I was HACKED BY ALEKS

guysoft · 03-14-2006, 12:44 PM

hello,
i run the server gnet.homelinux.com, on debian unstable.

this hacker replaced files in an installation of dokuwiki.

as i was using ssh to check the damage i got:

Code:

ssh_exchange_identification: Connection closed by remote host

i immediately switched off the PC.

when i switch it on what to look for? what might show that he sshed?

what to do in this situation?

gilead · 03-14-2006, 01:19 PM

I'd suggest getting that box off the network and then from another box go through the information on forensics and recovery at http://www.linuxquestions.org/questi...600#post222600. There's a lot of information there and it should help you determine what has happened.

guysoft · 03-14-2006, 01:28 PM

do you have something more specific? that list is full of sites, i don't know where to start.

gilead · 03-14-2006, 01:49 PM

To start with, you'll need to get the system off the network, back it up and check your log files to see if anything has been logged that points to what they've done. Your Apache logs and several of the files in /var/log (secure, messages, syslog) may have information. But if it was someone who knew what they were doing and gained sufficient access, they'll have tried to hide what they did.

It's worth going through the links on that page because going through the process may show that you weren't cracked at all. Or, if you were, you'll have a wide range of tools you can apply to find the problems. The first link in the forensics section (http://www.cert.org/tech_tips/root_compromise.html) goes through some steps to determine whether you've been cracked. I'd sugest you have a look in the "C. Analyze the intrusion" section and ask more questions here about what you find...