On Wed, 23 Apr 2003 at 14:32, Istvan Hollo wrote:
I'm afraid I have to reinstall the machine, but before I do it I want to know what happened and how. If any of you has experience with this and could give good advice about what to do and how I can analyse who logged in, it would be appreciated.
For backups of data and things like that, you can boot from a CD and, in maintenance mode, copy things to another disk, or repair files that give you problems, so that you can comfortably back up what you have there. With that kind of access you could try to see what happened, but there are a lot of possibilities... Now that you mention Samba, in my LUG a user was hacked, and the main suspect is Samba: he didn't have it patched and had no firewall, so the latest Samba vulnerability could have been exploited (the intruder seems to have applied the patch to fix Samba, and then installed backdoors and things like that... but left everything logged in /root/.bash_history). That kind of thing could be what happened on your machine, but really clever guys don't leave that kind of trace. But I think the best thing is to reformat/reinstall the machine; you can't be sure what has been changed on your disk. About your users, be careful about what you back up and what you don't (i.e. passwords and mailboxes maybe yes; most dot files, scripts, shells, etc. maybe not).
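
Added example, not part of the original message: one way to apply the rule of thumb above (plain data such as mailboxes may be carried over; dot files, scripts and binaries should be inspected first) to a home directory mounted from rescue media. The specific checks and the function names are assumptions chosen for illustration, and the sample tree is constructed.

```python
import os
import stat
import tempfile

def reasons_to_review(path, rel):
    """Why a file needs inspection by hand before it is restored."""
    st = os.lstat(path)                      # lstat: never follow symlinks
    if not stat.S_ISREG(st.st_mode):         # symlink, device, FIFO, socket
        return ["not a regular file"]
    with open(path, "rb") as fh:
        head = fh.read(4)
    checks = [("dot file", any(p.startswith(".") for p in rel.split(os.sep))),
              ("setuid/setgid", st.st_mode & (stat.S_ISUID | stat.S_ISGID)),
              ("executable bit", st.st_mode & 0o111),
              ("script (shebang)", head.startswith(b"#!")),
              ("ELF binary", head == b"\x7fELF")]
    return [label for label, hit in checks if hit]

def triage_home(root):
    """Map each path under root to its review reasons ([] means plain data)."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.isdir(full) and not os.path.islink(full):
                continue                     # real directory, walked anyway
            rel = os.path.relpath(full, root)
            result[rel] = reasons_to_review(full, rel)
    return result

def build_sample(root):
    """Constructed sample tree standing in for one user's home directory."""
    files = {"Maildir/inbox": (b"From alice@example.org\n", 0o600),
             ".bashrc": (b"alias ll='ls -l'\n", 0o644),
             "bin/cleanup.sh": (b"#!/bin/sh\necho hi\n", 0o755),
             "tools/ls": (b"\x7fELF\x02\x01\x01", 0o644)}
    for rel, (data, mode) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for rel, why in sorted(triage_home(d).items()):
            print(rel, "->", ", ".join(why) or "plain data")
```

An empty reason list only means none of these checks fired; it does not show that the file's contents are unmodified.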