Re: [cobalt-users] HELP! Have I been hacked??
- Subject: Re: [cobalt-users] HELP! Have I been hacked??
- From: Rik Thomas <rikt@xxxxxxxxxxxx>
- Date: Mon Feb 26 06:24:02 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Mon, 26 Feb 2001, Cobalt Newbie wrote:
>
> I have a bad feeling I've been hacked (on a RAQ3), and now strange things
> show up when I type ps -aux. I don't recall seeing anything like the
> following entries before, but I HAVE just installed the Bind updates, etc.
> Any chance these are normal entries? If not, what next? (scraping the
> machine and starting over may not be feasible, but...)?
>
> Here's what I'm worried about in the ps output:
>
> root 16825 80.7 0.2 1088 364 ? R N 12:48 22:40 ./pscan 60.119 53
> root 23754 0.0 0.3 1100 388 ? S N 04:50 0:00 tail -f bindname.log
>
Yes, it appears you have been hacked. The only really proper way is to
try and detect where their files were placed and then back up data that
was unaffected. Then do a total wipe and reinstall from scratch, then
restore your clean data. Hopefully you have a backup from the night
before or something. A link that has been helpful to us, both for
recovering and preventing, is from CERT.
http://www.cert.org/nav/recovering.html
Good luck.
--
Rik Thomas CTO rikt@xxxxxxxxxxxx | I must desire, not to be
Delaware.Net, Inc. http://www.delaware.net | what I am not, but to be
P:302.736.5515 F:302.736.5945 ICQ:879956 | very truly what I really
$20 Domains!!! http://register.delaware.net | am.
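
A triage pass over `ps aux` output like the two lines quoted in this thread, added here as an example and not part of the original messages. The heuristics (root-owned, no controlling terminal, relative-path command, niced, high CPU) are illustrative assumptions for deciding what to inspect first, and the two ordinary lines in the sample are constructed for contrast.

```python
import re

# Constructed sample: the two lines quoted in the post, plus two ordinary
# lines invented here for contrast (not from the original machine).
SAMPLE_PS = """\
root 16825 80.7 0.2 1088 364 ? R N 12:48 22:40 ./pscan 60.119 53
root 23754 0.0 0.3 1100 388 ? S N 04:50 0:00 tail -f bindname.log
root 412 0.0 0.4 1324 520 ? S Feb25 0:03 /usr/sbin/sshd
admin 9931 0.0 0.9 2100 1180 pts/0 S 12:40 0:00 -bash
"""

# USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND. Older procps prints
# STAT with positional flags ("R N"), so STAT is matched lazily up to START.
PS_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<cpu>[\d.]+)\s+(?P<mem>[\d.]+)\s+"
    r"(?P<vsz>\d+)\s+(?P<rss>\d+)\s+(?P<tty>\S+)\s+(?P<stat>[A-Za-z<+ ]+?)\s+"
    r"(?P<start>\d{1,2}:\d{2}|[A-Z][a-z]{2}\s?\d{1,2}|\d{4})\s+"
    r"(?P<time>\d+:\d{2}(?::\d{2})?)\s+(?P<cmd>.+)$"
)

def triage(ps_text):
    """Return [(pid, [reasons])] for processes that merit a closer look."""
    findings = []
    for line in ps_text.splitlines():
        m = PS_LINE.match(line.strip())
        if not m:
            continue  # header row or a line in an unexpected format
        p = m.groupdict()
        argv0 = p["cmd"].split()[0]
        reasons = []
        if p["user"] == "root" and p["tty"] == "?":
            if argv0.startswith("./"):
                reasons.append("root process started from a relative path")
            if "N" in p["stat"] and not argv0.startswith("/"):
                reasons.append("niced and detached, not an absolute-path daemon")
        if float(p["cpu"]) >= 50.0:  # assumed threshold
            reasons.append("sustained high CPU")
        if reasons:
            findings.append((int(p["pid"]), reasons))
    return findings

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_PS):
        print(pid, "; ".join(reasons))
```

A flagged PID is a lead for locating the intruder's files before the wipe (its working directory and binary), not proof of compromise on its own.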