Hi,
I have a cable modem connection to Internet. My system is running RedHat 6.0. I have a 
home LAN setup so my linux gateway to the internet is configured as a masquerading 
gateway and also running as a web server and DNS (Primary and Caching only) server. 
I'm still working on the firewall (ipchains) but there is nothing in my 
/etc/inetd.conf.

After the compromise here is what happened:

1. The log tells me a user called "chaos" entered my system from some ISP in primus.ca.

May  6 10:57:30 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
May  6 11:21:05 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
May  6 11:28:30 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
May  6 11:32:07 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca

May  6 10:57:30 gator PAM_pwdb[4662]: (login) session opened for user chaos by (uid=0)
May  6 10:57:38 gator PAM_pwdb[4675]: (su) session opened for user own by chaos(uid=5001)
May  6 11:21:05 gator PAM_pwdb[4721]: (login) session opened for user chaos by (uid=0)
May  6 11:21:07 gator PAM_pwdb[4733]: (su) session opened for user own by chaos(uid=5001)

2. The following telnetd line was added to /etc/inetd.conf:
telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd

3. The following accounts got added at the end of /etc/passwd:

own:x:0:0::/root:/bin/bash
adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash
chaos:x:5001:5001::/home/chaos:/bin/bash

4. When I looked at the /home/chaos directory, I saw the following files:
-rwxrwxr-x   1 #chaos   #chaos      13672 May  6 15:21 m
-rw-rw-r--   1 root     root         1149 May  6 15:07 milk.c
-rwxrwxr-x   1 root     root        15818 May  6 15:13 s
-rw-rw-r--   1 root     root         6793 May  6 15:07 stream.c

5. When I look at .bash_history for the chaos user, I see:
su own
gcc -o m milk.c
./m 129.142.82.11 6000
su own
su own
./m
./m 24.114.4.13 7000

Now, my cable modem ISP (Mediaone) has warned me that they have received complaints 
about port scanning from my system and they will disable the service if this happens 
again!! 

Steps I've taken so far:

1. Upgraded bind to named 8.2.2-P5
2. Changed root passwords
3. Removed all the accounts that the intruder created, and again there is nothing in 
/etc/inetd.conf
4. Sent email to the originating ISP to take actions about the abuse.

I still can't figure out how the intruder entered my system. Please advise me on 
what to do to make sure my system is secure.

Thanks in advance.
--Nehali

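Two of the artifacts in the post (a second uid-0 account in /etc/passwd and a telnet entry re-enabled in /etc/inetd.conf) and the "(su) session opened for user own" log lines are easy to check for mechanically. The script below is an added example, not code from the original post; its sample data reproduces the entries quoted above, and the `allowed_uid0` list is an assumption about which accounts may legitimately hold uid 0 on a given host.

```python
import re

# Constructed sample data: the /etc/passwd tail, the inetd.conf line and one
# PAM su line quoted in the post, plus ordinary entries for contrast.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
own:x:0:0::/root:/bin/bash
adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash
chaos:x:5001:5001::/home/chaos:/bin/bash
"""
SAMPLE_INETD = """#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
"""
SAMPLE_LOG = """May  6 10:57:30 gator PAM_pwdb[4662]: (login) session opened for user chaos by (uid=0)
May  6 10:57:38 gator PAM_pwdb[4675]: (su) session opened for user own by chaos(uid=5001)
"""
SU_RE = re.compile(r"\(su\) session opened for user (\S+) by (\S+)\(uid=(\d+)\)")

def parse_passwd(text):
    """Map account name -> (uid, home, shell) for every well-formed 7-field entry."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            accounts[fields[0]] = (int(fields[2]), fields[5], fields[6])
    return accounts

def suspicious_accounts(text, allowed_uid0=("root",)):
    """(name, reason) for uid-0 accounts outside the allow-list or homed in /tmp."""
    findings = []
    for name, (uid, home, _shell) in parse_passwd(text).items():
        if uid == 0 and name not in allowed_uid0:
            findings.append((name, "uid 0 but not in uid-0 allow-list"))
        if home == "/tmp" or home.startswith("/tmp/"):
            findings.append((name, "home directory under /tmp"))
    return findings

def enabled_inetd_services(text):
    """Service names inetd would actually start: uncommented, non-empty lines."""
    return [ln.split()[0] for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def su_into_uid0(log_text, passwd_text):
    """(target, source) pairs for su sessions whose target account has uid 0."""
    accounts = parse_passwd(passwd_text)
    hits = []
    for m in SU_RE.finditer(log_text):
        target, source, _uid = m.groups()
        if accounts.get(target, (None,))[0] == 0:
            hits.append((target, source))
    return hits
```

Run the three functions over the real /etc/passwd, /etc/inetd.conf and /var/log/messages of the rebuilt host; the same checks also flag the "own" account from a cron job long before an ISP abuse complaint arrives.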