On Sat, 14 Jun 2003, eyem wrote:

> Hello,
>
> I think my box has been compromised...... it's my first time and it is a
> rather unpleasant experience!

Yes, it sounds as if you have been, and yes, it is not fun. I sympathize (only happened to me once, which was more than enough).

> I found some stuff in /dev, hdx1 and hdx2 .... is that normal?

Hard to say. Are they device files? If they aren't, investigate them to try to figure out what's going on (get them to a known good machine, run strings on them, for starters. Try to find commonalities with known rootkits. If you have the skill, disassemble them. If not, run them in a sandbox on a machine you can afford to rebuild and see what they do.).

> Anyway, I have no idea where to go from here.
> I don't know if it will be just a couple of things to fix up, or if I should
> toast my whole system: major major hassle)

Best practice is to pull the network plug and investigate how the attacker got in. Then, redeploy with that problem (and any other problem you found during forensics) fixed.

Frequently in the real world, that isn't possible. Then you have to fall back on a reinstall and restore from backups, and watch what happens from an extremely paranoid stance.

You really don't want to attempt a cleanup, because you never know if you found every potential trap, so you can never trust the machine again. Not the sort of thing you want on your network.

Good luck... The only good thing about being compromised is that it makes you more paranoid about being on the net.

-j

--
Jamie Lawrence [EMAIL PROTECTED]

A computer without a Microsoft operating system is like a dog without bricks tied to its head.
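As an added example, not part of this thread or anyone's posted code: a small POSIX shell triage script for the first step Jamie describes, finding entries under a /dev-style directory that are not device nodes and recording what they are (type, hash, first strings, ELF magic) before deciding on cleanup versus rebuild. The directory path and the `triage` function name are assumptions; run it against a copy of the directory on a known-good machine where you can.

```shell
#!/bin/sh
# Added triage helper (not from the original thread). Everything under a
# real /dev should be a device node, directory, symlink, FIFO or socket, so
# plain regular files there (like the hdx1/hdx2 mentioned above) deserve a look.

# find_nondev DIR: print every regular file found directly under DIR.
find_nondev() {
    find "$1" -mindepth 1 -maxdepth 1 -type f 2>/dev/null | sort
}

# count_nondev DIR: number of regular files directly under DIR.
count_nondev() {
    find_nondev "$1" | wc -l | tr -d ' '
}

# has_elf_magic FILE: succeed if the first four bytes are 0x7f 'E' 'L' 'F',
# i.e. the file is an ELF binary rather than a device node or text.
has_elf_magic() {
    magic=$(head -c 4 -- "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# describe_file FILE: record type, metadata, hash and printable strings so the
# evidence can be kept offline and compared against known rootkit signatures.
describe_file() {
    f="$1"
    printf '== %s\n' "$f"
    file -- "$f" 2>/dev/null || printf 'file(1) not available\n'
    stat -c 'size=%s mtime=%y owner=%U:%G mode=%A' -- "$f" 2>/dev/null || ls -l -- "$f"
    sha256sum -- "$f" 2>/dev/null | awk '{print "sha256=" $1}'
    if has_elf_magic "$f"; then printf 'ELF binary: yes\n'; else printf 'ELF binary: no\n'; fi
    strings -n 6 -- "$f" 2>/dev/null | head -n 20
}

# triage [DIR]: summarize and describe all non-device regular files (default /dev).
triage() {
    dir="${1:-/dev}"
    printf 'Regular files directly under %s: %s\n' "$dir" "$(count_nondev "$dir")"
    find_nondev "$dir" | while IFS= read -r f; do
        describe_file "$f"
    done
}
```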