[plug] Compromised
Bernard Blackham
dagobah at mad.scientist.com
Sat Sep 30 23:50:21 WST 2000
Hmmm, pull the network card on it? or the modem? if that's plausible.
How's your firewall?
Change root password. If they're logged in as a shell, type w to see who
exactly is logged on. It should give you something like (this is from
mine):
USER     TTY      FROM     LOGIN@   IDLE    JCPU   PCPU  WHAT
root     tty1     -        12:26pm  11:08m  0.06s  0.06s bash
bernard  tty2     -        12:27pm  11:07m  7:26   0.04s bash
bernard  pts/0    :0.0     11:30pm  10.00s  0.17s  0.17s pine
bernard  pts/1    :0.0     9:49pm   49:52   0.07s  ?     -
bernard  pts/2    :0.0     10:50pm  0.00s   0.09s  0.03s w
bernard  pts/3    :0.0     11:15pm  25:38   0.07s  0.01s vi invite
If there's anybody there that shouldn't be, find & kill them, for
example if it was the last one on that list, type
ps ax | grep pts/3
to give:
14880 pts/3 S 0:00 -bash
14907 pts/3 S 0:00 vi invite
and then type kill 14880 and kill 14907 and anything. This is how I would
do it from what I know (which isn't much). There are probably better and
quicker ways. If it's a login shell they've gained then it'll stop them.
Make sure you've changed the root password, and perhaps any others. Your
firewall should really have the telnet port blocked, and most of
everything. Supposedly you can run a server with the only port open being
ssh (Secure Shell) if you really need it.
As to see what they've done, perhaps browse through the .bash_history file
in /root/ if it's there. Anything more advanced is out of my league,
unless you have tripwire or something similar installed.
Hope this helps,
Bernard.
--
Bernard Blackham
dagobah at mad.scientist.com
On Sat, 30 Sep 2000, Oliver White wrote:
> Hi folks... I hope some of you are up late. I have a feeling some script
> kiddy has root on my box.
>
> Can anyone suggest what action I should take right now?
>
>
>
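The "look at w, then look at the processes on that tty" check from the reply above, as an added example that is not part of the original thread. It parses `w -h` output (a constructed sample with the same columns as Bernard's table, plus one hypothetical remote login), flags sessions whose user is not on an assumed expected-user list or whose FROM field is a remote host, and uses `ps -t` to list that tty's processes instead of `ps ax | grep pts/N`, which also matches the grep itself.

```shell
#!/bin/sh
# Added example, not from the original post. Flags unexpected login
# sessions in `w -h` output so the processes on that tty can be reviewed.

# Users expected to have interactive sessions on this host (assumption).
EXPECTED_USERS="root bernard"

# Constructed `w -h` output (same columns as the post's table); the last
# line is a hypothetical remote login that should be flagged.
SAMPLE_W='root     tty1     -            12:26pm 11:08m  0.06s  0.06s bash
bernard  tty2     -            12:27pm 11:07m  7:26   0.04s bash
bernard  pts/0    :0.0         11:30pm 10.00s  0.17s  0.17s pine
guest    pts/3    203.0.113.7  11:15pm 25:38   0.07s  0.01s vi invite'

# Print "user tty from" for each session whose user is not expected, or
# whose FROM field is neither "-" (console) nor a local X display (":0.0").
suspicious_sessions() {
    printf '%s\n' "$1" | awk -v allowed="$EXPECTED_USERS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            remote = ($3 != "-" && $3 !~ /^:[0-9]/)
            if (!($1 in ok) || remote) print $1, $2, $3
        }'
}

# List every process attached to a tty (e.g. pts/3) without a self-matching
# grep; review this output before deciding what to kill.
processes_on_tty() {
    ps -o pid=,user=,tty=,args= -t "$1" 2>/dev/null
}

# Run against the live system with --live, otherwise against the sample.
if [ "${1:-}" = "--live" ]; then
    suspicious_sessions "$(w -h)"
else
    suspicious_sessions "$SAMPLE_W"
fi
```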