Don't believe for a second that nobody didn't have root privileges. It is pretty trivial to give nobody full root privileges if you manage to get root yourself. Use a LiveCD and scan your hard drive for changes using find and the appropriate options to find modified dates in the period you know the infection happened. Work your way back until you are comfortable that you have found all the things the hacker changed. Consider Trojan versions of ssh, rpm and just about anything.
I'd recommend a LiveCD with a rootkit checker. Run that also. There is a script on the web that looks for user nobody with passwords that are rather mundane like "password". It could be they simply guessed the right password if you had changed it at some point and forgot to return it. A number of machines have reportedly experienced this sort of thing.

In the end, your best bet is to check your data for modifications, back up your data, re-install from scratch and add the data onto the re-install after you're sure it is clean.

JSR/

________________________________________
From: UM Linux User's Group [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Curran
Sent: Saturday, December 03, 2005 10:26 AM
To: [email protected]
Subject: [UM-LINUX] I got hacked so what should I do now?

My hard drive was doing a whole lot in the middle of the night so I checked and saw the user "nobody" was running "find". I was running an ssh server and think that might be how they got in, so I shut that down, cos I don't really need it. I also switched off the port forwarding to the ssh port. I have a crappy wireless router from Verizon. I don't think I set up my logs correctly cos I suck and couldn't really find much.

Are there some necessary things that I should change? I'm sure there are, but I dunno what. And what can I do with the nobody account? It is my understanding that it should have no rights to do anything. I changed the password cos I figure the person who got in set it to what he or she wanted... can I just delete the account?

Thanks for any input. And yes, one day I will stop being lazy and secure my box.

--Patrick
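As an added example of the LiveCD triage JSR describes (this is not code from the thread): a few shell helpers that, given the suspect disk mounted read-only, list files changed inside the window when the intrusion is thought to have happened, and list setuid binaries, which is one way an account like "nobody" ends up able to run things as root. The mount point and the timestamp strings are assumptions; the `-newermt`/`-newerct` tests and `stat -c` need GNU findutils and coreutils.

```shell
#!/bin/sh
# Triage helpers for the "boot a LiveCD and find what changed" step.
# Assumptions (not from the thread): ROOT is the read-only mount point of the
# suspect filesystem; START and END are GNU find timestamps such as
# "2005-12-02 00:00". Requires GNU find (-newermt/-newerct) and GNU stat.

# list_changed ROOT START END
# Files whose content (mtime) or inode metadata (ctime) changed inside the
# window. ctime cannot be rewritten with touch(1), so it is checked as well
# as mtime: an intruder who resets mtime on a trojaned binary still leaves
# a fresh ctime behind.
list_changed() {
    find "$1" -xdev -type f \
        \( -newermt "$2" ! -newermt "$3" -o -newerct "$2" ! -newerct "$3" \) \
        -print
}

# count_changed ROOT START END -> how many files list_changed would report
count_changed() {
    list_changed "$1" "$2" "$3" | wc -l | tr -d ' '
}

# list_setuid ROOT
# Setuid executables run as their owner; an unexpected one is a common way
# an unprivileged account gets root, so every entry here needs a second look.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -print
}

# describe FILE -> owner, mode, mtime and ctime, for the worklist
describe() {
    stat -c '%U %a mtime=%y ctime=%z %n' "$1"
}

# Usage, e.g. after:  mount -o ro /dev/sda1 /mnt/suspect
#   list_changed /mnt/suspect "2005-12-02 00:00" "2005-12-04 00:00" \
#     | while read -r f; do describe "$f"; done
#   list_setuid /mnt/suspect
```

Work outward from the earliest hit until you are confident the window covers everything the intruder touched, and treat any changed package-manager or ssh binaries as untrustworthy rather than repairing them in place.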
