On Sun, 2005-04-03 at 08:19, Arthur Pemberton wrote: > Scot L. Harris wrote: > > > > >Bare metal re-install is the only real thing to do. I hope you had > >backups of your important data from a time before the suspected root kit > >was installed. > > > >Any idea on how they got in? phpnuke on the system? > > > > > > > I downloading Knoppix now so I can recover my maildirs. Most other stuff > should be up-to-date enough from my last install. I can't be 100% sure > that I was not comprised since my last backup. But I only really backup > text files (configs, mail, webpages, scripts, sql dumps). I don't think > I had phpnuke installed. I had PhpBB installed. But I disabled it since > I heard of the security prob in it awhile back. > Sounds like you are doing the right thing. The reason I asked about the phpnuke package is just like phpbb there are known security holes in those packages. > I only sign I had time find was that vsftpd's log file was missing.. > It's been awhile now attempts have been made to get in via ssh and > guessing login username/passwords, btu those attempts seemed to be just > bots , and were never even close. I guess when I mount the partion ro > I'll take a quick look a the logs. Make sure you change all passwords used, don't re-use any passwords from the old system, permanently retire any that you used on that system. Review all packages you install and check all services made available over the network. Any possibility this was done by someone that was given access to the system? You may want to check various user accounts you have granted on the system to see if there is anything suspicious there. -- Scot L. Harris webid@xxxxxxxxxx HELP! MY TYPEWRITER IS BROKEN! -- E. E. CUMMINGS
