Questions... The Intruder...
Notes:
The first thing they noticed out of place was some unusual NNTP activity. The system does not provide news service, and they had been unaware that INN was running!
Lesson: Always know what services are running on your system. If you don't know, either find out or turn it off!
This had been noted weeks before trouble began.
They later noticed that /bin/false had been changed to a directory containing numerous system programs. This usually indicates the presence of a rootkit on the system.
After they corrected the obvious problems and upgraded the system programs, the hacker returned and changed the root password on them.
Other than loss of root access, normal operation seemed unaffected.
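
The two checks these notes point to, as an added example that is not part of the original notes: compare listening TCP ports against the services the host is meant to run, and confirm that system binaries such as /bin/false are still regular files. The allowed ports (22 and 25), the function names and the sample `ss` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit listeners against an allowlist and check that
# system binaries have not been replaced by something else.

# Assumption: this host is only meant to serve SSH (22) and SMTP (25).
ALLOWED_PORTS="22 25"

# Constructed sample of `ss -H -ltn` output; port 119 is NNTP.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 5 0.0.0.0:119 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Reads `ss -H -ltn` lines on stdin and prints, once each, every
# listening port that is not in the space-separated allowlist in $1.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            # Field 4 is the local address, e.g. 0.0.0.0:119 or [::]:119
            port = $4
            sub(/.*:/, "", port)
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
        }'
}

# Prints each given path that is missing or is not a regular file.
# A binary that has become a directory, as /bin/false did here, is reported.
# Symlinks to regular files pass, since [ -f ] follows them.
not_regular_files() {
    for p in "$@"; do
        [ -f "$p" ] || printf '%s\n' "$p"
    done
}

# Demo on the constructed sample. On a live Linux host, use instead:
#   ss -H -ltn | unexpected_listeners "$ALLOWED_PORTS"
#   not_regular_files /bin/false /bin/true /bin/login
printf '%s\n' "$SAMPLE" | unexpected_listeners "$ALLOWED_PORTS"
```

Any port this reports should be traced to the process that owns it and either added to the allowlist deliberately or shut down.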