Successful SSH Attack - Need help cleaning up

Gabriel Gunderson gabe at
Fri Oct 27 16:09:02 MDT 2006

On Fri, 2006-10-27 at 15:00 -0600, Daniel wrote:
> I have people accessing this server who don't know much about
> computers and get freaked out when some thing changes.  Will they
> notice something has changed when they use it the first time after the
> reinstall?

I wouldn't do anything if that's the case.  Just try to find who's done
this (their IP address is a good start) and explain your situation to
him.  I'm sure he'll probably understand since he works with computers
and computer illiterate people also.  With any luck, he might also share
which other files need to be "cleaned up."

If that doesn't work, you *could* try to explain to your users that you
had to reinstall because you had no way to verify that the guy wasn't
gathering their passwords and IP addresses as they logged onto the
server.  Perhaps they might understand if they knew that all their
information stored on the was, for a time, in the hands of a cracker.

No really, take good advice when it's offered.  Preserve what evidence
you can, quarantine all files until checked-out and reinstall.  This is
your *only* *real* option, especially if the cracker is not some script
kitty and sophisticated enough to produce a "homegrown rootkit."

Overlook my sarcasm.  I'm genuinely sorry to hear that you've been
cracked.  I wish you luck.

Gabriel Gunderson

More information about the PLUG mailing list