Re: Visited by a cracker
From: Godwin Stewart (bugtraqbonivet.net)
Date: Thu Jul 15 2004 - 03:40:56 CDT
On Wed, 14 Jul 2004 10:10:39 -0800, "Shay Wilson"
> I'm a little confused. There have been several suggestions to wipe the
> box and I'm not disagreeing, but there was no sign of any successful
> hack. The cracker was given a shell by the administrator. He paid for it
> (with a stolen credit card).
Whether the cracker was given a shell account by the administrator or
s/he gained access through the back door, malevolent activity was taking
place on this box. It wasn't /attempted/ malevolent activity (like the
ongoing Nimda and CodeRed attacks which show up in your Apache logs - thank
you very much, Micro$oft - but don't actually do any harm), it was *real*
malevolent activity: downloading malware, then compiling it and running it.
You CANNOT TRUST the ~/.bash_history and logs on a machine on which this has
been taking place.
G. Stewart. - gstewartspamcop.net
Please do not reply to the From: address in this mail. Your message will
go straight to /dev/null with all the "no such address" and "idiot is on
vacation" messages generated by posting to this list.