On Thu, 6 Sep 2001 12:05:07 +0200 (CEST) Max Lindner wrote:

Hi out there... I've got a big problem... A few folders disappeared from my samba-dir (unfortunately they where the importantest i ever had :( ).

Well that's not the real problem. After this I've checked /var/log/messages and got the following:

Sep 5 22:18:21 monika sshd[2616]: Did not receive ident string from 62.225.211.70. Sep 5 22:18:23 monika sshd[2623]: Did not receive ident string from 62.225.211.70. Sep 5 22:18:26 monika in.ftpd[2615]: connect from 62.225.211.70 (62.225.211.70) Sep 5 22:18:26 monika in.telnetd[2617]: connect from 62.225.211.70 (62.225.211.70) Sep 5 22:18:26 monika in.fingerd[2618]: connect from 62.225.211.70 (62.225.211.70) Sep 5 22:18:26 monika popper[2619]: connect from 62.225.211.70 (62.225.211.70) Sep 5 22:18:26 monika popper[2619]: error: cannot execute /usr/sbin/popper: No such file or directory Sep 5 22:18:26 monika fingerd[2618]: getpeername: Transport endpoint is not connected Sep 5 22:18:26 monika ftpd[2615]: getpeername (in.ftpd): Transport endpoint is not connected Sep 5 22:18:31 monika in.ftpd[2622]: connect from 62.225.211.70 (62.225.211.70) Sep 5 22:18:33 monika in.telnetd[2624]: connect from 62.225.211.70 (62.225.211.70) Sep 5 22:18:34 monika telnetd[2624]: ttloop: peer died: EOF Sep 5 22:18:36 monika in.fingerd[2625]: connect from 62.225.211.70 (62.225.211.70) Sep 5 22:18:38 monika popper[2626]: connect from 62.225.211.70 (62.225.211.70) Sep 5 22:18:38 monika popper[2626]: error: cannot execute /usr/sbin/popper: No such file or directory

When I'm not wrong, this says that someone was very interested about my router.

That is what a standard tcp portscan will look like in logs..

Unfortunately there wasn't any firewall and no good protection (what was I stupid...)

I also looks like pop3 was misconfigured :-(

How can I see if he got in my system and deleted my folders? Can you say me, what signs indicate that he is already in my router. Is there a way to hide a programm from ps -axl?

Thanks for any help!

Max

--- I'm securing my system now...

You might want to check out http://www.susesecurity.com/faq/ If you think your system has been compromised, and you are not 100% sure you know more than every hacker out there you should rebuild your machine from clean media (CD/DVD) I would give that box up as a lesson, and learn how to configure a new one securely. Have a read through the FAQ, then post again with anymore questions you may have. We will help you. -- Viel Spaß Nix - nix@susesecurity.com http://www.susesecurity.com

Max Lindner wrote:

How can I see if he got in my system and deleted my folders? Can you say me, what signs indicate that he is already in my router. Is there a way to hide a programm from ps -axl?

Every rootkit will hide the cracker's activities - you can't trust ps, ls, top and others on your system any longer. If you want to detect a rootkit, try http://www.chkrootkit.org/ HTH Martin -- martin.peikert@innominate.com if you want to send mail to me, please encrypt - key info: http://blackhole.pca.dfn.de:11371/pks/lookup?op=index&search=0x7FF37EA8 key fingerprint: ABF9 ADC3 B761 5386 7F15 9C31 C2D0 844B 7FF3 7EA8