New System taken over by unknown remote....
 

Hi. I had done a fresh install of Gentoo. Installed a few drivers needed. Installed x11.org . installed Gnome.

My computer was then left without any connection to the internet and was shutdown & unplugged for alittle over a month.

I reconnected and powered it up for the first time since. Not even 5 minutes after booting up to run updates and installs, I watched:eek::scratch: as someone had taken remote control of my system and running commands to force download files from some ftp server.:banghead::banghead::banghead::banghead:

How do I regain control of the system and secure it or am I SOL and having to reinstall from scatch again?

I know the information is located some where in the handbook but I was not locating it.

How do I protect a new install from future events of things repeating?

Unplug the system from your network and then go through your accounts and eliminate any remote access accounts, user accounts, reset passwords, and possibly implement a firewall through IPTables as well as look into the Hardening Linux handbooks around the internet on how to prevent a hacker from accessing and controlling your system.

How? Where? Describe what you saw. From what you are telling us, what you are seeing could just be the regular output from emerge on a terminal. Details, please.


Any casual attacker can't just break into your system using hocus pocus spells. They must reach a server that's running in your machine (apache, lighttpd, amule, mldonkey, mysql, etc.). At most they could break into your user account using specially crafter sites if you are running a vulnerable browser.

So, please, describe the real symptoms instead of telling us what your impressions are.

I agree: proper analysis and mitigation should be done first.

@OP: while no longer maintained the CERT Intruder Detection Checklist might help you focus your efforts if you don't know where to look.