Re: System compromised --Vanished ?
>>I am fairly new to Linux, running RH 6.2 on @home
>>network. Anyway I installed a new soundcard and when
>>system powered back up I got some strange boot
>>messages. They went by fast so I couldn't get them all
>>but here are a few:
>>..vanish2.tar.gz
>>unable to locate /var/logs/httpd/access.log
>>unable to locate /var/logs/httpd/errors.log
>>-rf user/home/home not found
>>your tracks are covered..
>>VANISHED ! !
>>Eth0 Eth0 in premiscous mode
>Doesn't look good! I recommend you disconnect that box
>from the internet while you determine if you've been cracked.
>Disconnect so a cracker doesn't use your box to break into
>other sites on the internet and to protect your data.
Yes, do this.
>I think you have some reading to do about security. There
>are plenty of books and sites on the internet dedicated to
>that subject.
At least disable telnet and NFS/portmap or install TCP wrappers if you need
those services on your local net. A firewall is best. Some services that are
"ON" by default on RH6.2 are not so secure.
>>Well anyway did some script kiddie get me? Why
>>suddenly does my Eth0 say it's in promiscuous mode? (and
>>what is that).
>It means he's probably running a sniffer on your network.
Neat! Cable networks can be sniffed, and now someone's actually doing it! I
wondered how long it would take before I knew someone this happened to.
One good thing might be to portscan yourself and see what services the scanner
thinks you have going.
Linux boxes are generally more secure than Win32 boxes, but they're a lot more
dangerous once they're busted open. He could do illegal things FROM your box so
you really should unplug that box till you find out what he did.
Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW.
Grand Rapids, MI. 49505
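
The promiscuous-mode question raised in the thread can be checked from the shell; the following is an added example, not part of the original message. It assumes a kernel that exposes sysfs (`/sys/class/net/<iface>/flags`, which a stock RH 6.2 kernel does not have), the function names are hypothetical, and on a box that is already compromised the result can be falsified by a rootkit, so a clean answer proves nothing.

```shell
#!/bin/sh
# Added example: list interfaces whose kernel flags include IFF_PROMISC.
# Assumption: sysfs is mounted and exposes /sys/class/net/<iface>/flags
# as a hex value such as 0x1103.

IFF_PROMISC=256   # 0x100, from <linux/if.h>

# is_promisc FLAGS: succeeds when the IFF_PROMISC bit is set in FLAGS.
is_promisc() {
    [ $(( $1 & $IFF_PROMISC )) -ne 0 ]
}

# promisc_ifaces [DIR]: print the name of every interface under DIR
# (default /sys/class/net) that is currently in promiscuous mode.
promisc_ifaces() {
    netdir=${1:-/sys/class/net}
    for dev in "$netdir"/*; do
        [ -r "$dev/flags" ] || continue
        flags=$(cat "$dev/flags")
        # Accept only a plain hex literal before doing arithmetic on it.
        case $flags in
            0x*[!0-9a-fA-F]*) continue ;;
            0x?*) ;;
            *) continue ;;
        esac
        if is_promisc "$flags"; then
            echo "${dev##*/}"
        fi
    done
}

# Stand-alone use: scan the live system (or a directory given as $1).
promisc_ifaces "$@"
```

An interface listed here is only suspicious if nothing legitimate (a capture tool, a bridge, some virtualization setups) put it into that mode.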