LinuxQuestions.org

Linux - Security: my box has been hacked (https://www.linuxquestions.org/questions/linux-security-4/my-box-has-been-hacked-153091/)

NickBernstein 03-05-2004 05:41 PM

What to do.
 
Get the Data:
1) on a different machine, download tct and burn it to a cdrom.
2) use memdump to get a memory image. Save it to another machine.
3) Poweroff (not shutdown) the machine.
4) dd the hd, so you have a clean image of what was done to the system.

Get the machine back up:
1) Re-install, off the network. If you /have/ to install 7.2, make sure you have as up-to-date rpms as possible and get all patches from progeny etc.
2) Get the machine configured to your satisfaction.
3) Disable *ALL* services you do not use.
4) Enable your local firewall (for the machine, not the net). Look at what services you are going to be using and what machines they are talking to. E.g., ssh might need to be turned on, but it probably only needs to answer machines on the network and maybe a couple of other machines; restrict it to that.
5) run nessus against the machine. http://nessus.org , http://viewpoint-security.com/nessus_talk/siframes.html
6) take a look at the vulnerability reports, and lock it down per the instructions given.
7) tie things down locally: strong filesystem permissions, chrooting, remote syslog. **REMOVING** development tools.
8) Set up tripwire, or samhain, and KEEP UP TO DATE WITH IT.

Do Forensics:
1) http://www.securityfocus.com/guest/16691
2) http://www.emergency.com/fbi-nccs.htm


Good luck,
Nick Bernstein, http://viewpoint-security.com
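The "Get the Data" steps above (memory image, power off, then dd the disk) are where most people lose the evidence: an image you cannot prove is bit-exact is worth little later. The script below is an added example, not code from the post or from TCT. It assumes the evidence disk is attached unmounted to a clean analysis box with GNU coreutils; the device and image paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: image a disk with dd and
# record hashes so the copy can be proven bit-exact later.
# Assumptions: the evidence disk is attached to a clean analysis box and is
# not mounted; GNU coreutils (dd, sha256sum) are available; the src/dst
# arguments are placeholders, e.g. /dev/sdb and /mnt/evidence/sdb.img.

acquire_image() {
    src="$1"          # block device (or file) to image
    dst="$2"          # output image on a separate, larger disk
    log="$dst.log"    # hashes and any dd errors are kept here

    # bs=512 keeps the image exactly the length of the device: with
    # conv=sync a partial final block is zero-padded, so a larger bs is
    # only safe when it divides the device size exactly.
    # conv=noerror,sync keeps reading past bad sectors and fills them with
    # zeros so every later offset still matches the original disk.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>"$log" || return 1

    # Hash source and image; matching digests prove the copy is exact.
    src_hash=$(sha256sum "$src" | awk '{print $1}')
    img_hash=$(sha256sum "$dst" | awk '{print $1}')
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

# Re-hash an image and compare it with the digest recorded at acquisition.
# Run this before and after every analysis session: a mismatch means the
# image was altered and can no longer be trusted as evidence.
verify_image() {
    dst="$1"
    recorded=$(awk '/^image/ {print $2}' "$dst.log")
    current=$(sha256sum "$dst" | awk '{print $1}')
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Usage (placeholder paths):
#   acquire_image /dev/sdb /mnt/evidence/sdb.img
#   verify_image  /mnt/evidence/sdb.img
```

Work on a copy of the image, never the original; if `verify_image` ever fails on the original, the rest of the analysis cannot be defended.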

gmasci 03-09-2004 10:25 AM

Get planB, it's a good forensics tool.

http://www.projectplanb.org/main.htm

ryedunn 03-16-2004 01:10 PM

Re: What to do.
 
Quote:

Originally posted by NickBernstein
4) dd the hd, so you have a clean image of what was done to the system.
What is dd?

skank 01-08-2005 08:24 PM

Quote:

Data dumper

Imaging a computer’s hard disk can be a lengthy process but it need not be expensive. dd (short for data dumper) is a freely available utility for UNIX systems which can make exact copies of disks suitable for forensic analysis. It is a command line tool, meaning that the dd program is run by typing a command rather than double-clicking an icon, and requires a sound knowledge of the command syntax to be used properly. Modified versions of dd intended specifically for use as a forensic utility are also available.

qwijibow 01-08-2005 09:54 PM

Quote:

Man, that has to be the dumbest hacker ever... what kind of "l33+ h@x0r" uses pico!?!?!?
what kinda l33t h@x0r has to "man iptables"

predator.hawk 01-10-2005 09:34 AM

haha, the guy that got on your rig is a script kiddie at best. He apparently knows some Linux basics but nothing above that. It appears as though he set up some IRC bouncers/bots, an ircd and a few other random things. I'd personally back up, wipe everything, reinstall, and set up a complete firewall system with iptables, etc.

Haric 01-11-2005 06:54 AM

aa

Haric 01-11-2005 06:56 AM

Hi everybody.
I am a newbie, so if my doubt is foolish please forgive me. I didn't understand any of the comments you people have posted. Regarding the first post: how did you come to know that you're being hacked? What's all that stuff you have posted? Is it a log of something? I am asking because my root password got automatically changed, and I access my machine through telnet only, and our server is placed in a secure host area so that nobody can manipulate it.

So in a nutshell my question is: if my server is being hacked (as we have telnet access), is it possible for me to find out who has done what at a particular time? Also, is it possible to know whether someone has rebooted my machine, etc.?

porous 01-11-2005 11:26 AM

hi guys ,
i was off for a long time , and this is the first post i read after a long time . it was fun :-)

hanzerik 01-11-2005 12:23 PM

Quote:

Originally posted by Haric
Hi everybody.
I am a newbie, so if my doubt is foolish please forgive me. I didn't understand any of the comments you people have posted. Regarding the first post: how did you come to know that you're being hacked? What's all that stuff you have posted? Is it a log of something? I am asking because my root password got automatically changed, and I access my machine through telnet only, and our server is placed in a secure host area so that nobody can manipulate it.

So in a nutshell my question is: if my server is being hacked (as we have telnet access), is it possible for me to find out who has done what at a particular time? Also, is it possible to know whether someone has rebooted my machine, etc.?

That "stuff" is root's .bash_history file. It will show the last commands that root ran. It can be found in /root/.bash_history.

Telnet is not a very secure means of connecting to a Linux/Unix server even in a LAN. If your root password has changed and you didn't do it or none of your co-workers have changed it then it's safe to say something happened that shouldn't have. You might want to get that machine off the network while you try to figure out what happened.

Almost everything gets logged to your /var/log directory. Take a look at all the log files in there to see if there are dates/time frames missing, or anything that doesn't look right. There will probably be quite a few log files in there, and if you have log rotation set up then you'll have multiple logs that end with <logfile>.1, <logfile>.2 and so forth. The one without the numeric extension will be the most current.
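The log review hanzerik describes (rotated copies in order, missing time frames, lines that don't look right) is easy to script. The following is an added example, not code from the thread; it assumes GNU date, syslog-style timestamps ("Jan 11 06:54:01") at the start of each line, the .1/.2/.gz rotation scheme named above, and a handful of grep patterns that are my own choice for a box reached over telnet.

```shell
#!/bin/sh
# Added example, not from the thread: read a log and its rotated copies in
# order, report silent windows, and grep for events that should not be there.
# Assumptions: GNU date; lines start with a syslog timestamp ("Jan 11 06:54:01");
# rotation uses the .1, .2, ... (optionally .gz) suffixes described above.
# The patterns in flag_events are this example's choice, not from the post.

# Print BASE's rotated copies oldest-first, then BASE itself (the current
# log), so the output reads as one timeline from top to bottom.
cat_rotated() {
    base="$1"
    n=9
    while [ "$n" -ge 1 ]; do
        if [ -f "$base.$n.gz" ]; then zcat "$base.$n.gz"; fi
        if [ -f "$base.$n" ]; then cat "$base.$n"; fi
        n=$((n - 1))
    done
    if [ -f "$base" ]; then cat "$base"; fi
}

# Report every stretch longer than THRESHOLD seconds with no log line at all.
# A silent window in a normally chatty log can mean the host was down, syslog
# was stopped, or lines were deleted. Caveat: syslog stamps carry no year, so
# a Dec->Jan boundary shows up as a large negative jump rather than a gap.
find_log_gaps() {
    file="$1"; threshold="$2"
    prev=""; prev_stamp=""
    while IFS= read -r line; do
        stamp=$(printf '%s' "$line" | cut -c1-15)
        ts=$(date -d "$stamp" +%s 2>/dev/null) || continue   # skip unstamped lines
        if [ -n "$prev" ] && [ $((ts - prev)) -gt "$threshold" ]; then
            printf 'gap of %ss between "%s" and "%s"\n' "$((ts - prev))" "$prev_stamp" "$stamp"
        fi
        prev=$ts; prev_stamp=$stamp
    done <"$file"
}

# Lines worth a closer look on a box reached over telnet: a telnet connect,
# root logging in interactively, or root's password being changed.
flag_events() {
    grep -E 'in\.telnetd|ROOT LOGIN|Accepted password for root|password changed for root' "$1"
}

# Usage:
#   cat_rotated /var/log/auth.log >/tmp/auth.all
#   find_log_gaps /tmp/auth.all 3600
#   flag_events /tmp/auth.all
```

Copy the logs off the machine before running anything on them; an attacker with root can edit /var/log, which is also why the first post recommends remote syslog.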

Haric 01-12-2005 12:39 AM

Great reply, thank you very much for the information.
