[Wolves] help - think I've been hacked

Equ1n0x wolves at mailman.lug.org.uk
Thu Jul 17 11:43:00 2003


Hi Jayne.

Just got some bits from a server reference, may be of help.

---

Use chkrootkit.

ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

(#Change to root
su -
#Type the following
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
#Unpack the tarball using the command
tar xvzf chkrootkit.tar.gz
#Change to the directory it created
cd chkrootkit*
#Compile by typing
make sense
#To use chkrootkit, just type the command
./chkrootkit
#Everything it outputs should be 'not found' or 'not infected'...
#Now,
cd ..
#Then remove the .gz file
rm chkrootkit.tar.gz )

---

+ Locating Fingerprints +

Each of these users may have left behind records of their doings; these
histories will GREATLY aid you in determining what has been done to your
system. In my case, the hackers did not pass elementary school - and left
behind records of all of their modifications. Let's take a look:

find '/' -iname .bash_history

+ Search and Destroy +

Your next step here is to find suspicious shell users and groups. We will
scan through three files. But before we continue, PLEASE do NOT delete
(we're using less to view them, but we may have to vi them later) anything
out of these files without confirming they are indeed not supposed to be
there. There are some users that look funky, but they are supposed to be
there. That said, let's continue (as root):

less /etc/passwd

The first column represents users on the system. In my case, the hackers
created a few users: ADM1N, mysqi, vgodz, and noone. I'd recommend not
deleting anything out of these files without asking people here on the forum
if they also exist on their box.

Next:

less /etc/shadow

Looks similar to /etc/passwd. Again, look for suspicious users.

Next:

less /etc/group

---

The full post is @
http://forum.rackshack.net/showthread.php?s=&threadid=13172 if you want to
look further into this approach.

-- Patrick


This email is for the intended recipient only; it should be treated as
exclusively confidential and should not be disclosed for any reason. If you
receive this email by mistake do not disclose it in all or in part in any
form. Please inform admin@principalhosting.net. Reproduction of this
document in any way, shape, or form is prohibited.

Principal Hosting LTD. - http://www.principalhosting.net
We Make Server Management Easy! - http://www.ezsm.com
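Added example, not part of this thread or the quoted forum post: a POSIX sh helper that automates the /etc/passwd review step described above, run here over constructed sample data modelled on the account names mentioned in the post (the BASELINE list of expected interactive users is an assumption you would replace with your own).

```sh
#!/bin/sh
# Added triage helper (not from the original thread). Reads passwd-format
# lines on stdin and reports the two things the post tells you to look for:
#   UID0  - a second UID-0 account besides root (a backdoor superuser)
#   SHELL - an account with a real login shell that is not in your baseline
#           of expected interactive users (catches look-alikes such as
#           "mysqi" sitting next to the real "mysql")
# Returns 1 if anything was flagged, 0 if the input looked clean.

# Constructed sample data, modelled on the account names in the post.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:104:108:MySQL Server:/var/lib/mysql:/bin/false
jayne:x:1000:1000:Jayne:/home/jayne:/bin/bash
ADM1N:x:0:0::/tmp/.x:/bin/bash
mysqi:x:1001:1001::/var/tmp:/bin/sh'

# Hypothetical baseline: interactive accounts you know should exist.
BASELINE='root
jayne'

# audit_passwd BASELINE   (passwd lines on stdin)
audit_passwd() {
    baseline=$1
    found=0
    while IFS=: read -r name _ uid _ _ home shell; do
        [ -z "$name" ] && continue
        if [ "$uid" = 0 ] && [ "$name" != root ]; then
            echo "UID0 $name home=$home shell=$shell"
            found=1
            continue
        fi
        # System accounts without a usable shell are not interactive users.
        case $shell in
            */nologin|*/false|"") continue ;;
        esac
        if ! printf '%s\n' "$baseline" | grep -qxF -- "$name"; then
            echo "SHELL $name uid=$uid shell=$shell"
            found=1
        fi
    done
    return $found
}

# Demo on the sample; on a real box: audit_passwd "$BASELINE" < /etc/passwd
if ! printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd "$BASELINE"; then
    echo "review flagged entries before deleting anything"
fi
```

The same loop can be pointed at /etc/shadow (first field only) or /etc/group to cross-check that every flagged name appears consistently in all three files.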

----- Original Message -----
From: Jayne Heger
To: wolves@mailman.lug.org.uk
Sent: Thursday, July 17, 2003 10:17 AM
Subject: [Wolves] help - think I've been hacked



well, the subject line says it all.
But how do I determine this to be true, what steps should I take to make
100% sure I have been hacked, what should I check etc....
to be honest I'm a bit panicky and can't think straight ATM.

If anyone can help me I'd be grateful ;)

Jayne



_______________________________________________
Wolves mailing list
Wolves@mailman.lug.org.uk
http://mailman.lug.org.uk/mailman/listinfo/wolves

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

Email service provided by Principal Hosting LTD.
http://www.principalhosting.net

