Dan,

            Thank you so much!  This helped tremendously!  The good news 
is, I've not only found their IP address, traced them back to their ISP 
(BEZEQINT.NET) and found that they did NOT do anything to the 
system!!  (apparently he's been using his telnet account since this past 
weekend... VERY weird... )  I've deleted the account, changed all the 
passwords, and am working on the rest for security.

         I have NO idea how they got in.  I *DO* know that for a "hacker" 
they are not very "good" (knock on wood) because 1) hackers generally don't 
crash a system BEFORE they cover their tracks, and 2) they also generally 
never return to the same place twice unless it is a personal 
vendetta.  This person's ISP was traced back to Israel, and I don't know 
anyone there, and I'm a very small WSP in Upstate NY, so I'm sure I haven't 
gotten on anyone's bad side from there!  LOL  I have the log saved with his 
IPs, and login times and dates for the last couple of days.

         Lastly, you mention using a secure telnet.... At the risk of 
sounding stupid (I never admitted to being a Linux Guru!  LOL), what can I 
do to change the telnet type... I would like to make it more secure... 
Maybe even limit it to certain IPs/domains... (if possible)  If you (or 
anyone) knows anything about this, it would be great to know!  Thanks again 
for everything!

         Fred

At 12:43 AM 11/10/00 +1100, you wrote:
>Hi - I have a couple of quickie bits of advice for you...
>
>1) remove the machine from the network (pull the net / modem cable) so you
>can check exactly what has happened without him / them logging back in and
>screwing stuff up more / covering their tracks. don't bring the machine
>back up till you've done step 2 thoroughly...
>
>2) go to http://www.auscert.org.au/ and check out the "root compromise" or
>something similar (don't have access to a web browser right now - but the
>info is there) documents... there's similar stuff at cert.org - but I know
>of the auscert stuff first hand...
>
>3) to check last logins and stuff type "last" and - well - it may have the
>details there - or the intruder may have deleted the logs that contain the
>login history... or maybe they didn't get that far if they locked the
>server trying stuff out...
>
>4) find out what happened, document it, back up the whole system to a DAT
>if you have a chance, remove the tape and lock it, then wipe the HD and
>set up the server from scratch using the redhat install cds - then
>selectively restore stuff from the DAT that you know you need... it's best
>not trying to clean up after an intrusion as you can't really be sure what
>the intruder has done - if they're really good at what they do and you're
>not super savvy then it's quite probable that it'll look like there's
>nothing wrong whatsoever with the machine... but they'll still be on the
>machine, hacking away! :(
>
>5) if you get a chance to find out who they are then do whatever you can
>to make sure they do it again - ranging from reporting them to the
>authorities and taking any action available to you to make their life as
>unpleasant as possible!
>
>hmm... this all brings back painful memories of server compromise by
>inexperienced script kiddies over a year ago resulting in large loss
>of data and time in recovering when I didn't really know much better
>(and didn't have a backup of the only stuff that happened to get
>wiped!) good luck & I hope there's nothing too critical on there / nothing
>lost....
>
>cheers, dan.
>
>ps. as to how did they get in - lack of errata updates / insecure services
>being run / non-encrypted telnet (always use ssh!) would be three guesses...
>
>On Thu, 9 Nov 2000, Fred Edmister wrote:
>
> >       This morning I awoke to my Linux server not responding, and when
> > I went to the system itself, there were a bunch of PAM *** info lines on
> > the screen for a username I had never seen... I couldn't log in, and had
> > to just power down and do a manual fsck when it came back up... (bear
> > with me, there is a question here)  Once the system came back up (after
> > changing all the passwords of course... )  there was a new user "shlomi"
> > added to the system, and in the home directory was a program directory,
> > and the tar file... (bnc2.6.2         bnc2.6.2.tar.gz)  My questions are
> > 1).  What is this BNC, and should I worry about what this guy may have
> > done to my system (everything seems to work fine, but I don't know if he
> > did something "behind the scenes")   2).  How did this guy get in, and
> > what can I do to avoid these things from happening in the future (I
> > noticed on the screen when I got to the system one of the PAM's was him
> > being su'd.. NOT good)   And Lastly,  where is the log that holds the
> > telnet info so I can check and see EXACTLY what this guy did...  Thank
> > you all in advance for your help!  It is greatly appreciated!
>
>
>
>_______________________________________________
>Redhat-list mailing list
>[EMAIL PROTECTED]
>https://listman.redhat.com/mailman/listinfo/redhat-list
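An added example, not part of either message in this thread, that walks through the checks discussed above: it pulls one account's sessions and source hosts out of `last` output, counts how often that account reached root through su in /var/log/secure (where Red Hat's PAM login and su messages are recorded), and prints the tcp_wrappers rules that limit telnet (and sshd, when built with libwrap) to listed hosts, which is the IP/domain restriction Fred asks about. The account name shlomi comes from the thread; the log lines are constructed samples and the hosts.allow client list is a placeholder.

```shell
# Added example, not from the thread: audit one suspicious account's login
# trail from `last`-style wtmp output and /var/log/secure-style PAM lines,
# then print the tcp_wrappers rules that limit in.telnetd (and sshd, if built
# with libwrap) to trusted hosts. The account name "shlomi" is taken from the
# thread; every log line below is a constructed sample, not real data.

# Constructed sample of `last` output: user, tty, source host, login window.
LAST_SAMPLE='shlomi   pts/1        192.0.2.45       Thu Nov  9 02:13 - 02:40  (00:27)
fred     pts/0        10.0.0.7         Wed Nov  8 21:02 - 22:10  (01:08)
shlomi   pts/2        192.0.2.45       Sun Nov  5 23:51 - 00:30  (00:39)
reboot   system boot  2.2.16-3         Thu Nov  9 08:00          (00:05)'

# Constructed sample of /var/log/secure, where Red Hat's login and su PAM
# messages land (the su line Fred saw on the console is of this kind).
SECURE_SAMPLE='Nov  9 02:13:40 srv PAM_pwdb[1230]: (login) session opened for user shlomi by (uid=0)
Nov  9 02:15:01 srv PAM_pwdb[1234]: (su) session opened for user root by shlomi(uid=501)
Nov  8 21:02:11 srv PAM_pwdb[1101]: (login) session opened for user fred by (uid=0)'

# Number of remote (pts/ttyp) sessions for user $1, reading `last` output on stdin.
session_count() {
  awk -v u="$1" '$1 == u && $2 ~ /^(pts|ttyp)/ { n++ } END { print n + 0 }'
}

# Distinct source hosts user $1 logged in from, reading `last` output on stdin.
login_sources() {
  awk -v u="$1" '$1 == u && $2 ~ /^(pts|ttyp)/ { print $3 }' | sort -u
}

# How many times user $1 became root through su, reading /var/log/secure on stdin.
# grep -c exits 1 when the count is 0, so || true keeps the "0" as the result.
su_to_root_count() {
  grep -c "(su) session opened for user root by $1(" || true
}

# /etc/hosts.allow and /etc/hosts.deny contents that restrict telnet and ssh
# to the tcpd client list in $1 (e.g. "10.0.0.0/255.255.255.0, .example.net")
# and refuse every other wrapped service.
tcp_wrapper_rules() {
  printf '# /etc/hosts.allow\nin.telnetd, sshd: %s\n\n# /etc/hosts.deny\nALL: ALL\n' "$1"
}

# Demo on the constructed samples (placeholder network in the wrapper rules).
printf '%s\n' "$LAST_SAMPLE"   | session_count shlomi
printf '%s\n' "$LAST_SAMPLE"   | login_sources shlomi
printf '%s\n' "$SECURE_SAMPLE" | su_to_root_count shlomi
tcp_wrapper_rules '10.0.0.0/255.255.255.0'
```

On a live box the same functions read the real data with `last | login_sources shlomi` and `su_to_root_count shlomi < /var/log/secure`. The wrapper rules only take effect for services started through tcpd (inetd/xinetd) or linked against libwrap, and they complement rather than replace Dan's advice to move from telnet to ssh.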
