- Oct 24, 2000
So someone was able to log into one of my friend's Linux boxes (he's got several sitting on a T1) as root.
They originally started out by trying to log in with FTP and were unsuccessful. Next, they got in with SSH. Logged in and set up their own user. How can we find out what else was compromised? Any way to see what it was that was done while they were logged on?
Should we even try to recover the box or just scrap it and start fresh? We changed all his passwords and they were still able to log right in two days later.