Security Incidents mailing list archives

RH6.1/IPChains box hacked


From: jhorner () KNOXLUG ORG (J. J. Horner)
Date: Thu, 20 Apr 2000 14:38:41 -0400


FYI:

I was hacked last week through Bind 8.2.2_P3.  If anyone can look at my
logs and tell me some thoughts it would be good.  The intruder erased all
of the logs (/var/log/messages*) on my box, but didn't notice or didn't
check to see that all logging was duplicated to another machine (*.*
@JJ1) in /etc/syslog.conf.

Here is what I have at the time around the hack.

I also have some files in my /var/lib/anaconda-rebuilddb955643425/
directory:

[jhorner@gateway anaconda-rebuilddb955643425]$ ls -la
total 204
drwxr-xr-x    2 root     root         4096 Apr 13 16:30 .
drwxr-xr-x   17 root     root         4096 Apr 13 16:30 ..
-rw-r--r--    1 root     root            0 Apr 13 16:30 conflictsindex.rpm
-rw-r--r--    1 root     root        16384 Apr 13 16:31 groupindex.rpm
-rw-r--r--    1 root     root        24576 Apr 13 16:31 nameindex.rpm
-rw-r--r--    1 root     root        40960 Apr 13 16:31 providesindex.rpm
-rw-r--r--    1 root     root        98304 Apr 13 16:31 requiredby.rpm
-rw-r--r--    1 root     root        16384 Apr 13 16:31 triggerindex.rpm

None of these are real RPMS, so I don't know what to do with them.

Any ideas?

--
J. J. Horner
Apache, Perl, Unix, Linux
jhorner () knoxlug org http://www.knoxlug.org/


[2 TEXT/PLAIN attachments: stored]
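
The message above credits the `*.* @JJ1` rule in /etc/syslog.conf for the logs that survived the intruder's cleanup. The following is an added example, not part of the original post: a Python check that a classic sysklogd-style syslog.conf sends a full copy of its logs to at least one remote host, and otherwise lists the selectors that exist only on the local disk. The sample configuration is constructed; only the `*.* @JJ1` rule comes from the post.

```python
# Constructed sample in classic sysklogd syntax. Only the "*.* @JJ1" rule
# is taken from the post; the other lines are typical defaults (assumption).
SAMPLE_CONF = """\
# Log anything of level info or higher, except mail
*.info;mail.none;authpriv.none    /var/log/messages
authpriv.*                        /var/log/secure
mail.*                            /var/log/maillog
# Duplicate everything to the remote log host
*.*                               @JJ1
"""

def parse_rules(text):
    """Return (selector, action) pairs, joining backslash continuations."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        parts = line.split(None, 1)
        if len(parts) == 2:
            rules.append((parts[0], parts[1].strip()))
    return rules

def remote_hosts(rules):
    """Map each remote host (action '@host') to the selectors sent to it."""
    hosts = {}
    for selector, action in rules:
        if action.startswith("@"):
            hosts.setdefault(action[1:], []).append(selector)
    return hosts

def audit(text):
    """Report hosts that receive everything, and selectors kept only locally."""
    rules = parse_rules(text)
    hosts = remote_hosts(rules)
    full = sorted(h for h, sels in hosts.items() if "*.*" in sels)
    local_only = []
    if not full:
        # No catch-all forward: flag local rules with no identical remote rule.
        forwarded = {s for sels in hosts.values() for s in sels}
        local_only = [s for s, a in rules
                      if not a.startswith("@") and s not in forwarded]
    return {"full_copy_hosts": full, "local_only_selectors": local_only}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Selectors are compared as literal strings, so a rule forwarded under a different but overlapping selector is still reported as local-only.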

