Re: tlug: The aftermath of having one's server hacked.
- To: tlug@example.com
- Subject: Re: tlug: The aftermath of having one's server hacked.
- From: Scott Stone <sstone@example.com>
- Date: Tue, 26 Jan 1999 19:14:42 -0700 (MST)
- Content-Type: TEXT/PLAIN; charset=US-ASCII
- In-Reply-To: <1294719343-74701174@example.com>
- Reply-To: tlug@example.com
- Sender: owner-tlug@example.com
On Wed, 27 Jan 1999, Dave Gutteridge wrote:

> I finally got to sit in front of my server machine last night and see what
> damage was done - some of you may have seen my posting before telling the
> tale that someone had hacked into my system and was trying to use my server
> machine as a starting point to hacking into machines in Germany.
> What this bastard (forgive the language, but I think you can understand my
> anger) has done is:
> 1. Change my root password. This makes it difficult to do any repairs. If
> anyone has a suggestion as to how I might reclaim superuser status, please
> inform me. At least I can still get access to the file system with my

'linux single' at the lilo prompt. Drops straight to a root shell.

> personal user account. I might be able to get more information on the
> hacker as superuser, because right now some of the log files are denied to me.
> 2. Rewritten hosts.deny to include ALL:ALL, and also, more interesting, has
> rewritten hosts.allow to include the following addresses:
> ALL:puskin-a67.sote.hu
> ALL:147.46.116.72
> ALL:dick.eng.isas.ac.jp
> I think that it's likely - if not obvious - that the hacker was coming in
> from one or all of those addresses. If someone can tell me how I might turn
> these addresses around into some e-mail addresses so I can inform them that
> someone at their site has been abusing their system, then that would also
> be greatly appreciated.

Whenever I find an ip addr in my kernel log that was trying some kind of
exploit, I try nslookup on it and on other IPs in its subnet. Once I have
the domain, I do a whois to get the technical contact for the domain, and I
email them. In this case, though, I'm sure that postmaster@example.com would
be interested in hearing about this.

--------------------------------------------------
Scott M. Stone <sstone@example.com>
Head of TurboLinux English / Systems Administrator
Pacific HiTech, Inc. (http://www.turbolinux.com)
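The hosts.allow change described in the thread can be checked for mechanically. The following is an added example, not part of the original message: a small Python audit that parses hosts_access(5) rules and lists every rule opening ALL wrapped services to a non-local client. The sample file reuses the three entries quoted above; the two local rules and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the three quoted entries plus two hypothetical local rules.
SAMPLE_HOSTS_ALLOW = """\
# /etc/hosts.allow
ALL:puskin-a67.sote.hu
ALL:147.46.116.72
ALL:dick.eng.isas.ac.jp
in.ftpd, in.telnetd: 192.168.1. \\
    LOCAL
ALL: 127.0.0.1
"""

WILDCARDS = {"LOCAL", "KNOWN", "UNKNOWN", "PARANOID"}

def parse_rules(text):
    """Return [(lineno, daemons, clients)] per hosts_access(5): '#' comments and
    backslash-newline continuation handled; bracketed IPv6 and EXCEPT are not."""
    rules, logical, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n                      # first physical line of the rule
        if raw.endswith("\\"):
            logical += raw[:-1] + " "
            continue
        fields = (logical + raw).strip().split(":")
        if len(fields) >= 2 and not fields[0].startswith("#"):
            daemons, clients = (re.split(r"[,\s]+", f.strip()) for f in fields[:2])
            rules.append((start, daemons, clients))
        logical, start = "", 0
    return rules

def is_internal(client):
    """True for wildcard keywords and loopback/private IPv4 addresses or prefixes."""
    if client in WILDCARDS:
        return True
    addr = client.split("/")[0]                 # drop a netmask if present
    if re.fullmatch(r"(\d+\.){1,3}", addr):     # prefix form such as '192.168.1.'
        addr += ".".join(["0"] * (4 - addr.count(".")))
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                            # hostname or domain pattern
    return ip.is_private or ip.is_loopback

def external_all_grants(text):
    """List (lineno, client) where every wrapped service is opened to an outside host."""
    return [(n, c) for n, daemons, clients in parse_rules(text)
            if "ALL" in daemons for c in clients if c and not is_internal(c)]
```

Running `external_all_grants` against a copy of hosts.allow taken from a known-good backup and against the live file shows which grants were introduced in between.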