Mailinglist Archive: opensuse (3666 mails)

Re: [SLE] My server got hacked? Anyone seen this?
  • From: Adalberto Castelo <castelo@xxxxxxxxxxx>
  • Date: Fri, 11 Mar 2005 19:47:26 -0500
  • Message-id: <200503111947.36522.castelo@xxxxxxxxxxx>
On Friday 11 March 2005 01:57, Henry Tang wrote:
> What I need to know now is what else can I do to find how this person
> hacked into my system. I checked message logs and mail logs and I found
> the date and time the email was sent out, but I dunno if the log files
> got cleaned or not. What other logs can I look into?
>
> henry
>

I feel for you. Not being able to tell if you have been hacked, or how badly,
well, it really sucks. Some simple advice that may or may not be useful to
you:

First, try the suse-security list; you're more likely to get useful help
there on this topic.

Second, I hope you're emailing from some other machine, and the suspicious one
is offline. That is key. Get yourself a live CD (something up to date, less
likely to have vulnerabilities, e.g., Knoppix or something like it). Only
then can you go back online. Do all your forensics using the live CD; you
can't trust any binaries on your box anymore. Finally, even if you can't find
any traces of hacking, reinstall the system from scratch anyway. Just in
case.

Well, that's all I've got. Good luck!