Re: Looks Like A Cracker Has Been In

[ayako kato <ayakat@example.com>]

On Sun, May 27, 2001 at 08:16:16AM +0900, Dennis McMurchy wrote:

>   All this would be happening, of course, at one of the rare times when
> I don't have a complete backup of my system.  Other than immediately
> changing my ISP passwords, what else should I be doing?

if i were you, i would:

0. bring the system offline 
1. take a dump of the compromised system, for later examination
   (or simply swap out the disks)
2. re-install clean, and read the security guidelines that 
   the vendor provides. apply recommended patches. disable all the 
   services that's not needed. for any of the services that need 
   to run, ensure that they're up-to-date, patched, and configured 
   properly.
3. create a tripwire database of the system and save it on a 
   read-only media.
4. bring the system back online and keep an eye out for security 
   alerts. (perhaps start with maillists like bugtraq)
5. perhaps report the incident to cert (jpcert?)

luckily i haven't had to do any of this so far... good luck ..

useful/interesting reading:

http://www.enteract.com/~lspitz/linux.html
http://www.rootprompt.org/article.php3?article=403
http://project.honeynet.org/

regards,
ak