Date:      Tue, 22 Sep 1998 15:42:30 -0500
From:      "Jeffrey J. Mountin" <jeff-ml@mountin.net>
To:        Ping Mai <ping@stepnet.com>, freebsd-isp@FreeBSD.ORG
Subject:   Re: HELP: hacked by John the Ripper
Message-ID:  <3.0.3.32.19980922154230.00702db4@207.227.119.2>
In-Reply-To: <199809221554.IAA02712@pushkar.stepnet.com>

At 08:54 AM 9/22/98 -0700, Ping Mai wrote:
>It seems my system has been hacked.  The hacker altered the DNS tables and
>left a passwd cracker in /bin.  There were DNS db files that were invisible
>to "/bin/ls", but they show up from "od" dump of the directory.  Can someone
>help me to find out how he got in initially?  What should I do at this point?
>Should I wipe the disk on this system?

I'd take the server offline and replace the drive the OS is on.  This would allow you to check out the hack in detail, so you can then work on a solution, and you have evidence.  Good idea to send a message to CERT as well as possibly contacting the FBI, if it means enough to you.

Otherwise wipe the disk and reinstall.  If you have more than one disk, make sure that there are no other surprises waiting and screen what you save.


Jeff Mountin - Unix Systems TCP/IP networking
jeff@mountin.net
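A defender's check for the symptom Ping describes above (directory entries that show up in a raw dump of the directory but not in the output of /bin/ls). This is an added example, not code from the thread; it assumes Python 3 and an `ls` binary at /bin/ls on the host being examined, and the sample names in the comments are constructed.

```python
"""Cross-check a directory against a possibly trojaned /bin/ls.

Reads the directory straight from the kernel with os.scandir() (a
getdents() call, the same data an `od` dump of the directory exposes)
and compares that with what the installed `ls -a` reports. Any name the
kernel returns but ls omits is a sign that ls itself has been replaced.
"""
import subprocess
import sys
from os import scandir
from typing import Iterable, Set


def raw_listing(path: str) -> Set[str]:
    """Entry names via the kernel, bypassing the ls binary entirely."""
    with scandir(path) as it:
        return {entry.name for entry in it}


def ls_listing(path: str, ls_binary: str = "/bin/ls") -> Set[str]:
    """Entry names as reported by the installed ls (the distrusted tool)."""
    out = subprocess.run([ls_binary, "-a", "--", path],
                         capture_output=True, text=True, check=True).stdout
    # ls -a prints '.' and '..', which os.scandir() never yields; drop them
    return {n for n in out.splitlines() if n not in (".", "..")}


def hidden_entries(raw: Iterable[str], seen_by_ls: Iterable[str]) -> Set[str]:
    """Names present in the raw listing but missing from ls output.

    Constructed example: raw = {named.conf, db.example, db.hidden} and
    ls output = {named.conf, db.example} yields {db.hidden}.
    """
    return set(raw) - set(seen_by_ls)


def audit(path: str) -> Set[str]:
    """Run both listings on a live directory and report the discrepancy."""
    return hidden_entries(raw_listing(path), ls_listing(path))


if __name__ == "__main__":
    # Usage: python3 lscheck.py /etc/namedb /bin   (paths are assumptions)
    for directory in sys.argv[1:]:
        hidden = audit(directory)
        status = "HIDDEN FROM ls: " + ", ".join(sorted(hidden)) if hidden else "consistent"
        print(f"{directory}: {status}")
```

Run it from a known-good boot medium (or after copying a trusted `ls` onto the box) and pass that binary as `ls_binary` if /bin/ls is the suspect; a trojaned ls can hide names from this check only if the kernel itself has been modified.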
