[CentOS] I've been hacked -- what should I do next?

Mon Dec 4 20:12:52 UTC 2006
Michael Kress <kress at hal.saar.de>

On 12/4/2006 8:24 PM, Alfred von Campe wrote:
>> You can use a whois database to find the info (for example, there's a
>> web interface on www.ripe.net).  Info for indicates that
>> this IP address is allocated to a provider in South Korea.
> So I sent mail to the address (abuse at bora.net) listed in the whois
> record for that ISP, and it bounced!
> ...
> <badmail at bora.net|/webmail/mbox0/bora.net/513/badmail|2|512000|530259968|99999999|99999999|>:
>   Recipient's maiilbox is full, message returned to sender,
> (#5.2.2)allot:(524288000), usage:(530309120)

<humor style="flavour:black; weight: ultraheavy">
My theory: The admin was shot in his office and the gunman broke into
your system. After, nobody cared anymore for the dead man's mailbox.

Don't spend too much time on something that won't give you anything
back in the end. You could traceroute to that guy and email the admin
from the hop just before that guy. Normally you get somebody there, but
neither will they pay anything to you nor will they shoot the gunman back.

> Maybe I'll try again after a few days to see if they cleaned up their
> mailbox.  Doesn't give me a warm and fuzzy feeling about that ISP,
> though.

Put his network on your iptables black list, that certainly gives you a
better feeling.


Michael Kress, kress at hal.saar.de
http://www.michael-kress.de / http://kress.net
P E N G U I N S   A R E   C O O L
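The iptables blacklist suggested in the reply above, worked out as a small POSIX shell script. This is an added example, not code from the thread or from any poster: the network addresses are constructed placeholders from the RFC 5737 documentation range, not the address discussed in the thread, and the function names (`valid_cidr`, `block_rule`, `apply_block`) are this example's own. The script validates each network before it touches the firewall, prints the rules so they can be reviewed first, and only inserts a rule that is not already present, so re-running it does not pile up duplicates.

```shell
#!/bin/sh
# Added example: maintain a small iptables blacklist of attacker networks.
# BLACKLIST below is a constructed sample (RFC 5737 documentation ranges).

# Validate an IPv4 CIDR such as 203.0.113.0/24. Returns 0 if well-formed,
# 1 otherwise, so a typo never becomes a firewall rule.
valid_cidr() {
  case "$1" in
    */*) ;;
    *) return 1 ;;
  esac
  ip=${1%/*}
  len=${1#*/}
  case "$len" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$len" -le 32 ] || return 1
  oldIFS=$IFS; IFS=.
  set -- $ip
  IFS=$oldIFS
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print (do not run) the iptables command that drops all traffic from a
# network, so the rule set can be reviewed before it is applied.
block_rule() {
  valid_cidr "$1" || { echo "invalid network: $1" >&2; return 1; }
  printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Apply the rule only when it is not already present: `iptables -C` exits 0
# if a matching rule exists. Needs root and a host with iptables installed.
apply_block() {
  valid_cidr "$1" || return 1
  if iptables -C INPUT -s "$1" -j DROP 2>/dev/null; then
    echo "already blocked: $1"
  else
    iptables -I INPUT -s "$1" -j DROP
  fi
}

# Constructed sample blacklist; replace with the networks you actually want
# to drop, then call apply_block on each once the printed rules look right.
BLACKLIST="203.0.113.0/24 198.51.100.17/32"

for net in $BLACKLIST; do
  block_rule "$net"
done
```

Blocking by netblock rather than single address matters because the reply's point is the whole network of an unresponsive provider; a `/32` entry is still accepted for the case where only one host is known. Rules inserted with `-I` land at the top of INPUT, ahead of any accept rules, and they do not survive a reboot unless saved with the distribution's own persistence mechanism.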