Hello Istvan, you can boot from your SuSE CD in rescue mode, mount your drives and then you should see what happened. cu mario
-----Original Message-----
From: Istvan Hollo [mailto:istvan.hollo@ija.hu]
Sent: Wednesday, April 23, 2003 7:32 PM
To: suse-security@suse.com
Subject: [suse-security] ver7.2 server was hacked - pls help
Hello Gurus,
On the weekend our web server (SuSE 7.2, kernel 2.4.4-4GB) was hacked by some very clever guys. They placed some programs which I cannot remove anymore and, which is even worse, the root password was also changed (I cannot start in single user mode, init 1, the password is wrong). A "sysadmin" user was created by the hacker and mtab was also changed.
When I try to log in and type the username and then Enter, the "password" prompt does not appear but the screen hangs. It means we cannot log in anymore. What is interesting is that this is also our mail server and we can send/receive mail, but via Samba it is not possible to connect to the shared drives.
I'm afraid I have to reinstall the machine, but before I do it I want to know what happened and how. If someone of you has experience with this and could give good advice about what to do and how I can analyse who logged in, it would be appreciated.
TIA, istvan
Istvan HOLLO
GlobalTech Hungary Informatikai Kft.
phone : +36 28 590 500
fax : +36 28 590 501
email : istvan.hollo@ija.hu
www : www.thegt.com www.ija.hu
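The rescue-CD approach Mario suggests, carried one step further as an added example that is not part of either post: mount the suspect root read-only from the rescue system, then run a few offline checks against the mounted tree for exactly the symptoms Istvan describes (an extra account, a changed mtab, replaced system binaries). The device name and mount point are assumptions, and the sample root the script builds is constructed data, not anything from the compromised server.

```sh
#!/bin/sh
# Added example (not from the thread): offline triage of a compromised root
# filesystem from a rescue CD. Device/mount paths are assumptions.

# Mount the suspect disk read-only, with nothing on it executable, so the
# analysis neither alters evidence (timestamps) nor runs attacker binaries.
# Needs root on the rescue system; not called below.
# Usage: mount_suspect_ro /dev/hda2 /mnt/suspect
mount_suspect_ro() {
    mkdir -p "$2"
    mount -o ro,noexec,nosuid,nodev,noatime "$1" "$2"
}

# Every account in the mounted /etc/passwd with UID 0.
# Any name other than "root" here is a backdoor account.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1/etc/passwd"
}

# Hand-created accounts get UIDs from 500 upward on SuSE 7.x; list them as
# name:uid:home:shell so an unexpected one (e.g. "sysadmin") stands out.
user_accounts() {
    awk -F: '$3 >= 500 && $1 != "nobody" { print $1 ":" $3 ":" $6 ":" $7 }' \
        "$1/etc/passwd"
}

# Mount points present in the on-disk mtab but absent from fstab were not
# mounted by the normal boot process.
mtab_not_in_fstab() {
    awk 'NR == FNR { if ($0 !~ /^#/ && NF >= 2) seen[$2] = 1; next }
         NF >= 2 && !($2 in seen) { print $2 }' "$1/etc/fstab" "$1/etc/mtab"
}

# Files in the system binary directories modified within the last N days.
# A fresh mtime on ls/ps/netstat/login on a box nobody updated means the
# binary was replaced.
recent_system_binaries() {
    for d in bin sbin usr/bin usr/sbin; do
        [ -d "$1/$d" ] && find "$1/$d" -type f -mtime "-$2"
    done
    return 0
}

# Constructed sample root standing in for the mounted disk, so the checks
# can be exercised without a real compromised drive. Prints its path.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/bin" "$root/sbin"
    cat > "$root/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
nobody:x:65534:65534:nobody:/var/lib/nobody:/bin/bash
istvan:x:500:100:Istvan:/home/istvan:/bin/bash
sysadmin:x:501:100::/var/tmp/.s:/bin/bash
toor:x:0:0::/:/bin/bash
EOF
    cat > "$root/etc/fstab" <<'EOF'
# constructed fstab
/dev/hda2  /      ext2  defaults  1 1
/dev/hda1  /boot  ext2  defaults  1 2
proc       /proc  proc  defaults  0 0
EOF
    cat > "$root/etc/mtab" <<'EOF'
/dev/hda2 / ext2 rw 0 0
/dev/hda1 /boot ext2 rw 0 0
proc /proc proc rw 0 0
/dev/loop0 /var/tmp/.m ext2 rw 0 0
EOF
    : > "$root/bin/ls"
    touch -t 200201010000 "$root/bin/ls"   # untouched since install
    : > "$root/bin/ps"                     # freshly replaced binary
    echo "$root"
}

# Stand-alone run against the constructed root:
# ROOT=$(make_sample_root)
# uid0_accounts "$ROOT"; user_accounts "$ROOT"
# mtab_not_in_fstab "$ROOT"; recent_system_binaries "$ROOT" 7
```

On a real disk, pass the mount point from mount_suspect_ro to the four check functions and also copy the mounted /var/log and the suspicious binaries off to clean media before reinstalling; with noatime and ro on the mount, reading them changes nothing on the evidence disk.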