LinuxSA Mailing list archives
From: Alan Kennington <akenning@dog.topology.org>
To : Andrew Pullin <andrew@hotspurbgc.com.au>
Date: Sun, 4 Feb 2001 14:53:02 +1030
Subject: Re: I've been spammed! And Violated! and Compromised!
On Sun, Feb 04, 2001 at 01:16:54PM +1100, Andrew Pullin wrote:
>
> My question is this: What do I do now before I destroy
> all the evidence? This is the first time I have been
> penetrated, so I just don't know. Who do I have to notify
> about this? What evidence do I have to present to them? Is
> there anything in particular I should keep to show people?
> Is there anywhere in the logs etc. I should check
> specifically (I have checked the obvious ones in /var/log/)?
Andrew,
I agree with Mark.
Hacking a computer to send spam is somewhat unlikely.
My personal recommendation for tracing attacks is to get
a big disk and run "tcpdump -w filename" all day on your
main link to the internet.
In a real break-in, they say that /etc and /tmp and /var/tmp
should contain useful clues.
More likely, you just have to update "sendmail".
Cheers,
Alan Kennington.