Security Incidents mailing list archives

Re: find_ddos results


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Wed, 15 Nov 2000 13:59:05 -0800

On Wed, 15 Nov 2000, Karl Malivuk wrote:

I am new to UNIX/Linux and just brought my first Linux box online. I am
using it as a test machine before bringing up as a production host. I just
received and installed find_ddos this morning and got the log listed below.
I sent a copy to our campus security director who suggested I contact you.
Where do I go from here?

Well, that would seem to mean that you got broken into.  If you don't care
to follow up, just re-format the drive and install Linux again.  This
time, you might want to take care to turn off unneeded services, and make
sure all the latest patches are on.

If you want to do more than that, you could offer to make the file in
question available, since it looks like it might be a variant.  You could
also invite someone to log into the box to do forensics work for you,
though how you are going to know who to trust for that, I can't say.

You mentioned a campus security guy... who apparently declined to check
out what is likely a hacked box on his net.  Is information security his
primary job there?

                                        Ryan
