[CentOS] I've been hacked -- what should I do next?
John R Pierce
pierce at hogranch.com
Fri Dec 1 06:12:13 UTC 2006
Alfred von Campe wrote:
> My home system has been hacked. It's running CentOS 4.4, and I
> recently added an account to play around with Samba shares to back up
> PCs here at home. I had set a weak password for that account and
> forgot to disable it after my testing. I could hear the disk being
> accessed constantly, so I knew something was up. I disabled the port
> forwarding to my CentOS box on my Linksys router (only ports 22 and 80
> were being forwarded).
if for sure only 22 and 80 were forwarded, then it wasn't Samba.
There's no default account I see here on my 4.4 boxes named backup, was
that something you'd created? some package you'd installed?
what was on your website? any canned php scripting or whatever?
re: cleanup... look very carefully for directories in odd places with
. names
I'd run rkhunter to see if there's any other well known root kits on
your system.
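
An added example, not part of the original post, of the check for dot-named directories in odd places suggested in the reply above. The default roots (/tmp, /var/tmp, /dev/shm) and the HIDDEN/LOOKALIKE labels are assumptions of this example; pass your own directories, such as the web root, as arguments.

```shell
#!/bin/sh
# Added example: list directories whose names start with a dot.
# Names made only of dots and whitespace ("...", ".. ", ". ") are labelled
# LOOKALIKE because they blend in with "." and ".." in an ls listing.
# Limitation: paths containing newlines are not handled.

find_dot_dirs() {
    # Assumed default roots: common world-writable locations.
    [ "$#" -gt 0 ] || set -- /tmp /var/tmp /dev/shm
    for root in "$@"; do
        [ -d "$root" ] || continue
        # -xdev: stay on one filesystem; -mindepth 1: skip the root itself.
        find "$root" -xdev -mindepth 1 -type d -name '.*' -print 2>/dev/null |
        while IFS= read -r dir; do
            name=${dir##*/}
            case $name in
                *[!.[:space:]]*) flag=HIDDEN ;;     # e.g. ".cache"
                *)               flag=LOOKALIKE ;;  # only dots and whitespace
            esac
            # Tab-separated so trailing spaces in the path stay visible to tools.
            printf '%s\t%s\n' "$flag" "$dir"
        done
    done
    return 0
}

# Run with the script's arguments, or the default roots when none are given.
find_dot_dirs "$@"
```

Pipe the output through `cat -A` to make trailing spaces in directory names visible, and review HIDDEN hits by hand since many are legitimate.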