tlug: The aftermath of having one's server hacked.

[Dave Gutteridge <dave@example.com>]

I finally got to sit in front of my server machine last night and see what
damage was done - some of you may have seen my posting before telling the
tale that someone had hacked into my system and was trying to use my server
machine as a starting point to hacking into machines in Germany.
What this bastard (forgive the language, but i think you can understand my
anger) has done is:
1. Change my root password. This makes it difficult to do any repairs. If
anyone has a suggestion as to how i might reclaim superuser status, please
inform me. At least I can still get access to the file system with my
personal user account. I might be able to get more information on the
hacker as superuser, because right now some of the log files are denied to me.
2. Rewritten hosts.deny to include ALL:ALL, and also, more interesting, has
rewritten hosts.allow to include the following addresses:
ALL:puskin-a67.sote.hu
ALL:147.46.116.72
ALL:dick.eng.isas.ac.jp
I think that it's likely - if not obvious - that the hacker was coming in
from one or all of those addresses. If someone can tell me how I might turn
these addresses around into some e-mail addresses so i can inform them that
someone at thier site has been abusing their system, then that would also
be greatly appreciated. 

-------------------------------------------------------------------
Next Technical Meeting: February 13 (Sat), 12:30 place: Temple Univ.
** presentation: XEmacs, by Steven Baur and Martin Buchholz
Next Nomikai: March 19 (Fri), 19:30   Tengu TokyoEkiMae 03-3275-3691
-------------------------------------------------------------------
more info: http://tlug.linux.or.jp                     Sponsor: PHT