On 30 May 2003, at 6:29pm, [EMAIL PROTECTED] wrote:
> I did that and found in /var/log/secure:
> 
> Accepted password from news from 212.66.37.242 port 3112 ssh2

  Urk.  Yeah, unless you're in the habit of shelling in as user account
"news" from Austria, that is a pretty sure sign you've been compromised.

  At this point, best practice for speedy recovery is:
  1. Immediately shut down the system
  2. Remove disks
  3. Install disks as "secondary disks" in another, known-good system
  4. Copy any important data off (or copy everything, if you want to
     do forensic analysis later)
  5. Wipe disks clean
  6. Put disks back in original system
  7. Re-install from scratch
  8. After checking files from step #4 above for evidence of tampering,
     copy them back to the system.

  Good luck!

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |

_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
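The indicator Ben points at above, a password login accepted for a system account such as "news" from an outside address, turned into a small check that can be run over /var/log/secure. This is an added example, not code from the thread or from any project it mentions: the service-account list and the trusted networks are assumptions you would replace with your own, and the log lines are constructed (the second one reproduces the login quoted in the thread, written the way OpenSSH logs it, with "for" rather than "from" before the user name).

```python
import ipaddress
import re

# Constructed sample input in the format sshd writes to /var/log/secure.
# The second line reproduces the login quoted in the thread; the others
# are made up for contrast.
SAMPLE_LOG = """\
May 30 17:02:11 host sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
May 30 17:40:03 host sshd[2290]: Accepted password for news from 212.66.37.242 port 3112 ssh2
May 30 18:01:45 host sshd[2311]: Failed password for root from 10.0.0.9 port 40011 ssh2
May 30 18:10:20 host sshd[2340]: Accepted password for bob from 203.0.113.7 port 41022 ssh2
"""

# Assumed list: accounts that exist only to own files or run daemons and
# should never authenticate over ssh. On a real host build it from
# /etc/passwd (every account with a nologin/false shell, plus any uid
# below the distribution's regular-user threshold).
SERVICE_ACCOUNTS = frozenset({
    "news", "nobody", "daemon", "bin", "sys", "lp", "mail",
    "uucp", "games", "ftp", "adm", "operator",
})

# Assumed: networks from which interactive logins are expected.
TRUSTED_NETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
)

# Matches the "Accepted <method> for <user> from <ip> port <n>" record.
# "from <user>" is accepted too, since that is how the line appears in
# the thread's quoted text.
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) (?:for|from) (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_accepted_logins(log_text):
    """Yield one dict per successful-login record in the log text."""
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue  # failures, disconnects, etc. are not of interest here
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        yield rec


def is_trusted_source(ip_text, trusted_nets=TRUSTED_NETS):
    """True if the client address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable source address: treat as untrusted
    return any(addr in net for net in trusted_nets)


def find_suspicious_logins(log_text,
                           service_accounts=SERVICE_ACCOUNTS,
                           trusted_nets=TRUSTED_NETS):
    """Return accepted logins that match at least one compromise indicator.

    Indicators (each recorded in the returned 'reasons' list):
      service-account   a daemon/file-owner account authenticated over ssh
      untrusted-source  the client address is outside the trusted networks
    """
    findings = []
    for rec in parse_accepted_logins(log_text):
        reasons = []
        if rec["user"] in service_accounts:
            reasons.append("service-account")
        if not is_trusted_source(rec["ip"], trusted_nets):
            reasons.append("untrusted-source")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_LOG):
        print(f"{f['user']}@{f['ip']}:{f['port']} via {f['method']}: "
              + ", ".join(f["reasons"]))
```

Run against the sample, the "news" login is flagged on both counts, while "bob" from 203.0.113.7 is flagged only for coming from outside the trusted networks; the service-account hit is the stronger signal, since there is no legitimate reason for such an account to have a working password at all. Feed the real file in with `find_suspicious_logins(open("/var/log/secure").read())`, and remember that on a box you already suspect, the log may itself have been edited, so this is a first look, not a clean bill of health.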
