Date:      Wed, 14 Apr 2004 10:23:50 -0400
From:      Clint Gilders <>
To:        Remko Lodder <>,
Subject:   Re: have i been hacked?
Message-ID:  <>
In-Reply-To: <>
References:  <000001c421de$6c67ba10$0200a8c0@satellite> <> <>


>> I had someone get into one of my machines when I stupidly left telnet
>> running, and an email from the system much like yours was what first
>> alerted me to it. The kiddie had installed a new ls which didn't
>> allow any switches. I imagine '-l' is needed for the suid check, so
>> it fails and reports all the files as changing. I ran chkrootkit and
>> it turned up nothing. The kiddie had also replaced several other
>> programs (login and ps were among them) and turned off syslog. I'm
>> lucky to have several other systems, so I was able to copy over known
>> original versions of the system tools that were changed and get the
>> machine secured before moving all the accounts and reinstalling.
> Bad move. Back up important data and reinstall your host; you cannot tell
> which applications are affected and which are not (you just spotted the obvious ones).
> If you intend to keep it running, well, that's a security incident imho.
> Please consider it.

I think you misread my message. Did "moving all the accounts and
reinstalling" imply that I didn't do a reinstall? I simply copied over
known original programs so I could make my backup and do some postmortem
before reinstalling the system. As you say, who knows what other
programs were changed. I wanted to use known good binaries.

Clint Gilders <>
Director of Technology Services, Inc.

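The thread turns on two points: a trojaned ls makes the periodic suid check report every file as changed, and the only trustworthy comparison is against binaries (or their hashes) taken from a clean system. The script below is an added example written for this page, not code from the original thread or from FreeBSD; it compares a suspect filesystem against a known-good SHA-256 baseline and lists set-uid/set-gid files via stat(2) instead of ls(1), so the audit cannot be fooled by a replaced ls. Assumptions not taken from the page: the baseline is a text file of "<sha256>  <path>" lines made with sha256sum on a clean host, the suspect disk is mounted under a directory passed as root, and the script is run from trusted media (a live CD or a clean host) because a host with a replaced login, ps and ls cannot be trusted to run the interpreter honestly either. The demo() scenario is constructed, not real data.

```python
#!/usr/bin/env python3
"""Added example: verify binaries against a known-good hash baseline and audit
set-uid files without relying on ls(1). Not from the original thread."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_baseline(text: str) -> Dict[str, str]:
    """Parse '<sha256>  <path>' lines (the format sha256sum prints) into {path: digest}.
    Assumed format; blank lines and '#' comments are ignored."""
    baseline: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition(" ")
        baseline[path.strip()] = digest.lower()
    return baseline


def verify(baseline: Dict[str, str], root: str = "/") -> Dict[str, List[str]]:
    """Classify every baseline entry found under root as ok / modified / missing.
    root lets the check run against a suspect disk mounted from trusted media."""
    result: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": []}
    for path, expected in sorted(baseline.items()):
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            result["missing"].append(path)
        elif sha256_file(full) != expected:
            result["modified"].append(path)
        else:
            result["ok"].append(path)
    return result


def setuid_files(root: str = "/") -> List[str]:
    """List set-uid/set-gid regular files under root using lstat() directly,
    so the audit does not depend on ls(1) honouring its switches."""
    found: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable or vanished entry; skip rather than abort
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append("/" + os.path.relpath(full, root))
    return sorted(found)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario (not real data): a fake root where /bin/ls has been
    replaced, /usr/bin/login removed and /bin/ps made set-uid, mirroring the
    incident described in the thread."""
    clean = {
        "/bin/ls": b"#!/bin/sh\necho clean ls\n",
        "/bin/ps": b"#!/bin/sh\necho clean ps\n",
        "/usr/bin/login": b"#!/bin/sh\necho clean login\n",
    }
    with tempfile.TemporaryDirectory() as root:
        lines = []
        for rel, content in clean.items():
            full = os.path.join(root, rel.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
            lines.append(f"{sha256_file(full)}  {rel}")  # baseline taken while clean
        baseline = parse_baseline("\n".join(lines))
        # Simulate the compromise after the baseline was recorded.
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned ls: switches ignored\n")
        os.remove(os.path.join(root, "usr/bin/login"))
        os.chmod(os.path.join(root, "bin/ps"), 0o4755)
        report = verify(baseline, root)
        report["setuid"] = setuid_files(root)
        return report


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {', '.join(paths) or '-'}")
```

In practice the baseline must come from the clean systems Clint mentions (or from installation media), never from the suspect host, and the report is a triage aid only: as Remko's reply says, the machine still gets reinstalled once the evidence and data are off it.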