You all need to stop. The original poster needs to verify that this was not slocate or locate running `updatedb`, which in turn calls find, as a cronjob, run *as nobody*, every night. The original poster can do this by looking through his crontabs in /etc/cron*, or by posting what the find command actually was. All of this was already suggested in a previous mail.
If you do not find the updatedb cronjob, then a root kit checker like LiveCD is not a bad route to decide *if* you've been broken into, but if you decide you've been broken into or are just paranoid, you should reinstall everything from scratch and patch. This is the only way to know that you have removed a break-in. Besides, any h4x0z worth his salt these days uses a kernel kit with process hiding (http://www.phrack.org/show.php?p=58&a=7 for my favorite), so you would never see them anyway.

Question for the group: I've done a fair bit of research into rootkits (particularly suckit), how they work, etc. Is there interest in me doing a talk about it? I don't remember how much of the technical details I covered in my FBI talk.

- Rob .

On Mon, Dec 05, 2005 at 11:31:25AM -0500, Ritchie, Josiah S. wrote:
> Don't believe for a second that nobody didn't have root privileges. It is
> pretty trivial to give nobody full root privileges if you manage to get root
> yourself. Use a LiveCD and scan your hard drive for changes using find and
> the appropriate options to find modified dates in the period you know the
> infection happened. Work your way back until you are comfortable that you
> have found all the things the hacker changed. Consider Trojan versions of
> ssh, rpm and just about anything.
>
> I'd recommend a LiveCD with a root kit checker. Run that also.
>
> There is a script on the web that looks for user nobody with passwords that
> are rather mundane like "password". It could be they simply guessed the right
> password if you had changed it at some point and forgot to return it. A
> number of machines have reportedly experienced this sort of thing.
>
> In the end, your best bet is to check your data for modifications, backup
> your data, re-install from scratch and add the data onto the re-install after
> you're sure it is clean.
>
> JSR/
>
> ________________________________________
> From: UM Linux User's Group [mailto:[EMAIL PROTECTED] On Behalf Of Patrick
> Curran
> Sent: Saturday, December 03, 2005 10:26 AM
> To: [email protected]
> Subject: [UM-LINUX] I got hacked so what should I do now?
>
> My hard drive was doing a whole lot in the middle of the night so I checked
> and saw the user "nobody" was running "find". I was running an ssh server and
> think that might be how they got in, so I shut that down, cos I don't really
> need it. I also switched off the port forwarding to the ssh port. I have a
> crappy wireless router from Verizon. I don't think I set up my logs
> correctly cos I suck and couldn't really find much.
>
> Are there some necessary things that I should change? I'm sure there are, but
> I dunno what.
>
> And what can I do with the nobody account? It is my understanding that it
> should have no rights to do anything. I changed the password cos I figure
> the person who got in set it to what he or she wanted... can I just delete the
> account?
>
> Thanks for any input. And yes, one day I will stop being lazy and secure my
> box.
>
> --Patrick

--
- Rob .
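An added example, not code from any of the posters above, of the two checks the thread describes: looking through /etc/cron* for an updatedb/slocate job and whether it is handed to the user nobody, and listing files modified within a given window from a LiveCD. The cron root, mount point and day count are parameters chosen here, not paths from the thread; the crontab contents used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: defender-side checks from the thread (not any poster's code).
# Assumes a GNU/Linux or busybox userland; cron root and mount point are
# parameters, not paths taken from the thread.

# Print every line under $1/cron* (system crontab, cron.d, cron.daily, ...)
# that invokes updatedb or slocate, prefixed with file name and line number.
# On many distributions that job is ordinary and expected; what matters is
# when it runs and which user it runs as.
find_updatedb_cron() {
    cron_root="${1:-/etc}"
    # -w: whole-word match, so "/usr/bin/updatedb" matches but "updatedb2" does not
    grep -rnwE 'updatedb|slocate' "$cron_root"/cron* 2>/dev/null || true
}

# Count how many of those lines hand the job to the 'nobody' user, whether as
# the USER field of /etc/crontab or via "su nobody ..." in a cron.daily script.
count_nobody_updatedb() {
    find_updatedb_cron "$1" | grep -cw 'nobody' || true
}

# List regular files under $1 (e.g. the suspect root mounted from a LiveCD)
# modified within the last $2 days. Uses POSIX -mtime rather than GNU
# -newermt so it also works with busybox find on a rescue image.
recently_modified() {
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# Stand-alone usage: ./check.sh [cron_root] [mount_point] [days]
if [ "${0##*/}" = "check.sh" ]; then
    echo "== updatedb/slocate cron entries under ${1:-/etc}/cron* =="
    find_updatedb_cron "$1"
    echo "== of which run as nobody: $(count_nobody_updatedb "$1") =="
    echo "== files under ${2:-/mnt} modified in the last ${3:-7} days =="
    recently_modified "${2:-/mnt}" "${3:-7}"
fi
```

Run it against the mounted suspect filesystem rather than the live one, and read the cron output for the schedule and user before treating the nightly find as evidence of anything.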
