Re: Removing hacker's file
From: Nico Kadel-Garcia (nkadel_at_verizon.net)
Date: 06/05/03
- Next message: Mhoram: "Security question regarding directory and file permissions"
- Previous message: Ted: "router/firewal (iptables) and lamp server in the same machine?"
- In reply to: Doug Laidlaw: "Re: Removing hacker's file"
- Next in thread: Doug Laidlaw: "Re: Removing hacker's file"
- Reply: Doug Laidlaw: "Re: Removing hacker's file"
- Reply: Doug Laidlaw: "Re: Removing hacker's file"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 05 Jun 2003 13:26:10 GMT
Doug Laidlaw wrote:
> unruh@string.physics.ubc.ca (Bill Unruh) wrote in message news:<bbm3el$8pr$1@nntp.itservices.ubc.ca>...
>
>>Doug Laidlaw <laidlaws@myaccess.com.au> writes:
>>
>>]A hacker has put what looks like a data file in my /dev/cpu. It is shown as
>>]owned by root, but root can't delete or edit it, only change its
>>]permissions. I know that I need to reinstall, but would like to make life
>>]difficult for the hacker until I am able. I have changed its permissions
>>]to 000, but I know that the change won't stop him. How can I delete this
>>]file?
>>
>>man lsattr
>>man chattr
>>See the immutable flag.
>>
>>But reinstall and get up to date with the security updates.
>>Note they have root on your machine, and thus they may well know your
>>root password, and can use your machine to attack other machines ( you
>>getting blamed in the process)
>
>
> Thanks Bill. Gee, you do a lot on the newsgroups.
>
> I reinstalled the OS, formatting the partition in the process. I then
> set up the Mandrake Shorewall firewall, and on its default settings, I
> couldn't get out, but he got back in and put the mtrr file back. I
> could see his attacks in /var/log/secure. Since then, I have
> downloaded a config for Shorewall for one machine, which lets me out
> and (theoretically) doesn't let anyone in, but it doesn't seem to
> worry him. Looks as though I need a fresh install of Linux *AND*
> Windows 98. He had copied my Windows drive as seen by /mnt/windows to
> a /mnt/windows directory on my Windows partition. Sounds as though
> all he wants to do is harass me, but I can't take the risk. What do
> I do to keep him out?
>
> I am sending this from Windows, but Windows may be compromised too?
Looks like this weasel has some tools in his hands, and is persistent.
It's probably time to call the cops, call his incoming IP address
provider, and call his mommy to spank his hands.
And I suspect he's using a relatively new hole in some service you're
running and exposing to the Net. (Such as HTTP running a weak CGI script
from somewhere else, a sendmail weakness, your FTP server, a set of
usernames and passwords he's stolen from elsewhere, etc.)
Turn off *EVERYTHING* in the short term, turn off all your services,
re-install, change all your passwords, and start from scratch. You might
also benefit strongly from running tripwire from a read-only database of
your core files: I really highly recommend CD-R's for this, since you
can chroot to the CD-ROM itself and run static binaries from there to
access your real drive's files.
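The two concrete pieces of advice in this thread, Bill's pointer to the immutable flag (`lsattr`/`chattr`) and Nico's suggestion of a tripwire-style check run from read-only media, as an added shell example that is not code from any of the posters. It assumes GNU `lsattr`, `chattr` and `sha256sum`; the `SHA256SUM` variable and the `/mnt/cdrom/bin` path are assumptions standing in for wherever the trusted, read-only copy of the tools is mounted.

```shell
#!/bin/sh
# Added example (not from the thread). Two defender-side helpers:
#  1. detect and clear the ext2/3/4 immutable flag an intruder set on a file,
#  2. build and verify a hash baseline of core files from a trusted tool copy.

# Path of the sha256sum to trust. When working from read-only media as the
# post suggests, point this at the copy on that media, e.g.
#   SHA256SUM=/mnt/cdrom/bin/sha256sum   (assumed mount point)
SHA256SUM=${SHA256SUM:-sha256sum}

# Take one line of `lsattr` output ("<attrs> <path>") and return 0 when the
# immutable flag (lowercase 'i') is set. Parsing the line as a string keeps
# this testable without root or an ext filesystem.
lsattr_is_immutable() {
    attrs=${1%% *}          # attribute column is everything before the space
    case "$attrs" in
        *i*) return 0 ;;    # 'i' = immutable; uppercase 'I' is a different flag
        *)   return 1 ;;
    esac
}

# Clear the immutable flag if present, then remove the file.
# Needs root; the file the original poster could not delete is the use case.
unlock_and_remove() {
    f=$1
    line=$(lsattr -d -- "$f") || return 1
    if lsattr_is_immutable "$line"; then
        chattr -i -- "$f" || return 1
    fi
    rm -f -- "$f"
}

# Write a SHA-256 baseline of the given files to $1. Store the result on
# media you then mount read-only so the intruder cannot edit the baseline.
make_baseline() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        "$SHA256SUM" -- "$f" >> "$out" || return 1
    done
}

# Re-hash every file listed in the baseline $1 and print only mismatches.
# Returns non-zero if any file changed or went missing.
check_baseline() {
    "$SHA256SUM" --quiet -c -- "$1"
}
```

Running `make_baseline /mnt/cdrom/baseline.sha256 /bin/* /sbin/* /usr/bin/*` once after a clean install, then `check_baseline` from the read-only copy on each login, gives a rough equivalent of what the post describes with tripwire: the check still says nothing about a compromised kernel, which is why the post pairs it with booting and chrooting into trusted media.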