Mailing List Archive


Re: tlug: The aftermath of having one's server hacked.



On Wed, 27 Jan 1999, Dave Gutteridge wrote:

> I finally got to sit in front of my server machine last night and see what
> damage was done - some of you may have seen my posting before telling the
> tale that someone had hacked into my system and was trying to use my server
> machine as a starting point to hacking into machines in Germany.
> What this bastard (forgive the language, but I think you can understand my
> anger) has done is:
> 1. Change my root password. This makes it difficult to do any repairs. If
> anyone has a suggestion as to how I might reclaim superuser status, please
> inform me. At least I can still get access to the file system with my

'linux single' at the lilo prompt.  Drops straight to a root shell.

> personal user account. I might be able to get more information on the
> hacker as superuser, because right now some of the log files are denied to me.
> 2. Rewritten hosts.deny to include ALL:ALL, and also, more interesting, has
> rewritten hosts.allow to include the following addresses:
> ALL:puskin-a67.sote.hu
> ALL:147.46.116.72
> ALL:dick.eng.isas.ac.jp
> I think that it's likely - if not obvious - that the hacker was coming in
> from one or all of those addresses. If someone can tell me how I might turn
> these addresses around into some e-mail addresses so I can inform them that
> someone at their site has been abusing their system, then that would also
> be greatly appreciated. 

Whenever I find an IP addr in my kernel log that was trying some kind of
exploit, I try nslookup on it and on other IPs in its subnet.  Once I have
the domain, I do a whois to get the technical contact for the domain, and
I email them.  

In this case, though, I'm sure that postmaster@example.com would be
interested in hearing about this.

--------------------------------------------------
Scott M. Stone <sstone@example.com>
Head of TurboLinux English / Systems Administrator
Pacific HiTech, Inc. (http://www.turbolinux.com)
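
The lookup procedure described in the reply, applied to the hosts.allow entries quoted from the original post, as an added example that is not part of the thread. The function names are made up for illustration; the script only prints the nslookup and whois commands to run, and it assumes the client fields are plain host names or IPv4 addresses.

```shell
#!/bin/sh
# Added example, not from the original thread. tcp_wrappers rule format:
#   daemon_list : client_list [ : shell_command ]

# Constructed sample: the three hosts.allow lines quoted in the message.
sample_hosts_allow() {
    printf '%s\n' '# constructed sample' 'ALL:puskin-a67.sote.hu' \
        'ALL:147.46.116.72' 'ALL:dick.eng.isas.ac.jp'
}

# Read hosts.allow on stdin; print each distinct client, one per line.
# Assumption: no bracketed IPv6 clients (they contain extra ':' characters).
allow_clients() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |
        cut -s -d: -f2 |
        tr ' ,\t' '\n\n\n' | sed '/^$/d' | LC_ALL=C sort -u
}

# Succeed if $1 is a dotted-quad IPv4 address with every octet <= 255.
is_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the parent domains of host name $1, most specific first, down to two
# labels. Which of them is the registered domain is for whois to confirm.
parent_domains() {
    name=${1#*.}
    while [ "${name#*.}" != "$name" ]; do
        printf '%s\n' "$name"
        name=${name#*.}
    done
}

# Print (do not run) the lookups for every client read from stdin.
lookup_plan() {
    allow_clients | while read -r client; do
        printf 'nslookup %s\n' "$client"
        if is_ipv4 "$client"; then
            printf 'whois %s\n' "$client"
        else
            parent_domains "$client" | sed 's/^/whois /'
        fi
    done
}

sample_hosts_allow | lookup_plan   # on a real host: lookup_plan < /etc/hosts.allow
```

For a host name, the first candidate domain for which whois returns a record is the one whose technical contact to e-mail.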


-------------------------------------------------------------------
Next Technical Meeting: February 13 (Sat), 12:30 place: Temple Univ.
** presentation: XEmacs, by Steven Baur and Martin Buchholz
Next Nomikai: March 19 (Fri), 19:30   Tengu TokyoEkiMae 03-3275-3691
-------------------------------------------------------------------
more info: http://tlug.linux.or.jp                     Sponsor: PHT

