Re: glotz???

From: lynx (noone@nowhere.antispam.net)
Date: 12/17/01


From: lynx <noone@nowhere.antispam.net>
Date: Sun, 16 Dec 2001 19:28:56 -0500


"penguin" <penguin@cox-internet.com>, in
<u1qd0reed26528@corp.supernews.com>:

> i need some help getting rid of some virus/worm/trojan that has grabbed
> some root privileges and stolen some of my root privileges!!

you need to clean up your system? oh, that's easy:

 - unplug all network connections to it NOW.
 - back up whatever personal data on it you might want to save.
 - reformat, reinstall, restore from backups.
 - lock down and harden the system; disable unneeded services,
   minimum privileges on everything, password and/or crypto
   protection, that sort of thing. consider running bastille.
 - put in a minimally simple firewall. by "minimally simple" i
   mean "it blocks everything, and now nothing will go!"
 - update your box with *all* the distro's updates until it's
   entirely current. yes, even those dozen-megabyte glibc ones.
   you'll have to poke a few holes in that firewall to make this
   go; make a point to keep them as few and as small as possible.
 - shut down networking again after that point.
 - go through the whole box again to see that the updates didn't
   change something important - watch those .rpmsaved files.
   make sure there's nothing running or listening that you don't
   *know* you need. if you disable something and something else
   breaks, find out *why* the second thing needed the first.
 - then go over your firewall again. make sure you *understand*
   what it's doing and why.
 - consider installing some form of IDS (AIDE, snort) at this
   point.
 - and only after all that, think about possibly maybe putting
   the thing back up online. NOT BEFORE.

sounds like a lot of work? it is. that's why people scream and cuss at
the skr1pt k1dd13s so much. there's not really very much up there you can
take lightly, though; your machine really can't be trusted until you've
gone down that list. have at it, no point waiting any longer.

[...]
> I NEED HELP PLEASE

from the description i snipped, you have certainly been hacked. go down
that list i outlined. start now.

-- 
   PGP/GnuPG key (ID 1024D/07A530D6) available from keyservers everywhere
    Key fingerprint = B5A8 62AD 8263 5415 7C3C  9245 50A7 FD59 07A5 30D6
                             "...life goes on
                  long after the thrill of living is gone..."
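A small audit for two of the steps in the list above (the "nothing listening that you don't *know* you need" check and the rpm leftovers). This is an added example, not code from lynx's post; the listener table and the allowlist are constructed, and the suffixes rpm actually uses are `.rpmsave` (your old copy) and `.rpmnew` (the packager's new one).

```shell
#!/bin/sh
# Added example (not from the post): post-rebuild audit helpers that run
# offline on constructed input. On a real rebuilt box, feed audit_listeners
# the output of `netstat -tlnp` (or `ss -tlnp`) instead of SAMPLE_LISTENERS.

# Constructed sample of `netstat -tlnp` output (not real data from the thread).
SAMPLE_LISTENERS='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 512/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 640/sendmail
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN 777/[kflushd]
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 301/portmap'

# Allowlist of "port program" pairs you have decided you need (assumed policy).
# Anything listening that is not on this list is flagged for you to explain.
ALLOWED='22 sshd
25 sendmail'

# audit_listeners LISTENERS ALLOWLIST
# Prints one line per listener that is not on the allowlist. No output = clean.
audit_listeners() {
    printf '%s\n' "$1" | while read -r proto recvq sendq laddr raddr state pidprog; do
        port=${laddr##*:}          # "0.0.0.0:22" -> "22"
        prog=${pidprog#*/}         # "512/sshd"   -> "sshd"
        # -F: match the allowlist line literally, -x: whole line only
        if ! printf '%s\n' "$2" | grep -qxF "$port $prog"; then
            printf 'UNEXPECTED: port %s program %s (pid/program %s)\n' \
                "$port" "$prog" "$pidprog"
        fi
    done
}

# find_rpmsave DIR
# Lists the files rpm leaves behind when an update replaces a config you
# edited; each one needs a manual diff before the box goes back online.
find_rpmsave() {
    find "$1" -type f \( -name '*.rpmsave' -o -name '*.rpmnew' \) 2>/dev/null
}

# Stand-alone run: audit the constructed sample, then look under /etc.
audit_listeners "$SAMPLE_LISTENERS" "$ALLOWED"
find_rpmsave /etc
```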