
I was hacked, need some help.

Status
Not open for further replies.

Albion

IS-IT--Management
Aug 8, 2000
517
US
I am running

Linux 2.2.18
WU-FTPD 2.6.0 port 20 & 21
Apache 1.3.3 port 80
SSHD2 2.2.0 port 22
Sendmail 8.9.3 port 25

My firewall blocks all other ports below 1024.

I was able to find the hacker because a cron log showed a failure on a directory named "./.. /.dir". After looking a little deeper I found that the hacker had installed sshd and a sniffer. The hacker had also removed /var/log/messages, added entries to /etc/rc.d/rc.system and added an entry to /etc/inetd.conf. I found an ftp connection in /var/log/secure from a person at home.com and a stale FTP session from the same address in netstat, but the only way I can link the two is by the dates and times, which were around the same time as the timestamps on the programs and edits the hacker left.

Is there anything I can look at to find who this person is or where they came from?

Should I block any ports above 1024 on my firewall? If so which do I need to leave open?

Is there anything I should upgrade in the software I am running on open ports?

Please don't hammer me with flames because I am trying to learn here. A little help would be appreciated.

thanks.

-cm
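The only link between the FTP session and the intrusion is timing, so the check worth automating is the one done by hand above: parse the remote-connection lines out of /var/log/secure, and list which sources connected in the window just before each planted file or edited config was last modified. The script below is an added example and not code from the original post; the log lines, hostnames, addresses and file mtimes are constructed, and the year is assumed to be 2000 because syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure (tcp_wrappers and sshd2 style lines).
# Hosts and addresses are invented for the example, not taken from the post.
SECURE_LOG = """\
Aug  5 01:02:11 web in.ftpd[2231]: connect from 192.0.2.55
Aug  5 02:40:10 web sshd2[2419]: connection from "198.51.100.7"
Aug  5 03:14:07 web in.ftpd[2412]: connect from cx-00-00.example.home.com
Aug  6 09:41:02 web in.ftpd[3105]: connect from 192.0.2.55
"""

# Constructed mtimes of the artifacts found on the box, standing in for what
# `ls -l --full-time` or `stat` would report. The year is an assumption.
ARTIFACTS = {
    "/usr/local/sbin/sshd (rogue copy)": datetime(2000, 8, 5, 3, 21, 45),
    "/etc/inetd.conf": datetime(2000, 8, 5, 3, 24, 2),
    "/etc/rc.d/rc.system": datetime(2000, 8, 5, 3, 25, 19),
}

# syslog line: "Mon dd HH:MM:SS host prog[pid]: message"
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Both "connect from X" (tcp_wrappers) and 'connection from "X"' (sshd2).
FROM_RE = re.compile(r"(?:connect|connection) from \"?(?P<src>[^\s\"]+)\"?")


def parse_secure(text, year):
    """Return (timestamp, program, source) for every line recording a remote connection."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        src = FROM_RE.search(m["msg"])
        if src:
            events.append((ts, m["prog"], src["src"]))
    return events


def correlate(events, artifacts, window=timedelta(minutes=30)):
    """For each artifact, list the connections made within `window` before its mtime."""
    hits = {}
    for path, mtime in artifacts.items():
        hits[path] = [(ts, prog, src) for ts, prog, src in events
                      if mtime - window <= ts <= mtime]
    return hits


def suspect_sources(hits):
    """Sources that precede every artifact: the strongest candidates to report."""
    per_artifact = [{src for _, _, src in v} for v in hits.values()]
    return set.intersection(*per_artifact) if per_artifact else set()


if __name__ == "__main__":
    found = correlate(parse_secure(SECURE_LOG, 2000), ARTIFACTS)
    for path, conns in found.items():
        print(path)
        for ts, prog, src in conns:
            print(f"  {ts}  {prog:<8} {src}")
    print("candidates:", sorted(suspect_sources(found)))
```

Run it against the real /var/log/secure and the mtimes from `stat`, widening the window if the attacker was idle between logging in and dropping files. Because /var/log/messages was deleted, treat the remaining log as incomplete: the mtimes themselves can also have been altered, so the ctime from `stat` is the more trustworthy of the two for this correlation.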
 
Hi Albion,
If you have the IP address of the hacker and the exact times when he was there, then you can go to RIPE (there is a database showing which provider is behind this address). Usually there is an email address of the responsible administrator. With your information and their logfiles they can find this guy. Usually they cannot give his name to you, but most serious ISPs will check this fact and if it is proven they will close that account.
But nevertheless, breaking into a computer is illegal. You should think about reporting this to the police (it depends on the country where the hacker and you are living).

Your second question: Close all ports which you are not using. That depends on your applications.

Last Tip: Find the security hole, close it and post it here to help other system administrators.

hnd
hasso55@yahoo.com
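"Close all ports which you are not using" starts with knowing what is actually listening, and on a box where a second sshd was planted the listener list is also the quickest way to spot it. The script below is an added example, not code from either poster: it parses `netstat -an` output in the Linux 2.2 layout, compares the listeners against the services the first post says the host should run, and reports both the extra listeners to shut down and the expected ones that are absent. The netstat output, addresses and the extra listeners are constructed for the example.

```python
import re

# What the host is supposed to serve, from the original post:
# ftp data/control, ssh, smtp, http.
EXPECTED_LISTENERS = {("tcp", 20), ("tcp", 21), ("tcp", 22),
                      ("tcp", 25), ("tcp", 80)}

# Constructed `netstat -an` output (Linux 2.2 netstat format). The 2222 and
# 111 listeners and the addresses are invented for the example.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 198.51.100.2:21         192.0.2.55:3307         ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
"""

# proto recv-q send-q local remote [state]; udp lines carry no state column
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>\S+))?"
)


def listeners(netstat_text):
    """Return the set of (proto, port) sockets accepting connections."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        port = int(m["local"].rsplit(":", 1)[1])
        if m["proto"] == "tcp" and m["state"] == "LISTEN":
            found.add(("tcp", port))
        elif m["proto"] == "udp" and m["remote"] == "0.0.0.0:*":
            # an unconnected UDP socket is, in effect, a listener
            found.add(("udp", port))
    return found


def audit(found, expected):
    """Split listeners into the ones to close and the expected ones not present."""
    return found - expected, expected - found


def high_port_listeners(found, boundary=1024):
    """Listeners above the firewall boundary the post asks about."""
    return {lp for lp in found if lp[1] > boundary}


if __name__ == "__main__":
    found = listeners(NETSTAT_OUTPUT)
    unexpected, missing = audit(found, EXPECTED_LISTENERS)
    print("unexpected listeners:", sorted(unexpected))
    print("expected but absent: ", sorted(missing))
    print("above 1024:          ", sorted(high_port_listeners(found)))
```

Two points when reading the result. Port 20 shows up as "absent" even on a healthy wu-ftpd host: in active mode it is the source port of data connections the server opens outbound, not a socket that listens, so a firewall rule for it is about outbound traffic rather than an inbound allow. And an unexpected listener is only a lead; `netstat -p` (or `lsof -i`) ties the socket to a process, which is what tells you whether 2222 here is a rogue sshd or something legitimate that was simply forgotten.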
 