If you care to track this individual down, you can take your system offline and go over the logs with a fine-toothed comb. If the attacker was experienced, he will have blown away /var/log/messages and /var/log/secure, but the thing most forget is .bash_history in the /root directory. That file is only updated AFTER the person logs out, so deleting it before you log out is useless. If that file is still intact, you will know exactly everything your hacker did.

Your best bet is to get another drive, reinstall and go about your business and really take the time to go through your other drive. With any luck you just may be able to find out who the individual was and where he/she came from. Then you get to pay them a visit with cousins Vinnie and Scheckie and Mister Baseball Bat.

Before your next install I suggest you read up on SSH and TCP Wrappers to start. Then I recommend Psionic's Log Check and Port Sentry, and also Tripwire. These are all invaluable tools that are absolutely necessary for the security of your server(s) and for your peace of mind.

Best of luck.

Brandon Wheaton
UNIX Systems Engineer
ValiCert, Inc.
1215 Terra Bella Ave.
Mountain View, CA 94043
650.567.5430

----
Computers are useless; they can only provide answers. ~Pablo Picasso
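Added example, not part of the original message: a read-only check of the three files the message names, run against the old drive mounted at a path passed as the first argument. The function names and the constructed sample tree used when no path is given are assumptions of this example.

```shell
#!/bin/sh
# Added example: report the state of the files the message names on a
# suspect drive. The mount point is supplied by the caller (assumption).

# Print the state of one file: missing, empty, symlink:<target>, present:<lines>.
artifact_state() {
    root=$1; rel=$2; target="$root/$rel"
    if [ -L "$target" ]; then
        # Checked first: a file linked to /dev/null would otherwise look "empty".
        echo "symlink:$(readlink "$target")"
    elif [ ! -e "$target" ]; then
        echo "missing"
    elif [ ! -s "$target" ]; then
        echo "empty"
    else
        echo "present:$(wc -l < "$target" | tr -d ' ')"
    fi
}

# Walk the three files from the message and print one line per file.
triage() {
    root=$1
    for rel in var/log/messages var/log/secure root/.bash_history; do
        printf '%-22s %s\n' "/$rel" "$(artifact_state "$root" "$rel")"
    done
}

# Constructed sample tree standing in for the mounted drive:
# a truncated messages log, no secure log, and a two-line history file.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/var/log" "$d/root"
    : > "$d/var/log/messages"
    printf 'ls -la\nwhoami\n' > "$d/root/.bash_history"
    echo "$d"
}

if [ -n "${1:-}" ]; then
    triage "$1"
else
    sample=$(make_sample); triage "$sample"; rm -rf "$sample"
fi
```

Mount the old drive read-only before pointing the script at it, so that reading the files does not change their timestamps.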