Re: Visited by a cracker

From: Godwin Stewart (bugtraqbonivet.net)
Date: Thu Jul 15 2004 - 03:40:56 CDT


On Wed, 14 Jul 2004 10:10:39 -0800, "Shay Wilson"
<Bryan_Wilsonlegis.state.ak.us> wrote:

> I'm a little confused. There have been several suggestions to wipe the
> box and I'm not disagreeing, but there was no sign of any successful
> hack. The cracker was given a shell by the administrator. He paid for it
> (with a stolen credit card).

Whether the cracker was given a shell account by the administrator or
s/he gained access through the back door, malevolent activity was taking
place on this box. It wasn't /attempted/ malevolent activity (like the
ongoing Nimda and CodeRed attacks which show up in your Apache logs - thank
you very much, Micro$oft - but don't actually do any harm), it was *real*
malevolent activity: downloading malware, then compiling it and running it.

You CANNOT TRUST the ~/.bash_history and logs on a machine on which this has
been taking place.

--
G. Stewart. - gstewartspamcop.net
Please do not reply to the From: address in this mail. Your message will
go straight to /dev/null with all the "no such address" and "idiot is on
vacation" messages generated by posting to this list.