[Wolves] Hacking attempt - what next

Alex Willmer alex at moreati.org.uk
Fri Dec 5 11:37:28 UTC 2008

On Fri, 2008-12-05 at 11:16 +0000, Wayne wrote:
> Hi Guys,
> I left the port for ssh open on my router for only six hours while I
> did some work from home (first time I've done it in three years)
> and logs show that some Russian signed in to a user account and may or
> may not have downloaded some stuff.

It is inconvenient, but I suggest you consider that machine
compromised. You cannot be sure of what this Russian did, so you must
assume he put in any number of back doors and root kits.

Don't try to clean it, a long painful game of whack-a-mole & doubt lies
that way. Boot it with a known-clean live cd. Retrieve any data or
configuration files. Then reinstall the entire machine.

There also may have been a key-logger running, so change all passwords
that could have been revealed.
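The logs Wayne mentions are the first thing to pin down before the reinstall. This is an added example, not part of the thread: it pulls every successful sshd login out of auth.log-style lines and flags those that did not come from a trusted network, so the full set of accounts and source addresses used is known before the machine is wiped and passwords are rotated. The log lines, the `192.168.` trusted prefix and the account names are constructed for the example.

```python
import re

# Constructed sample sshd log lines in syslog/auth.log format (year omitted,
# as sshd logs it). Only "Accepted" lines represent successful logins.
SAMPLE_LOG = """\
Dec  5 08:02:11 home sshd[1201]: Accepted publickey for wayne from 192.168.1.20 port 51022 ssh2
Dec  5 09:47:53 home sshd[1388]: Failed password for invalid user admin from 203.0.113.45 port 4022 ssh2
Dec  5 09:48:10 home sshd[1390]: Accepted password for wayne from 203.0.113.45 port 4031 ssh2
Dec  5 10:15:02 home sshd[1422]: Accepted password for backup from 198.51.100.7 port 3300 ssh2
"""

# Matches the sshd "Accepted <method> for <user> from <ip> port <n>" line.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def accepted_logins(log_text):
    """Return (timestamp, user, method, ip) for every successful sshd login."""
    logins = []
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            logins.append((m["ts"], m["user"], m["method"], m["ip"]))
    return logins


def suspicious_logins(log_text, trusted_prefixes=("192.168.",)):
    """Successful logins whose source address is outside the trusted networks.

    trusted_prefixes is an assumed allowlist of address prefixes (here the
    home LAN); anything else that logged in is evidence to preserve.
    """
    return [
        entry for entry in accepted_logins(log_text)
        if not entry[3].startswith(trusted_prefixes)
    ]


def compromised_accounts(log_text, trusted_prefixes=("192.168.",)):
    """Distinct account names used from untrusted sources: every one of
    these needs its password (and any key) replaced after the reinstall."""
    return sorted({user for _, user, _, _ in suspicious_logins(log_text, trusted_prefixes)})


if __name__ == "__main__":
    for ts, user, method, ip in suspicious_logins(SAMPLE_LOG):
        print(f"{ts}  {user:<8} via {method:<9} from {ip}")
    print("accounts to reset:", compromised_accounts(SAMPLE_LOG))
```

Run it against a copy of /var/log/auth.log taken from the live-CD boot (not from the running, possibly backdoored system), and keep the copy as evidence.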
