.
>
> I started noticing the computer making a lot of noises, thought it was
> a bad fan. It got worse and worse. I didn't think anything of it. Then I
> couldn't get access to it via telnet, so I tried to get on locally. I
> had the XFree86 logon screen going, and I noticed new users that I'd
> never seen before, i.e. user names "dead", "a", "x", "z".
>
> I did some prying around, and found that the person who cracked my machine
> had made these "root" users. Anyways, that's what happened.
It's probably best that you rebuild the machine since it may be impossible to find everything that has been done to it.

I would suggest installing Tripwire on the newly installed machine - and do it immediately after installation. Tripwire is a tool that performs checksums on the files on the system so changes can be easily detected.

Make sure you are running the absolute minimum of services that you require. If a service is not active, security problems with that service should not affect you. Use secure alternatives to services, for example: install and use ssh instead of telnet (disable telnet). Set up your tcpwrappers conf files (hosts.allow and hosts.deny) to restrict the use of active services. Use ipchains / ipfwadm / linux-2.4 equiv (ipnatctl?) to further restrict access.

Make sure you know exactly what services you have installed and follow the security alerts. The Linux Weekly News (http://lwn.net/) weekly security section is a good place to start. It also has links to other security related sites. Debian announces security alerts and fixes for Debian GNU/Linux on its web page (http://www.debian.org).

This is just a rough guide, but should be a good start. Also, look on the LDP (http://www.linuxdoc.org) for security related documentation.

Matthew
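Two of the checks Matthew recommends, as an added example that is not code from the original thread: a Tripwire-style checksum baseline over a directory tree, and an audit of a passwd-format file for extra UID-0 accounts like the "dead", "a", "x" and "z" users Dzuy found. It assumes GNU coreutils (sha256sum, mktemp) and awk; all sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the original thread. Two defensive checks for a
# freshly rebuilt box: a Tripwire-style checksum baseline and an audit of a
# passwd-format file for UID-0 accounts other than root.
# Assumes GNU coreutils (sha256sum, mktemp) and awk.

# make_baseline DIR OUT: record the SHA-256 of every regular file under DIR.
# OUT must be an absolute path outside DIR (ideally on read-only media), so
# the baseline is not part of what it checks.
make_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum ) > "$2"
}

# changed_files DIR BASELINE: print the path of every file whose checksum no
# longer matches the baseline, or which has gone missing, one per line.
changed_files() {
    ( cd "$1" && sha256sum --check --quiet "$2" 2>/dev/null ) \
        | sed -n 's/: FAILED.*$//p'
}

# check_baseline DIR BASELINE: return 0 if nothing changed, 1 otherwise.
check_baseline() {
    [ -z "$(changed_files "$1" "$2")" ]
}

# extra_uid0_accounts FILE: print names of UID-0 accounts other than root
# (the root-equivalent users the intruder added would show up here).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Demo on constructed data in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tmp/etc/passwd"
    printf 'ALL: ALL\n' > "$tmp/etc/hosts.deny"
    make_baseline "$tmp" "$tmp.baseline"
    check_baseline "$tmp" "$tmp.baseline" && echo "baseline OK"
    # Simulate what happened to Dzuy's box: a second root-equivalent account.
    printf 'dead:x:0:0::/:/bin/sh\n' >> "$tmp/etc/passwd"
    echo "changed: $(changed_files "$tmp" "$tmp.baseline")"         # ./etc/passwd
    echo "extra UID-0: $(extra_uid0_accounts "$tmp/etc/passwd")"   # dead
    rm -rf "$tmp" "$tmp.baseline"
}

demo
```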

