I think our Linux machine was hacked. I checked the message log, and
found a mysterious RPC connection from 210.114.231.130, after that
all the telnet failed. We then saw a strange amd version in the reboot
message log and syslogd also could not start.

It seems that somebody changed the amd so that the date and time of
the changed binary keep the same as before. Then the hacker replaced
a lot of binary codes in my machine, including ps, in.telnetd and ls. I compared
the binary code size of these binary codes and found this.

Now we have to recover the binary code with clean copies from
another machine having the same RH 6.0, and telnet works now. I also telneted
to 210.114.231.130. Surprisingly, it gave me a prompt like 'Wingate>', after
I entered some host name, it then tried to connect me to that machine.
It seems that it can masquerade the hacker behind. Where is 210.114.231.130?

Does anyone have suggestions or comments? I still don't know how this guy
first got access into our system. We have strict account administration. Where can
I find more about Linux security? Thanks in advance.

Shu


Kev wrote:

> > All my message logs are empty i.e messages, messages 1 - 4, secure and
> > boot logs. Why is this, they are normally full?
> >
> > Also if I try to telnet in and I should not be able to I get the
> > message: ( I turned it off)
> >
> > Red Hat Linux release 5.1 (Manhattan)
> > Kernel 2.0.34 on an i586
> > telnetd: /bin/ttysnoops: No such file or directory
> >
> > I'm sure that when I turned off the telnet facility and later checked
> > telnet hung as there was no active port for this. (that was correct)
> >
> > Also the file securetty has disappeared.(oh dear what's going on here)
>
> securetty doesn't disappear on its own; I'd say it's highly probable that
> you have had a cracker visit.  You might want to investigate and try to
> figure out where they got in from; chances are it was cracked too, and the
> owners might appreciate having a note about it.  As for recovery, you'll
> probably have to re-install; it's the only way to be sure.
> --
> Kevin L. Mitchell <[EMAIL PROTECTED]>

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
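Shu's comparison of binary sizes is the right instinct, but a file can be replaced with one of identical size and its timestamp put back, as the thread describes. The following added example (not part of the original thread) shows the defender-side check that catches this: fingerprint each file with a SHA-256 digest plus size, mtime and mode, store that as a baseline, and later diff a fresh snapshot against it. The sample "binaries" are constructed in a temporary directory for the demonstration; the script assumes only a standard Python 3 installation.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_fingerprint(path):
    """Return content hash plus the metadata an attacker is likely to preserve."""
    p = Path(path)
    st = p.stat()
    h = hashlib.sha256()
    with open(p, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "mode": stat.S_IMODE(st.st_mode),
    }


def build_baseline(paths):
    """Fingerprint a list of files; run this from known-clean media and store the result offline."""
    return {str(p): file_fingerprint(p) for p in paths}


def compare(baseline, current):
    """Diff a current snapshot against the baseline and explain each mismatch."""
    findings = []
    for path, base in baseline.items():
        cur = current.get(path)
        if cur is None:
            findings.append((path, "missing"))
            continue
        if cur["sha256"] != base["sha256"]:
            reason = "content changed"
            # A preserved mtime or an unchanged size is exactly what ls -l would not reveal.
            if cur["mtime"] == base["mtime"]:
                reason += ", mtime preserved"
            if cur["size"] == base["size"]:
                reason += ", size unchanged"
            findings.append((path, reason))
        elif cur["mode"] != base["mode"]:
            findings.append((path, "permissions changed"))
    for path in current:
        if path not in baseline:
            findings.append((path, "new file"))
    return findings


def demo():
    """Constructed scenario: a same-size replacement with restored mtime, plus a deleted file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for system files; contents are placeholders, not real binaries.
        files = {
            "ps": b"ORIGINAL ps binary\n",
            "ls": b"ORIGINAL ls binary\n",
            "securetty": b"tty1\ntty2\n",
        }
        for name, data in files.items():
            (root / name).write_bytes(data)
        paths = [root / n for n in files]
        baseline = build_baseline(paths)

        # Simulate what the thread describes: replace ps with a payload of the
        # same length and put the original timestamps back, then remove securetty.
        target = root / "ps"
        before = target.stat()
        target.write_bytes(b"TROJANED ps binary\n")  # same 19-byte length
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        (root / "securetty").unlink()

        current = {str(p): file_fingerprint(p) for p in paths if p.exists()}
        # Report by basename so the result does not depend on the temp directory name.
        return [(os.path.basename(p), reason) for p, reason in compare(baseline, current)]


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

The baseline only has value if it is taken from a trusted state (fresh install or a clean sibling machine, as Shu did) and kept where a root-level intruder cannot rewrite it, for example on read-only media; a size and timestamp check alone, as the thread shows, is defeated by a careful replacement.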
