Date: Fri, 3 Aug 2001 08:21:50 -0700
From: Erin Fortenberry <efortenb@sdccd.cc.ca.us>
To: "'Keith Spencer'" <bsd2000au@yahoo.com.au>, fbsd <freebsd-questions@FreeBSD.ORG>
Subject: RE: How can I tell I have been hacked?
Message-ID: <BBDEEDD2EB67D311A0240008C74B9345129C5B@ntxmidcity.sdccd.cc.ca.us>

> From: Keith Spencer [mailto:bsd2000au@yahoo.com.au]
> Hi all,
> Some mob contacted me and said I had been hacked by a
> group called Pakistan Cyber Warriors.
> Heard of them?

Nope. More than likely they are just a bunch of kids playing around.

> They say my site had a page placed on it yesterday
> short term!

Yah.. right, and I have a bridge to sell you.

> How can I tell?

This will depend on how good they are. I would look at users' home directories. Look for directories that you know should not be there like .ssh and .profile. .ssh should be a directory, but look inside of it, it should contain only a known_hosts file. A lot of what some of the script kiddies will do is to put an irc bot on a machine for later use, they hide them in directories that look like files, such as .profile or .cshrc.

Also look at your daily logs for password changes and/or new users. Also look for changed files in these logs.

A good cracker will be able to hide these things from you, but an amateur script kiddie will not always know what to do.

> Any ideas?

Take them at their word, I doubt they would lie about something like that.

> What should I do? Close telnet ftp etc etc.?

You have telnet open? This is bad. Go to http://www.cert.org and get on their newsletter about security issues. While you are at it look at http://www.cert.org/advisories/CA-2001-21.html

If you are the administrator of a server like this you need to be on top of these things or they will come back and bite you in the butt.

> What is port 587 Submission?

I believe that is sendmail, if you telnet to it how does it reply back to you?

> How can I trace a backdoor on my machine?

Reinstall. Do not use telnet, try openssh. Set up some kind of intrusion detection. Learn about firewalls.

> So many questions.
> Hoping for help

I know how you feel, I have been there many times.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
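
The home-directory check described in the reply above, as an added example that is not part of the original message: a read-only sh script that flags dotfile names that exist as directories and any entry in .ssh other than known_hosts. The function names, the finding labels and the list of dotfile names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: read-only audit of home directories for the two signs the
# reply describes. Prints one finding per line.

# Names that are normally regular files; a directory with one of these names
# is suspicious. (Assumed list, extend it for the shells you use.)
FILE_DOTNAMES=".profile .cshrc .login .shrc .bashrc .logout"

# Entries treated as normal inside ~/.ssh. (Assumption: only known_hosts, as
# the reply says; add authorized_keys and key files if your users have them.)
SSH_ALLOWED="known_hosts"

audit_home() {
    h=$1
    for name in $FILE_DOTNAMES; do
        if [ -d "$h/$name" ] && [ ! -L "$h/$name" ]; then
            echo "DIR_AS_DOTFILE $h/$name"
        fi
    done
    if [ -d "$h/.ssh" ]; then
        # Two globs so hidden entries inside .ssh are listed as well.
        for entry in "$h/.ssh"/* "$h/.ssh"/.[!.]*; do
            [ -e "$entry" ] || [ -L "$entry" ] || continue  # unmatched glob
            ok=0
            for allowed in $SSH_ALLOWED; do
                if [ "${entry##*/}" = "$allowed" ]; then ok=1; fi
            done
            [ "$ok" -eq 1 ] || echo "UNEXPECTED_SSH_ENTRY $entry"
        done
    elif [ -e "$h/.ssh" ]; then
        echo "SSH_NOT_A_DIRECTORY $h/.ssh"
    fi
}

# Audit every directory directly under the given base (e.g. /home).
audit_homes() {
    for home_dir in "$1"/*; do
        [ -d "$home_dir" ] || continue
        audit_home "$home_dir"
    done
}

# Run only when a base directory is passed: sh audit_homes.sh /home
if [ "$#" -gt 0 ]; then
    audit_homes "$1"
fi
```

A clean result only means these two signs are absent; as the reply notes, a capable intruder can hide them.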
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BBDEEDD2EB67D311A0240008C74B9345129C5B>