Mailinglist Archive: opensuse-security (636 mails)

RE: [suse-security] Incident
  • From: Stefan Suurmeijer <stefan@xxxxxxxxxxxx>
  • Date: Thu, 8 Feb 2001 11:53:06 +0100 (CET)
  • Message-id: <Pine.LNX.4.30.0102081138150.30457-100000@xxxxxxxxxxxxxxxxxxxx>
On Thu, 8 Feb 2001, Markus Gaugusch wrote:

> On Thu, 8 Feb 2001, Raffy wrote:
> > This 213.3.142.43 is a bluewin.ch dialin. The one above which still has a
> > connection open is one as well. (probably the same guy).
> contact the provider of this guy.
> > Is there a trojan listening in my system? Could I find it somehow? I have
> > backups of /bin/ps and /bin/ls but they seem to be the same!
> put the machine off the net, backup hard disk and re-install. There is
> no other way.
> (and maybe sue the attacker if you can get him)
>

DON'T!! re-install until you have tried every avenue to try and find out
how he got in, or you might end up spending days configuring your machine
again, in exactly the same way and have him walk right back in after that.
I just posted the CERT addresses dealing with this in response to another
mail, but take a look at www.cert.org/tech_tips/root_compromise.html.
Unplug the box from the internet, and connect it to a safe machine. Use
that one to portscan etc. Preferably a linux machine with the same
OS/Version that you're sure has not been compromised. Put versions of
every binary you want to use on a floppy or something using binaries from
the clean machine, because if this guy placed a root kit on your system
you can't trust anything anymore. If you want to check if binaries
were replaced, compare MD5 sums with known correct binaries. Once you're
pretty certain you've found the way he got in, THEN reinstall (don't try to clean
up, you can't be sure you got everything). Judging from your logs it looks
like he attacked you through ssh. Are you running an older (i.e.
vulnerable) version of openssh for example? That's how a host in our net
was recently cracked.


> Markus
> --

good luck,

Stefan
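
The procedure Stefan describes (trusted tools, compare hashes of the suspect binaries against known-good ones) as a worked example. This is an added illustration, not code from the mail or from SuSE: it builds a hash manifest from a tree taken from a clean install of the same OS/version and checks the suspect tree against it, reporting replaced, missing and planted files. The directory layout, file contents and the hypothetical rootkit are constructed for the demo. Two caveats a practitioner would add: run it from the clean machine with the suspect disk mounted read-only (a kernel-level rootkit on the running victim can lie to any userland tool, however clean), and prefer sha256sum over md5sum on a modern system; the script keeps md5sum to match the mail, and swapping the command is a one-word change.

```sh
#!/bin/sh
# Added example (not from the original mail): verify a suspect filesystem
# tree against a manifest of hashes taken from a trusted install.
set -eu

# Build a manifest ("hash  ./relative/path", sorted) from a trusted tree.
# Hash command kept as md5sum to follow the mail; sha256sum is the better
# choice today and is a drop-in replacement here.
build_manifest() {
    trusted="$1"
    ( cd "$trusted" && find . -type f -exec md5sum {} + ) | LC_ALL=C sort -k2
}

# Compare a suspect tree against a manifest. Prints one line per finding:
#   MODIFIED <path>  hash differs from the trusted copy (replaced binary)
#   MISSING  <path>  present on the clean install, gone on the suspect box
#   EXTRA    <path>  present on the suspect box, unknown to the manifest
verify_tree() {
    manifest="$1"
    suspect="$2"
    while read -r hash path; do
        if [ ! -f "$suspect/$path" ]; then
            echo "MISSING $path"
        elif [ "$(md5sum < "$suspect/$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "MODIFIED $path"
        fi
    done < "$manifest"
    # Planted files: anything on the suspect tree the manifest never listed.
    ( cd "$suspect" && find . -type f ) | LC_ALL=C sort | while read -r path; do
        awk -v p="$path" '$2 == p { found = 1 } END { exit !found }' "$manifest" \
            || echo "EXTRA $path"
    done
}

# Constructed demo (hypothetical data, not a real incident): a "clean" tree,
# and a "suspect" tree in which ls was replaced, ps deleted and a helper
# planted. netstat is untouched and must produce no finding.
run_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/clean/bin" "$work/suspect/bin"
    for f in ls ps netstat; do
        printf 'genuine %s from the clean install\n' "$f" > "$work/clean/bin/$f"
    done
    cp "$work/clean/bin/netstat" "$work/suspect/bin/netstat"
    printf 'trojaned ls (hypothetical rootkit)\n' > "$work/suspect/bin/ls"
    printf 'attacker helper (hypothetical)\n' > "$work/suspect/bin/.hidden"
    build_manifest "$work/clean" > "$work/manifest.md5"
    verify_tree "$work/manifest.md5" "$work/suspect"
    rm -rf "$work"
}

# On a real case: build_manifest from the clean box once, then point
# verify_tree at the read-only mounted suspect disk.
```

Expected findings from the demo are MODIFIED ./bin/ls, MISSING ./bin/ps and EXTRA ./bin/.hidden; nothing is reported for netstat. The manifest must come from the same package versions as the victim, otherwise every legitimately updated binary shows up as MODIFIED.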


