Re: [suse-security] Help: our system has been hacked...! (IMAPD-HACK)
Found the following links:

http://www.lh.umu.se/~bjorn/mhonarc-files/linux-security/msg00652.html
http://www.lh.umu.se/~bjorn/mhonarc-files/linux-security/msg01155.html
http://www.lh.umu.se/~bjorn/mhonarc-files/linux-security/msg01149.html

and there are even more articles on that site (Good luck)

Clemens

-----Original Message-----
From: Josef Frohn [mailto:frohn@sis-gmbh.com]
Sent: Monday, 26 July 1999 16:12
To: suse-security@suse.com
Subject: [suse-security] Help: our system has been hacked...!

Dear all,

I am using SuSE 5.2 with the corresponding security patches from the SuSE server. We have a valid IP, which means that our server is accessible from the Internet. The server acts as a gateway for a small company network.

Now it looks as if our system has been hacked. I had several imapd reports recently, and it ended up with the following sequence in my /var/log/messages:

----------------------------
Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1>
Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2>
Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3' from `pool051-max3.ds36-ca-us.dialup.<some-net>
Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
--------------------------

I checked the list of users with YaST and found the user "slovaka" and the user r00t (with root permissions!) as well. Besides that I can't see any further changes to the system.

How did slovaka/r00t enter my system? How can I find out what he did? His numerical uid was the same as my personal account's (500), so I can't use the id...

I deleted those accounts and forced all users to change their passwords. But whoever enters the system within seconds once will be able to do it a second time as well, so how can I close this hole? Nobody uses imap in our group. Wouldn't it be best to stop imapd? I find no entry in rc.config and I don't know how to remove it from the startup scripts (can I just remove the imp<#> lines from /etc/services?)

Any hint is appreciated!

Josef

BTW: I am using a different system to write this email....

--
Dr. J. Frohn - S.I.S. GmbH email: frohn@sis-gmbh.com
Kaiserstr. 100 http:\\www.sis-gmbh.com
52134 Herzogenrath - GERMANY
T +49 (0) 2407 96147 -- F +49 (0) 2407 96275

---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
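As an added example (not code from this thread or from SuSE), a small Python audit that applies the checks Josef's report calls for to constructed sample data: flag a second uid-0 account and duplicate uids in /etc/passwd, then pick the imapd connection, the `no shadow password` login and the su into a root alias out of /var/log/messages lines. The sample file contents, addresses and hostnames are assumptions.

```python
import re

# Constructed sample modelled on the /var/log/messages lines quoted in the post (addresses replaced).
SAMPLE_MESSAGES = """\
Jul 14 13:24:52 server imapd[1819]: connect from root@192.0.2.10
Jul 14 13:25:22 server in.telnetd[1820]: connect from 192.0.2.20
Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3' from `pool051.example.net
Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3
Jul 14 14:02:10 server su: (to root) josef on /dev/ttyp1
"""

# Constructed sample /etc/passwd: 'r00t' is a second uid-0 account and 'slovaka' reuses uid 500.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
josef:x:500:100:Josef:/home/josef:/bin/bash
slovaka:x:500:100::/home/slovaka:/bin/bash
r00t:x:0:0::/root:/bin/bash
"""
IMAP_CONNECT = re.compile(r"imapd\[\d+\]: connect from (\S+)")
NO_SHADOW = re.compile(r"login\[\d+\]: no shadow password for `(\w+)'")
SU_TO = re.compile(r"su: \(to (\w+)\) (\w+) on (\S+)")


def audit_passwd(passwd_text):
    """Return (uid-0 accounts other than root, {uid: names} for uids shared by several accounts)."""
    uid0, by_uid = [], {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # blank or malformed line
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            uid0.append(name)
        by_uid.setdefault(uid, []).append(name)
    shared = {uid: names for uid, names in by_uid.items() if len(names) > 1}
    return uid0, shared


def scan_messages(log_text, uid0_aliases):
    """Return (reason, line) pairs for the three events the post shows."""
    findings = []
    for line in log_text.splitlines():
        if IMAP_CONNECT.search(line):
            findings.append(("imapd connection", line))
        m = NO_SHADOW.search(line)
        if m:
            findings.append(("login for account without shadow entry: " + m.group(1), line))
        m = SU_TO.search(line)
        if m and m.group(1) in uid0_aliases:  # su into a root alias such as r00t, not plain root
            findings.append(("su to uid-0 alias " + m.group(1) + " by " + m.group(2), line))
    return findings
```

Run `audit_passwd` against the real /etc/passwd first and feed the extra uid-0 names it returns into `scan_messages`, so that a plain `su` to root by a known administrator is not reported.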