Re: info

From: W.G. Iyer (
Date: 05/04/02

Date: Fri, 3 May 2002 17:27:17 -0700 (PDT)
From: "W.G. Iyer" <>
To: "Joe T." <>,

> I would like some opinions, advice, or info on:
> - is there any way to view records? webmin has a
> 'last logon' option, but now that
> /var/log has been blown away, it's not working
> right.

The nature of the attack, i.e. box is r00ted indicates
that you cannot trust any of the information
you find with any certainty. With that said, you can
check your /etc/syslog.conf file to see if there are
any log files in a directory other than /var/log. You
can also check services like Apache (httpd.conf) to
see if they logged to a directory other than /var/log.

> - any other recommendations? I'm pretty proficient
> in Linux, but this is the first time
> I've run into a hacked box. From my past reading, I
> know the steps are to try and recover
> any data not malformed and reinstall. any other
> pointers?

If your attacker was sloppy, you may find useful
information in the users' history files, .bash_history,
especially those users with uid 0.

If the hacked machine was behind a packet filter, or
there is a sniffer on the line anywhere between the
hacked box and the net that you have access to, you
can check those logs as well.

Best of luck,

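A small triage script for the three places the reply points at (syslog.conf destinations outside /var/log or on a remote loghost, Apache log directives, and the .bash_history of every uid-0 account, not just "root"). This is an added example, not part of the original message; the syslog.conf, httpd.conf and passwd contents it reads are constructed samples, and the paths and hostnames in them are assumed.

```shell
#!/bin/sh
# Constructed sample files standing in for the compromised host's configs.
# On a real case read them from an offline copy of the disk, since a rooted
# box may have had these files edited too.
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
cat > "$d/syslog.conf" <<'EOF'
# constructed /etc/syslog.conf
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
auth.*                           -/srv/audit/auth.log
*.emerg                          *
kern.*                           /dev/console
*.*                              @loghost.example.net
EOF
cat > "$d/httpd.conf" <<'EOF'
# constructed httpd.conf excerpt
ErrorLog /var/log/httpd/error_log
CustomLog /data/www/logs/access_log combined
EOF
cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:extra root:/home/toor:/bin/bash
joe:x:500:500:Joe:/home/joe:/bin/bash
EOF

# syslog.conf actions worth checking: files outside /var/log (the leading
# "-" means "no sync" and is stripped) and remote loghosts written as @host.
syslog_offbox_targets() {
  grep -v '^[[:space:]]*#' "$1" | awk '
    NF >= 2 { a = $NF; sub(/^-/, "", a)
      if (a ~ /^@/ || (a ~ /^\// && a !~ /^\/var\/log\// && a !~ /^\/dev\//)) print a }'
}

# Apache ErrorLog/CustomLog/TransferLog paths that do not live under /var/log.
apache_offbox_logs() {
  awk '$1 ~ /^(ErrorLog|CustomLog|TransferLog)$/ && $2 ~ /^\// && $2 !~ /^\/var\/log\// { print $2 }' "$1"
}

# .bash_history path of every account whose uid is 0, whatever its name.
uid0_histories() {
  awk -F: '$3 == 0 { print $6 "/.bash_history" }' "$1"
}

syslog_offbox_targets "$d/syslog.conf"
apache_offbox_logs "$d/httpd.conf"
uid0_histories "$d/passwd"
```

Point the three functions at the real /etc/syslog.conf, httpd.conf and /etc/passwd from the disk image to get the list of files to pull before reinstalling.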

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: