[SunHELP] Tracking Hacker ?

Jeff Feller sunhelp at sunhelp.org
Tue Apr 24 21:55:48 CDT 2001


Hello Sun Admins,

I logged into my SPARCstation 5 tonight (which runs Solaris 8) and a
message of "you been hacked" was on my screen.  Someone somehow gained
root access and put that in my /etc/motd file.  I noticed it was last
modified APRIL 24 at "18:52" so I did a last -10 to see who had been on.
Apparently they covered up their tracks because it only showed MY logins
and NO logins around the time this happened.  The only other guy who has
root access to this system is on his way home from Denver, CO and has NO
ACCESS to the net right now.

Which steps can be taken to find out who had done this or at least how
they got in?  

None of my log files in /var/log have any clue.. /var/adm/messages would
have had something but everything was removed from the time it happened and
before.  

ANY IDEAS that can help me are **GREATLY** appreciated.  After this had
happened, I also checked my inetd.conf and probably should have shut down
basically ALL ports beforehand because the only access anyone needs to
this is RARELY ftp and mostly ssh.  Thank you!



Jeff Feller



