Andrew,

The solution I use is to assume the worst.  Your system has been totally compromised 
as has every system that trusts it.  (Do you use rlogin, rsh or do you have ssh keys 
lying around on that system?)

The first thing you need to do is to grab a complete image of the disk(s) to tape for 
use in legal proceedings.  Copy every log file from every system you've got and call 
your ISP for help on that end.  You may want to investigate your legal options as well.

My SOP is to completely format every partition, and check for partitions that were 
added, by the way!  Next, I would change every password on every system connected to 
it.  Finally, I would call in a security expert to look at what happened and make 
suggestions on what to do next.

I wouldn't do partial fixes for a major security breach.  Leaving user stuff may leave 
a hacker's back-door in place!

-Paul

>>> "Brian T. Schellenberger" <[EMAIL PROTECTED]> 04/23/00 10:26PM >>>

The easiest & fastest way to fix it is to re-install the O/S (not an
upgrade, an install).  This might not be a big deal if you have /home
and /usr/local on separate partitions and you've not customized
elsewhere much and/or if you keep frequent backups, or it might be a big
deal.

Nothing short of re-installing and restoring from backup is really safe,
though.

For preventing this in the future, what sort of internet hookup do you
have?  What sort of firewall setup?  What sort of security level are you
running?  What version of Mandrake?


Andrew Vogel wrote:
> 
> I woke up this morning to find this email in my system:
> 
> Subject: *** Diff Check, Thu Apr 20 00:02:50 EDT 2000 ***
> Security Warning: Change in Suid Root files found :
>                 - Added suid root files : /bin/mount
>                 - Added suid root files : /bin/ping
>                 - Added suid root files : /bin/su
>                 - Added suid root files : /bin/umount
>                 - Added suid root files : /sbin/dump
>                 - Added suid root files : /sbin/pwdb_chkpwd
>                 - Added suid root files : /sbin/restore
>                 - Added suid root files : /usr/X11R6/bin/Xwrapper
>                 - Added suid root files : /usr/bin/at
>                 - Added suid root files : /usr/bin/chage
>                 - Added suid root files : /usr/bin/chfn
>                 - Added suid root files : /usr/bin/chsh
>                 - Added suid root files : /usr/bin/crontab
>                 - Added suid root files : /usr/bin/dos
>                 - Added suid root files : /usr/bin/gpasswd
>                 - Added suid root files : /usr/bin/lpq
>                 - Added suid root files : /usr/bin/lpr
>                 - Added suid root files : /usr/bin/lprm
>                 - Added suid root files : /usr/bin/newgrp
>                 - Added suid root files : /usr/bin/passwd
>                 - Added suid root files : /usr/bin/procmail
>                 - Added suid root files : /usr/bin/rcp
>                 - Added suid root files : /usr/bin/rlogin
>                 - Added suid root files : /usr/bin/rsh
>                 - Added suid root files : /usr/bin/sperl5.6.0
>                 - Added suid root files : /usr/bin/suidperl
>                 - Added suid root files : /usr/bin/urpmi
>                 - Added suid root files : /usr/lib/telnetd/login
>                 - Added suid root files : /usr/libexec/pt_chown
>                 - Added suid root files : /usr/sbin/sendmail
>                 - Added suid root files : /usr/sbin/traceroute
>                 - Added suid root files : /usr/sbin/userhelper
>                 - Added suid root files : /usr/sbin/usernetctl
> 
> Security Warning: Changes in Suid Group files found :
>                 - Added suid group files : /usr/sbin/sendmail
> 
> Security Warning: Change in World Writeable Files found :
>                 - Removed writables files : /tmp/fileUcAjVM
> 
> Security Warning: the md5 checksum for one of your SUID files has changed,
>         maybe an intruder modified one of these suid binary in order to put in a
> backdoor...
>                 - Checksum changed files : /usr/bin/suidperl
> 
> Security Warning: There is modifications for port listening on your machine :
>                 -  Opened ports : tcp        0      0 *:6000                  *:*
> LISTEN      658/X
>                 -  Opened ports : tcp        0      0 *:1024                  *:*
> LISTEN      651/kdm
>                 -  Opened ports : tcp        0      0 *:10000                 *:*
> LISTEN      586/perl
>                 -  Opened ports : tcp        0      0 *:www                   *:*
> LISTEN      520/httpd
>                 -  Opened ports : udp        0      0 *:xdmcp                 *:*
> 651/kdm
>                 -  Opened ports : udp        0      0 *:10000                 *:*
> 586/perl
>                 - Closed ports  : tcp        0      0 *:www                   *:*
> LISTEN      3244/httpd
>                 - Closed ports  : tcp        0      0 *:10000                 *:*
> LISTEN      1996/perl
>                 - Closed ports  : tcp        0      0 *:6000                  *:*
> LISTEN      660/X
>                 - Closed ports  : tcp        0      0 *:1024                  *:*
> LISTEN      653/kdm
>                 - Closed ports  : udp        0      0 *:10000                 *:*
> 1996/perl
>                 - Closed ports  : udp        0      0 *:xdmcp                 *:*
> 653/kdm
> 
> ...I've been hacked! The questions, now, are: 1. How do I fix this? and 2. How
> do I prevent it from happening again?
> 
> ===========================================================================
> Andrew Vogel: Program Manager at the University of Cincinnati College of
> Pharmacy. Actor, director, dog (JRT) lover, Miata owner, & much, much more!
> My homepage: "http://www.drewvogel.com".         Play I-War, FF7PC, & BC3K!
> Official BC3K Tester.  Linux!                 "The only way OUT is THROUGH."
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> dug: you da man! you da man!                "Drew Vogel is its own reward."
> ric: isn't "the man" the guy who's always bringing everyone down?
> dug: nope! 'cause YOU da man!!                  Email: [EMAIL PROTECTED] 
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-- 
"Brian, the man from babble-on"              [EMAIL PROTECTED] 
Brian T. Schellenberger                      http://www.babbleon.org 
Support http://www.eff.org.                  Support decss defendants.
Support http://www.programming-freedom.org.  Boycott amazon.com.

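The report Andrew quotes is the output of a periodic diff check: a baseline of setuid-root files, world-writable files and listening sockets is recorded, and the next run prints whatever was added, removed or changed. The script below is an added example written for this thread to show that technique; it is not the Mandrake msec check that produced the report, nor anything either poster ran. The directories it walks, the baseline file name and the netstat-style sample lines are assumptions or constructed for the example. Two points worth keeping in mind alongside Paul's "assume the worst" advice: a baseline taken on a host that is already compromised records the intruder's changes as normal, and a baseline stored on the same host can be rewritten by whoever has root, so a copy should live off the machine.

```python
#!/usr/bin/env python3
"""Added example: a minimal SUID / world-writable / listening-socket diff check.

Not the msec script from the thread; an illustration of the same idea.
The scanned directories, baseline path and sample netstat lines are assumptions.
"""
import hashlib
import json
import os
import re
import stat
import sys

# Directories to scan for setuid-root and world-writable files (assumed list).
SCAN_ROOTS = ["/bin", "/sbin", "/usr/bin", "/usr/sbin"]
# Where the previous snapshot is kept (assumed; keep a copy off-host too).
DEFAULT_BASELINE = "suidcheck-baseline.json"


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_files(roots):
    """Record every regular file that is setuid-root (with its digest) or
    world-writable under the given directories."""
    suid_root, world_writable = {}, []
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue
                if st.st_mode & stat.S_ISUID and st.st_uid == 0:
                    try:
                        suid_root[path] = file_digest(path)
                    except OSError:
                        suid_root[path] = None  # unreadable: still record it
                if st.st_mode & stat.S_IWOTH:
                    world_writable.append(path)
    return {"suid_root": suid_root, "world_writable": sorted(world_writable)}


def diff_files(old, new):
    """Report added/removed setuid-root files, digest changes and
    world-writable changes between two snapshots."""
    o, n = old["suid_root"], new["suid_root"]
    o_ww, n_ww = set(old["world_writable"]), set(new["world_writable"])
    return {
        "added_suid_root": sorted(set(n) - set(o)),
        "removed_suid_root": sorted(set(o) - set(n)),
        "checksum_changed": sorted(p for p in set(o) & set(n) if o[p] != n[p]),
        "added_world_writable": sorted(n_ww - o_ww),
        "removed_world_writable": sorted(o_ww - n_ww),
    }


# Matches `netstat -tulpn`-style lines: proto, queues, local, remote, [LISTEN], pid/program.
NETSTAT_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\S*\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<pid>\d+|-)/?(?P<prog>\S*)"
)


def parse_listeners(netstat_output):
    """Map (proto, local address) -> program name. Keying on the socket rather
    than the PID keeps a reboot (new PIDs, same daemons) from looking like a change."""
    listeners = {}
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line.strip())
        if m:
            listeners[(m.group("proto"), m.group("local"))] = m.group("prog") or "?"
    return listeners


def diff_listeners(old, new):
    """Report sockets opened, closed, or now owned by a different program."""
    return {
        "opened": sorted(k for k in new if k not in old),
        "closed": sorted(k for k in old if k not in new),
        "program_changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


# Constructed sample netstat output, modelled on the report format in the thread.
SAMPLE_OLD_NETSTAT = """\
tcp        0      0 *:www                   *:*                     LISTEN      3244/httpd
tcp        0      0 *:6000                  *:*                     LISTEN      660/X
udp        0      0 *:xdmcp                 *:*                                 653/kdm"""
SAMPLE_NEW_NETSTAT = """\
tcp        0      0 *:www                   *:*                     LISTEN      520/httpd
tcp        0      0 *:6000                  *:*                     LISTEN      658/X
tcp        0      0 *:10000                 *:*                     LISTEN      586/perl
udp        0      0 *:xdmcp                 *:*                                 651/kdm
udp        0      0 *:10000                 *:*                                 586/perl"""


def main(argv):
    baseline_path = argv[1] if len(argv) > 1 else DEFAULT_BASELINE
    current = snapshot_files(SCAN_ROOTS)
    if os.path.exists(baseline_path):
        with open(baseline_path) as f:
            previous = json.load(f)
        for key, paths in diff_files(previous, current).items():
            for p in paths:
                print(f"{key}: {p}")
    with open(baseline_path, "w") as f:
        json.dump(current, f, indent=1)


if __name__ == "__main__":
    main(sys.argv)
```

Run it once to write the baseline, then from cron; the listener half takes saved `netstat -tulpn` output, and on the constructed sample it reports only the two new port 10000 sockets, ignoring the PID changes from a reboot.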