Re: Help. Got Hacked.

From: Bill Unruh (unruh@physics.ubc.ca)
Date: 03/26/02


From: unruh@physics.ubc.ca (Bill Unruh)
Date: 26 Mar 2002 18:59:52 GMT

In <1103_1017165474@news.ucdavis.edu> Alan Hopper <aahopper@ucdavis.edu> writes:

]I think my linux development server got hacked over the weekend. I came in today and the root password on the server doesn't work. I can log in using a user account but the commands ps and netstat do not work. I get a message that /bin/netstat and
]/bin/ps are not found. They appear in the /bin directory but I can't even execute them with ./ps or ./netstat. Have I been hacked? (sure seems like it) And what is my next step? Can I do anything to figure out what has been done without root privileges?
]I can reload the system, I have a backup of everything, but if there are any suggestions I would love to hear them?

Disconnect it from the net immediately to prevent the programs from
mailing yet more of your passwords to the cracker. Change your password,
and that of anyone else using that machine, on all the systems that they use.

Then clean up. Erase and reinstall the system. Back up your home and
other user type directories. Search the backups for suid files:

    find / -perm +6000 -ls

Make sure that you install all the patches for your system (you forgot,
didn't you) and automate that procedure so your system always remains
up to date with security patches.

Your cracker was incompetent. But that does not mean he cannot have done
damage.
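
The backup check described in the reply above, as an added example that is not part of the original post: a small script that lists, reports and optionally clears set-uid/set-gid bits on files in a restored backup tree before it is copied onto the reinstalled system. Current GNU find no longer accepts the `+6000` form, so the example uses the portable `-perm -4000 -o -perm -2000` test; the function names, the `--strip` option and the directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a restored backup tree for set-uid / set-gid files.
# The directory argument is an assumption; nothing here comes from the post.

# find_setid DIR [ACTION...]: match regular files under DIR that carry the
# set-uid (4000) or set-gid (2000) bit, then apply the given find action.
# -xdev keeps the walk on the backup's own filesystem.
find_setid() {
    _root=$1
    shift
    find "$_root" -xdev -type f \( -perm -4000 -o -perm -2000 \) "$@"
}

# One path per line, for scripting.
list_setid() { find_setid "$1" -print; }

# Long listing (mode, owner, size, date) for manual review.
report_setid() { find_setid "$1" -exec ls -ld {} +; }

# Clear both bits on every match; user data rarely needs them.
strip_setid() { find_setid "$1" -exec chmod u-s,g-s {} +; }

# Usage: sh audit-setid.sh /path/to/restored/backup [--strip]
if [ "$#" -ge 1 ]; then
    report_setid "$1"
    if [ "${2:-}" = "--strip" ]; then strip_setid "$1"; fi
fi
```

Review the report before using `--strip`: a set-id file inside a home directory backup is worth examining as evidence, not just neutralising.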

