LinuxSA Mailing list archives
From: Andrew Pullin <andrew@hotspurbgc.com.au>
To: <linuxsa@linuxsa.org.au>
Date: Sun, 4 Feb 2001 13:16:54 +1100
Subject: I've been spammed! And Violated! and Compromised!

Hi All,

Well I suppose it was just a matter of time, but someone
broke into my system and used me to spam yesterday. I think
that I have blocked the immediate holes, but I plan on
reinstalling the server again in case they left behind any
nasties to try again later.

My question is this: What do I do now before I destroy
all the evidence? This is the first time I have been
penetrated, so I just don't know. Who do I have to notify
about this? What evidence do I have to present to them? Is
there anything in particular I should keep to show people?
Is there anywhere in the logs etc. I should check
specifically (I have checked the obvious ones in /var/log/)?

I got an E-Mail from ORBS today, but I already knew I
had been broken into and had been spamming, and had removed
all the leftovers from the message queue.

O.K. next question is: Where do I go look, and what do
people suggest about stopping it happening again? I have
been directed to www.insecure.org and www.psionic.com to get
things like Tripwire, Portsentry and Logcheck, and I had
already turned off all my ports not being used etc. and ftp.
I will have another read of the Security HOWTO also.

Thanks for listening all, I am sure it will promote some
healthy discussion.

Cheers!
Andrew.

--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject