Great Circle Associates Firewalls
(April 1998)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: top 10 signs you've been hacked ?
From: Ronald Wiplinger <ronald @ mail . trace . com . tw>
Date: Fri, 10 Apr 1998 11:46:07 +0800 (CST)
To: Joseph Judge <joej @ ultranet . com>
Cc: firewalls @ GreatCircle . COM
In-reply-to: <000001bd6427$3420aa20$433b8018 @ judgej . ne . mediaone . net>


On Thu, 9 Apr 1998, Joseph Judge wrote:

> 
> Any have some entries for a "top ten signs you've been hacked" ?
> 
> 
> THANKS
> 
> 	-- joe
> 


1. You go to your computer and you find your harddisk is empty

2. You go to your computer and you find a file called "I was here" or
similar.

3. You find on your web page another one

4. You find on your web page, which looks very familiar to you the phone
number of the competior instead of yours.

5. You find that your password suddenly does not work

6. Your personal account does not allow you anymore to su, sudo

7. Everybody logging is member of the group 0, maybe they do not even need
a password. You find also neew accounts, prefered as "shutup" (next to
shutdown in the password file), somewhere a name like "toor" (which just
tell you, that the hacker might come from a FreeBSD box).

8. You try to find out what is going on, by examin the log files, but they
have only entries of the last minute.

9. You type ps -ax and you find a lots of people there. You kick them out,
they are still here and delete the log files all the time. You turn off
every service, but they are still there. You check the login binary and it
has another length but still the same date/time.

10. Somebody tries to use talk to you and offered you to help you on your
system, he even mention the price for this service, and emphesize that he
has nothing to do with the case.


You pull out the Router, the Ethernet cable, and make the only trust
full action: format the harddisk and re-install the system.


Almost all about happened to me in just 6 hours on 30th September 1997.
The University in Estland, from where the hacker came, did not show any
responisbility, even when you showed them the fragments of the logfile. 

Why??  because hacking is free, is not a crime, not covered by the law,
.....


What have I changed since then?
1. I look at each logfile very often 
2. Installed tripwire
3. Installed modified shells, which log everything what root is doing
extra in a hidden file, somewhere on the local harddisk, as well as on a
extra machine, which is only for logging anymore. From there we save it to
a one-time write able media.
4. No shells for anybody, except 2 people
5. Every service turned off that is not necessary
6. Upgraded to the newest version of software
7. subscribe to several security lists and study the messages carefully.


I am sure it is not all done what we could do, but I try as much as
possible.


bye

Ronald



References:
Indexed By Date Previous: Re: top 10 signs you've been hacked ?
From: Greg Dake <daker @ superior . net>
Next: Re: top 10 signs you've been hacked ?
From: Frank Cusack <fcusack @ voicenet . com>
Indexed By Thread Previous: Re: top 10 signs you've been hacked ?
From: Greg Dake <daker @ superior . net>
Next: Re: top 10 signs you've been hacked ?
From: Frank Cusack <fcusack @ voicenet . com>

Google
 
Search Internet Search www.greatcircle.com