On 3/25/02 at 9:06 PM, Kory Krofft <[EMAIL PROTECTED]> wrote:

> I am using RH 7.2. I found the problem. I have in fact
> been hacked. I found a process "muhh" running from the
> /var/run directory. I will have to reformat and rebuild
> the game server. I would love to find out what the hacker
> was using my machine for. Any suggestions on how to find
> out? There were several subdirectories and many files. I
> have looked at the logs it used but it doesn't make any
> sense to me.

If you suspect you are hacked, then you should suspect output from all
system binaries, including ps, ls, netstat, ifconfig, and a blizzard
of others.  The best thing to do is to mount a CDROM or other writeonly
medium with statically linked versions of these often compromised
utilities and use those to scan the system for strange behavior.

To provide the best ability for computer forensics, you should do:

dd if=/dev/hda | gzip -c - | nc 10.1.1.1 2525

...(/dev/hda is whatever your hard drive is) and on a remote machine
(10.1.1.1) - presumably with LOTS of space...

nc -l -p 2525 > hda.img.gz

Do ALL hard drives this way, and you then can come back to the data
any time you want.

Also, check your other systems to make sure THEY haven't been
compromised as well.

When reinstalling, get ALL of the Red Hat 7.2 update packages - there
are quite a LOT - almost 650M worth now!  Use the updates to update
your system - use:

rpm -Fvh <xxxx>

where <xxxx> is the package or packages you want to update.  The -Fvh
options mean that only those that are installed will be updated.

Another thing: make sure you don't run anything you don't need: go
through /etc/inetd.conf and remove everything that's unneeded.  Do the
same through the use of ntsysv or chkconfig.  Then reboot.

Hope this helps.
--
David Douthitt
UNIX Systems Administrator
HP-UX, Unixware, Linux
[EMAIL PROTECTED]

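The disk-imaging step described in the reply above (dd piped through gzip to a remote host), as an added example that is not part of the original mail. It adds the check a forensics practitioner wants: a SHA-256 digest of the raw bytes taken before the copy, and a second digest of the decompressed image afterwards, so the image can be shown to be bit-for-bit faithful and the digest file kept alongside it. The source "disk" is a constructed sample file so the script runs offline; the function names, the `SRC`/`OUT` arguments and the `.sha256`/`.dd.log` side files are assumptions of this example, and on a real system SRC would be the device (e.g. /dev/hda) and OUT a file on the remote machine or a pipe into nc as in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail: image a device with dd | gzip
# and verify the copy with SHA-256 digests taken before and after.
set -u

# make_sample_disk FILE BLOCKS
# Constructed stand-in for a block device: BLOCKS random 512-byte sectors.
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=512 count="$2" 2>/dev/null
}

# image_and_verify SRC OUT
# Writes a gzip-compressed image of SRC to OUT, records the digest of the
# original bytes in OUT.sha256 (sha256sum -c format) and dd's messages in
# OUT.dd.log, then prints "ok" if the decompressed image hashes the same
# as the source and "MISMATCH" otherwise.
image_and_verify() {
    src=$1
    out=$2
    # Digest of the original bytes, taken before anything is written.
    before=$(sha256sum < "$src" | cut -d' ' -f1)
    # conv=noerror,sync keeps reading past unreadable sectors (zero-filling
    # them) instead of aborting, which matters on a damaged disk. bs=512
    # matches the sector size, so a whole device is copied without padding;
    # a source that is not a multiple of 512 bytes gets its last block
    # padded, and the digest comparison below will flag that.
    dd if="$src" bs=512 conv=noerror,sync 2>"$out.dd.log" | gzip -c > "$out"
    # Digest of what actually landed in the image, after decompression.
    after=$(gzip -dc "$out" | sha256sum | cut -d' ' -f1)
    printf '%s  %s\n' "$before" "$src" > "$out.sha256"
    if [ "$before" = "$after" ]; then
        echo ok
    else
        echo MISMATCH
    fi
}

# Demo on a constructed 4 KiB "disk" so the example runs without hardware.
demo_dir=$(mktemp -d)
make_sample_disk "$demo_dir/disk.raw" 8
echo "image check: $(image_and_verify "$demo_dir/disk.raw" "$demo_dir/disk.img.gz")"
rm -rf "$demo_dir"
```

Keep the `.sha256` file with the image: `sha256sum -c hda.img.gz.sha256` run against the decompressed image months later shows the copy has not changed since it was taken, and the `.dd.log` records any sectors dd had to skip.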
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
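The "go through /etc/inetd.conf and remove everything that's unneeded" step from the reply above, as an added example that is not part of the original mail: one function lists which services an inetd.conf actually enables (non-comment lines, with the program they launch), and another disables a named service by commenting its line out. The inetd.conf content is a constructed sample so the script runs offline; the function names and the `.tmp` scratch file are assumptions of this example, and on the box itself the file argument would be /etc/inetd.conf.

```shell
#!/bin/sh
# Added example, not from the original mail: audit and trim an inetd.conf.
set -u

# make_sample_inetd FILE
# Writes a constructed inetd.conf with two enabled services and one that
# is already commented out.
make_sample_inetd() {
    cat > "$1" <<'EOF'
# Sample inetd.conf (constructed for this example)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

# enabled_services FILE
# Prints "service program" for every active line. inetd.conf fields are:
# service socktype proto wait user server_program args...
enabled_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1, $6 }' "$1"
}

# disable_service FILE NAME
# Comments out every active line whose service field is NAME, so inetd
# stops listening for it on its next reload.
disable_service() {
    file=$1
    name=$2
    tmp="$file.tmp"
    awk -v svc="$name" '
        !/^[[:space:]]*#/ && $1 == svc { print "#" $0; next }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
make_sample_inetd "$demo_dir/inetd.conf"
echo "enabled before:"; enabled_services "$demo_dir/inetd.conf"
disable_service "$demo_dir/inetd.conf" finger
echo "enabled after:";  enabled_services "$demo_dir/inetd.conf"
rm -rf "$demo_dir"
```

After editing the real file, inetd re-reads it on SIGHUP (`kill -HUP` its pid), so the change takes effect without the reboot the mail mentions; services started at boot rather than by inetd are the ones to check with ntsysv or chkconfig.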
