Re: Security basics

> Jonathan.
>
> ps. You did erase and reinstall your system after it was compromised, right?
>

This is certainly prudent advice.  A good hacker will quickly get a
few back doors installed in case you shut down their initial point of
access (SSH).  They may have created their own user account as well.
You should check the following (and more no doubt), especially if you
are considering not wiping and re-installing a fresh system to ensure
it is clean.  At least this will allow you to exercise some due
diligence.

And you should do these checks from a bootable CD as well as some from
the actual booted OS if necessary.

Examine the .bash_history file for your user and root.  See if the
person tried to su to root from your username.

What other commands did they execute?  (cp, scp, ftp, wget, useradd,
chmod, chown, path, and many other commands should be cause for
alarm.)

Check the /var/secure file for failures and successes in su'ing to
root as well as ssh to root.

Check your path (can't just use the echo $PATH command from a bootable CD).

Check for aliases.

A hacker who cannot compromise the root account can still substitute
some of your favorite commands with hacked commands and then modify
your path or set up an alias so that their command gets executed
before the real one.

Check the .bashrc file for anything suspicious.

Examine your /etc/passwd file for any new user accounts.

Check iptables, /etc/hosts.allow and /etc/hosts.deny.


Some of the members on the list will no doubt suggest other things to check.
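
The history, startup-file and account checks listed in the message above, sketched as a read-only script run against the suspect filesystem mounted from rescue media. This is an added example, not part of the original post; the function names, the match patterns and the sample tree built by `make_fixture` are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: read-only triage of a suspect root filesystem mounted from rescue media.
# Function names, patterns and the sample tree are assumptions, not from the post.

uid0_accounts() {        # $1 = mounted root; accounts other than root with UID 0
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/etc/passwd"
}

login_accounts() {       # $1 = mounted root; accounts that still have a login shell
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 }' "$1/etc/passwd"
}

suspicious_history() {   # $1 = history file; commands the post calls cause for alarm
    grep -nE '(^|[;&|[:space:]])(su|cp|scp|ftp|wget|useradd|chmod|chown)([[:space:]]|$)' "$1"
}

path_and_aliases() {     # $1 = startup file; PATH changes and alias definitions
    grep -nE '^[[:space:]]*(alias[[:space:]]|(export[[:space:]]+)?PATH=)' "$1"
}

audit_root() {           # $1 = mounted root; runs every check over /root and /home/*
    echo "== extra UID 0 accounts"; uid0_accounts "$1"
    echo "== accounts with a login shell"; login_accounts "$1"
    for home in "$1/root" "$1"/home/*; do
        [ -f "$home/.bash_history" ] && { echo "== $home/.bash_history"
            suspicious_history "$home/.bash_history" || true; }
        [ -f "$home/.bashrc" ] && { echo "== $home/.bashrc"
            path_and_aliases "$home/.bashrc" || true; }
    done
    return 0
}

make_fixture() {         # builds a constructed sample tree and prints its path
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/home/alice"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:2:2::/sbin:/sbin/nologin' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'sysd:x:0:0::/var/tmp:/bin/bash' > "$d/etc/passwd"
    printf '%s\n' 'ls -l' 'wget http://example.invalid/x.tgz' 'su -' \
        > "$d/home/alice/.bash_history"
    printf '%s\n' 'export PATH=/home/alice/.cache/bin:$PATH' \
        "alias ls='/tmp/.x/ls'" '# comment' > "$d/home/alice/.bashrc"
    echo "$d"
}

audit_root "${1:-$(make_fixture)}"
```

Pass the mount point of the suspect filesystem as the first argument; with no argument the script runs over the constructed sample tree.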

