Re: [K12OSN] I got hacked.........

David L. Parsley (parsley@roanoke.edu)
Tue, 09 Apr 2002 10:02:26 -0400


Michael,

'Best practices' dictates that you format and reinstall the box. 
Back up important data and config files first, of course.

In my experience, trying to kick a hacker off a box once it has been 
rooted is risky at best.  I've done it _once_ successfully, and a couple 
of times unsuccessfully. ;-)

Have fun.

regards,
	David

Michael Cortes wrote:
> It would appear that someone used SSH to get into my system.  I decided to 
> install sshd and stop telnet'ing because of the security risk; as soon as I did 
> it, someone got in.
> 
> Anyhow, here is what I suspect so far:
> 
> 1. when they got in, they created the user "cgi"
> 2. they added "unset HISTFILE" and "unset HISTSAVE" to the root's 
> .bash_profile.  This caused root to not save the history, so I couldn't see 
> what was run as root.
> 3. logging is not happening.  I have checked my log files and the last entries 
> are about the time I first detected the break-in. 
> 
> So my questions are:
> 
> Did I do right by deleting the cgi user?  Was this user necessary?
> How do I turn logging back on?  I have no idea where to look.
> What is a good/quick way to tell which users have no password set?
> 
> Thank you,
> 
> Michael Cortes
> Fort LeBoeuf School District
> 34 East 9th Street
> PO Box 810
> Waterford PA 16411-0810
> 814.796.4795
> Fax1 814.796.3358
> Fax2 978-389-1258
> 
> 
> 
> _______________________________________________
> K12OSN mailing list
> K12OSN@redhat.com
> https://listman.redhat.com/mailman/listinfo/k12osn
> For more info see 


-- 
David L. Parsley
Network Administrator, Roanoke College
"If I have seen further it is by standing on ye shoulders of Giants."
--Isaac Newton
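A few triage checks for the questions raised in the thread, added here as an example (not code from either poster): accounts whose password field is empty, extra UID 0 accounts, and history-disabling lines in a profile. The functions read /etc/shadow-, /etc/passwd- and .bash_profile-style text on stdin, so they can be run on copies pulled off the box before it is wiped; the sample data below is constructed (names and hashes are made up) and assumes POSIX sh with awk and grep.

```shell
#!/bin/sh
# Accounts whose password field is completely empty: a login with no
# password at all. Locked fields ("*", "!", "!!") are not reported.
empty_password_users() {
  awk -F: '$2 == "" { print $1 }'
}

# Accounts other than root that carry UID 0 (a second root account is a
# classic leftover of a compromise).
extra_uid0_users() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Profile lines that switch command history off. The thread saw
# "unset HISTFILE" / "unset HISTSAVE"; HISTFILE=/dev/null and HISTSIZE=0
# are other common ways of getting the same effect.
history_tampering_lines() {
  grep -Ei '^[[:space:]]*(unset[[:space:]]+HIST(FILE|SAVE|SIZE)|(export[[:space:]]+)?HIST(FILE=/dev/null|SIZE=0))'
}

# Constructed sample data (not real files from the incident).
SAMPLE_SHADOW='root:$1$xxxxxxxx$hashplaceholder:11788:0:99999:7:::
bin:*:11788:0:99999:7:::
cgi::11789:0:99999:7:::
mcortes:$1$yyyyyyyy$hashplaceholder:11788:0:99999:7:::'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
cgi:x:0:0::/tmp:/bin/bash
mcortes:x:500:500::/home/mcortes:/bin/bash'
SAMPLE_PROFILE='# .bash_profile
PATH=$PATH:$HOME/bin
export PATH
unset HISTFILE
unset HISTSAVE'

echo "Accounts with an empty password field:"
printf '%s\n' "$SAMPLE_SHADOW" | empty_password_users
echo "Extra UID 0 accounts:"
printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_users
echo "History-disabling lines in the profile:"
printf '%s\n' "$SAMPLE_PROFILE" | history_tampering_lines
```

On the real box, run the same functions as root with `empty_password_users < /etc/shadow`, `extra_uid0_users < /etc/passwd` and `history_tampering_lines < /root/.bash_profile`.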