Burn the logs, /etc and /tmp to a CD also. You can always go back through them. However, I got a call from the FBI about 2 months ago asking for the logs from one of my old machines. Someone apparently got busted with a list of IPs that he had compromised and one was mine from my old DSL line. It was the ADMROCKS exploit. I caught it within an hour of the compromise and I fixed it right away. Anyway, they were going to prosecute the guy and they wanted as much evidence as possible. Apparently, he was setting up a huge DDoS network.

I learned a very important thing from this though: chroot everything you can, especially BIND. Stock Linux installs are pathetically insecure also. A default Mandrake install has about 15 TCP ports hanging open, and Red Hat is not any better.

Jay

> -----Original Message-----
> From: sos at zjod.net [mailto:sos at zjod.net]
> Sent: Thursday, December 14, 2000 12:51 AM
> To: tclug-list at lists.real-time.com
> Subject: Re: [TCLUG] Could Someone tell me what might be happening here.
>
> Joseph Johnson wrote:
> >
> > > Yeah... you've been hacked.
> >
> > Ok, so I wipe the drive and re-install; how do I prevent it from happening again?
> > Or if I leave it up, can I catch whoever is messing around or at least figure out why?
> >
> > Joseph
>
> Trying to catch these script-kiddies is a waste of time. Chances are they're using your box from _another_ hacked box... not directly from where they live. Since your original hack-daemon is controlled by a box in Jordan, who are you gonna call if you _do_ catch 'em? In the US, unless you've suffered $10,000 in damages, the FBI's "National Infrastructure Protection Center Squad" doesn't want to talk to you, while your state and local police probably can't even spell Linux.
>
> About your only _secure_ option is to re-install from square-one (remembering to also add security updates provided by your Linux distributor).
>
> To prevent a hacker reinfestation, if your Linux distribution contains an automatically configured firewall, install it. If not, get one (I recommend PMFirewall for newbies, see http://www.pointman.org).
>
> In addition to a firewall, consider obtaining and using:
> - tcp-wrappers
> - ip-logging
> - shadow logging of system logs
> - tripwire
> - periodic backups to removable media
> - install ssh to replace rcp & telnet
> - turning off services you don't need (like rcp, telnet, ftp, ...)
>
> and if you're still not scared away from Linux, have no life, and like to read, consider obtaining (at a list price of $48.99) and reading "Linux System Security" by Scott Mann and Ellen L. Mitchell (ISBN 0-13-15807-0, 2000, Prentice-Hall).
>
> Hope this helps'idly,
>
> -S
> _______________________________________________
> tclug-list mailing list
> tclug-list at lists.real-time.com
> https://mailman.real-time.com/mailman/listinfo/tclug-list
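Both posts come back to the same point: a stock install leaves a pile of TCP ports listening, and the fix is to turn off the services you don't need. The script below is an added example, not from the thread or from any of the posters: a POSIX shell audit that takes `netstat -ltn` / `ss -ltn` style output, compares every listening port against an allow list you decide on, and reports what is exposed. The listing embedded in it is constructed sample data (a plausible year-2000 default install: ftp, telnet, rlogin, rsh, portmap, DNS, ssh, plus a loopback-only mailer), and the port-to-service table is the usual IANA assignment, not anything read off a real host.

```shell
#!/bin/sh
# Constructed sample of `netstat -ltn` output (not captured from any real machine).
SAMPLE_LISTENERS='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

# Well-known port -> service name (standard assignments; anything else is "unknown").
service_name() {
    case "$1" in
        21)  echo ftp ;;
        22)  echo ssh ;;
        23)  echo telnet ;;
        25)  echo smtp ;;
        53)  echo dns ;;
        111) echo portmap ;;
        513) echo rlogin ;;
        514) echo rsh ;;
        *)   echo unknown ;;
    esac
}

# audit_listeners LISTING "PORT PORT ..."
# Prints "port service bind-address" for every LISTEN socket whose port is not
# in the space-separated allow list. Works on netstat and ss output alike: it
# takes the first addr:port token on each LISTEN line, which is the local side
# in both formats. Loopback-only sockets are tagged, since they are not
# reachable from the network and usually deserve a lower priority.
audit_listeners() {
    listing=$1
    allowed=" $2 "
    printf '%s\n' "$listing" \
      | awk '/LISTEN/ { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9.:*]+:[0-9]+$/) { print $i; break } }' \
      | while IFS= read -r sock; do
            port=${sock##*:}
            addr=${sock%:*}
            case "$allowed" in
                *" $port "*) continue ;;   # explicitly permitted, skip it
            esac
            tag=""
            if [ "$addr" = "127.0.0.1" ]; then
                tag=" (local only)"
            fi
            printf '%s %s %s%s\n' "$port" "$(service_name "$port")" "$addr" "$tag"
        done
}

# count_exposed LISTING "PORT PORT ..."
# Number of unexpected listeners that are reachable from the network
# (everything audit_listeners flags except loopback-only sockets).
count_exposed() {
    audit_listeners "$1" "$2" | awk '!/\(local only\)/ { n++ } END { print n + 0 }'
}

# Stand-alone run: on a live host replace the sample with "$(netstat -ltn)" or "$(ss -ltn)".
if [ "${1:-}" = "--demo" ]; then
    echo "Listening ports not on the allow list (ssh, dns):"
    audit_listeners "$SAMPLE_LISTENERS" "22 53"
    echo "Exposed to the network: $(count_exposed "$SAMPLE_LISTENERS" "22 53")"
fi
```

Run it with `--demo` to see the sample audit; the allow list is the only policy input, so the useful habit is to keep it short and treat every line of output as a service to disable, wrap with tcp-wrappers, or block at the firewall, in that order of preference. The `awk` field match is deliberately loose so the same function can be fed either `netstat -ltn` or `ss -ltn` without editing.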