* * * * *

Now that's darned rude!

It's 5:30. I'm with some friends when I get beeped. It's my home number. I call. It's my roommate. His RedHat 6.0 box was hacked. What should he do?

I mention a few things to look for, but it looks bad. Whoever broke in either got spooked or was feeling malicious, and the final two commands we found in the .bash_history file were:

> rm -rf /var/log
> rm -rf /*

My roommate, Rob, [1] managed to stop it before it did more damage, but they still wiped out /boot, /bin and parts of /dev. Using Tom's RootBoot disk [2] he was able to survey the damage and then waited until I got home.

From what I've been able to determine, it appears that some script kiddie was running a program to look for exploitable boxes (RedHat 6.0) because around noon yesterday someone tried to FTP into my box and Rob's other box from Harvard. [3] This said script kiddie then had a list of hosts to exploit today and Rob's box was broken into and damaged around 5:30 pm EST.

Breaking in and looking around is one thing. Maliciously deleting files is another.

[1] http://www.tragic-smurfs.com/
[2] http://www.toms.net/rb/
[3] http://www.harvard.edu/

Email Sean Conner at sean@conman.org.