[ale] Compromised System

Nick Travis wormfishin at gmail.com
Tue Jan 11 11:48:56 EST 2005


We have a system at work that has been compromised.  It looks like
they got in and used several different executable files. I've got the
command history; however, I don't think it is complete.  For example, I
see that directories were created, but I never saw that they were
removed and I can't find them.  It looks like about 5 ftp sites were
hit and there were about 3 wget commands to pull down files.  Also,
apache was downloaded and installed, even though it was already
running on the system.  So here's my question: I know that rebuilding
the system is the only way to be sure that there is nothing else
hidden on it, but that's not an option at this point.  Are there any
good HowTos or books out there that can give me some direction on how
to check the system for irregularities?  This is the first time I've
dealt with this, so I would like to learn as much as I can about it.
I've already determined how they got in.  A user made their password
the same as their login name, which obviously is no longer allowed.
BTW, the system is running Red Hat 7.3.

Nick
