[ale] Compromised System
Nick Travis
wormfishin at gmail.com
Tue Jan 11 11:50:14 EST 2005
We have a system at work that has been compromised. It looks like
they got in and used several different executable files. I've got the
command history; however, I don't think it is complete. For example, I
see that directories were created, but I never saw that they were
removed and I can't find them. It looks like about 5 ftp sites were
hit and there were about 3 wget commands to pull down files. Also,
apache was downloaded and installed, even though it was already
running on the system. So here's my question: I know that rebuilding
the system is the only way to be sure that there is nothing else
hidden on it, but that's not an option at this point. Are there any
good HowTos or books out there that can give me some direction on how
to check the system for irregularities? This is the first time I've
dealt with this, so I would like to learn as much as I can about it.
I've already determined how they got in. A user made their password
the same as their login name, which obviously is no longer allowed.
BTW the system is running Red Hat 7.3.
Nick