On Thu, 8 Feb 2001, Markus Gaugusch wrote:
This 213.3.142.43 is a bluewin.ch dial-in. The one above which still has a connection open is one as well (probably the same guy). Contact the provider of this guy. Is there a trojan listening in my system? Could I find it somehow? I have backups of /bin/ps and /bin/ls, but they seem to be the same!
On Thu, 8 Feb 2001, Raffy wrote: Put the machine off the net, back up the hard disk and re-install. There is no other way. (And maybe sue the attacker if you can get him.)
DON'T re-install until you have tried every avenue to find out how he got in, or you might end up spending days configuring your machine again, in exactly the same way, and have him walk right back in after that. I just posted the CERT addresses dealing with this in response to another mail, but take a look at www.cert.org/tech_tips/root_compromise.html.

Unplug the box from the internet, and connect it to a safe machine. Use that one to portscan etc. Preferably a Linux machine with the same OS/version that you're sure has not been compromised. Put versions of every binary you want to use on a floppy or something, using binaries from the clean machine, because if this guy placed a rootkit on your system you can't trust anything anymore. If you want to check whether binaries were replaced, compare MD5 sums with known correct binaries.

Once you're pretty certain you've found the way he got in, THEN reinstall (don't try to clean up; you can't be sure you got everything).

Judging from your logs it looks like he attacked you through ssh. Are you running an older (i.e., vulnerable) version of OpenSSH, for example? That's how a host in our net was recently cracked.
Markus --
Good luck, Stefan
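The check Stefan describes (hash the suspect system's binaries and compare against a clean machine of the same OS/version) as an added example; this is not code from any message in the thread. It assumes a manifest of known-good hashes produced on the clean box, a suspect filesystem reachable at some root directory (e.g. the disk mounted read-only on the clean machine, which also sidesteps a kernel-level rootkit lying to userland), and an optional TRUSTED_BIN directory of tools copied from the clean machine. It uses SHA-256 rather than the MD5 the message mentions, since MD5 collisions are practical today; the verification logic is the same. The file contents below are constructed stand-ins for real binaries.

```shell
#!/bin/sh
# Verify binaries on a suspect filesystem against a manifest of known-good hashes.
# Added example for the thread above, not part of any message. Assumptions:
#   - the manifest was generated on a clean machine of the same OS/version
#     (otherwise legitimate package updates also show up as MODIFIED)
#   - hash tools come from trusted media (TRUSTED_BIN), never from the suspect disk
set -u

# Prefer tools from trusted media if the operator mounted some (hypothetical path).
TRUSTED_BIN="${TRUSTED_BIN:-}"
if [ -n "$TRUSTED_BIN" ]; then
    PATH="$TRUSTED_BIN:$PATH"
fi

# hash_file FILE -> prints the SHA-256 hex digest (sha256sum, else shasum -a 256)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_manifest ROOT REL... -> writes "hash  relative/path" lines (run on the clean box)
make_manifest() {
    root="$1"; shift
    for rel in "$@"; do
        printf '%s  %s\n' "$(hash_file "$root/$rel")" "$rel"
    done
}

# verify_manifest MANIFEST ROOT -> one line per entry: OK | MODIFIED | MISSING
# Exit status 0 only if every entry matches. Paths with spaces are not supported.
verify_manifest() {
    manifest="$1"; root="$2"; bad=0
    while read -r expected rel; do
        [ -z "$rel" ] && continue
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING  $rel"; bad=$((bad + 1))
        elif [ "$(hash_file "$root/$rel")" = "$expected" ]; then
            echo "OK       $rel"
        else
            echo "MODIFIED $rel"; bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# bad_count MANIFEST ROOT -> prints the number of entries that are not OK
bad_count() {
    verify_manifest "$1" "$2" | awk '!/^OK/ { n++ } END { print n + 0 }'
}

# demo -> builds a constructed clean tree and a suspect tree in which bin/ps was
# replaced and bin/netstat removed, prints the report, then prints the bad count.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/clean/bin" "$work/suspect/bin"
    # Constructed stand-ins for the real binaries.
    printf 'clean ps\n'      > "$work/clean/bin/ps"
    printf 'clean ls\n'      > "$work/clean/bin/ls"
    printf 'clean netstat\n' > "$work/clean/bin/netstat"
    cp "$work/clean/bin/ls" "$work/suspect/bin/ls"     # untouched
    printf 'trojaned ps\n'  > "$work/suspect/bin/ps"   # rootkit replaced this one
    # bin/netstat deliberately absent from the suspect tree -> MISSING
    make_manifest "$work/clean" bin/ps bin/ls bin/netstat > "$work/manifest"
    verify_manifest "$work/manifest" "$work/suspect" || true
    bad_count "$work/manifest" "$work/suspect"
    rm -rf "$work"
}

demo
```

On a real case you would run make_manifest on the clean machine for everything under /bin, /sbin, /usr/bin, /usr/sbin and /lib, copy the manifest and the hash tool to the clean machine's media, and point verify_manifest at the mount point of the suspect disk. A clean report does not prove the box is clean (a rootkit can add new files rather than replace old ones); a MODIFIED line on a file no package update touched is a strong signal.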