Re: Compromised user account, consequences?
From: Thorsten Küfer (thorsten.kuefer_at_uni-muenster.de)
Date: Wed, 12 Jan 2005 09:11:25 +0100
Gandalf Parker wrote:
> Thorsten Küfer <firstname.lastname@example.org> wrote in
>>What harm could arise from this break-in? He didn't get root rights, as
>>it seems. Is it sufficient to change the password?
> That's usually good if you keep an eye on things. A lot can be done without
> root, but the bit of history you provided didn't seem to do it. The bot is
> probably an IRC bot which would display a banner showing that he has
> "owned" the box and can trade it for others.
The two downloaded and executed packages were EnergyMech and a helper for
staying on IRC after logout. EnergyMech was started as ./klogd to hide it.
A few commands left out showed some typos, so it seems that the hacker
wasn't a Linux guru.
> I would definitely get and run chkrootkit. If it shows that programs such as
> ls, ps, find have been compromised, then I can tell you how to find the
> "hide these" files. Leaving the compromised ones in place is actually more
> hardened than starting over.
I got chkrootkit and it didn't find anything.
I updated OpenSSL & OpenSSH to the newest versions and changed to public key
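The bot in this thread was started as ./klogd so that it blends into a ps listing next to the real kernel log daemon. One check a responder can run on such a box is to read /proc directly and compare what each process claims to be (argv[0]) with what it actually is (the /proc/<pid>/exe link): a "klogd" whose executable lives in a home directory, has been unlinked, or resolves to /usr/bin/perl is worth a look. The code below is an added example written for this page, not something posted in the original thread. The process records, the pid numbers and the path /home/tkuefer/.emech/emech are constructed for the demonstration; the list of trusted executable directories is an assumption and should be adjusted to the system in question.

```python
"""Flag processes whose argv[0] claims a system daemon name but whose
executable does not match that claim (added example, not from the thread)."""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: directories a genuine system daemon is expected to run from.
# Adjust for the distribution being examined.
TRUSTED_EXE_DIRS = ("/sbin/", "/usr/sbin/", "/bin/", "/usr/bin/",
                    "/lib/", "/usr/lib/", "/usr/libexec/")


@dataclass
class Proc:
    pid: int
    argv0: str           # first NUL-separated word of /proc/<pid>/cmdline
    exe: Optional[str]   # target of /proc/<pid>/exe, None if unreadable


def suspicious_reason(p: Proc) -> Optional[str]:
    """Return a short reason string if the process looks like it is
    masquerading, or None if nothing stands out."""
    if p.exe is None:
        # Kernel thread or permission denied: nothing to compare against.
        return None
    # The kernel appends " (deleted)" when the binary was unlinked after
    # exec, a common trick to leave nothing on disk for find/ls to show.
    if p.exe.endswith(" (deleted)"):
        return "executable was unlinked after start"
    if not p.exe.startswith(TRUSTED_EXE_DIRS):
        return f"runs from untrusted path {p.exe}"
    claimed = os.path.basename(p.argv0)
    actual = os.path.basename(p.exe)
    if claimed != actual:
        # e.g. 'exec -a klogd /usr/bin/perl bot.pl' rewrites argv[0] only.
        # Note: busybox-style symlink names (sh -> dash) also land here,
        # so treat hits as a review list rather than a verdict.
        return f"argv[0] claims {claimed!r} but executable is {p.exe}"
    return None


def find_suspicious(procs: List[Proc]) -> Dict[int, str]:
    """Map pid -> reason for every process that fails the checks above."""
    result = {}
    for p in procs:
        reason = suspicious_reason(p)
        if reason is not None:
            result[p.pid] = reason
    return result


def scan_proc(proc_root: str = "/proc") -> List[Proc]:
    """Collect Proc records from a live procfs, bypassing the ps binary."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue
        if not argv0:
            continue  # kernel threads have an empty cmdline
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None
        procs.append(Proc(int(entry), argv0, exe))
    return procs


# Constructed sample records modelled on the incident in the thread.
SAMPLE_PROCS = [
    Proc(412, "/sbin/klogd", "/sbin/klogd"),                       # real daemon
    Proc(2187, "./klogd", "/home/tkuefer/.emech/emech"),           # renamed bot
    Proc(2201, "klogd", "/tmp/.x/klogd (deleted)"),                # binary removed
    Proc(2230, "/usr/sbin/sshd", "/usr/sbin/sshd"),                # real daemon
    Proc(2250, "klogd", "/usr/bin/perl"),                          # argv[0] rewritten
]

if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_PROCS).items():
        print(f"pid {pid}: {reason}")
```

Run it with scan_proc() instead of SAMPLE_PROCS on the affected host. Because it reads /proc itself rather than calling ps, a trojaned ps binary cannot hide a process from it; a kernel-level rootkit that filters /proc still can, which is why a clean chkrootkit run is a useful but not sufficient signal.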