1. You go to your computer and you find your hard disk is empty
2. You go to your computer and you find a file called "I was here" or
similar.
3. You find on your web page another one
4. You find on your web page, which looks very familiar to you the phone
number of the competior instead of yours.
5. You find that your password suddenly does not work
6. Your personal account does not allow you anymore to su, sudo
7. Everybody logging is member of the group 0, maybe they do not even need
a password. You find also neew accounts, prefered as "shutup" (next to
shutdown in the password file), somewhere a name like "toor" (which just
tell you, that the hacker might come from a FreeBSD box).
8. You try to find out what is going on, by examin the log files, but they
have only entries of the last minute.
9. You type ps -ax and you find a lots of people there. You kick them out,
they are still here and delete the log files all the time. You turn off
every service, but they are still there. You check the login binary and it
has another length but still the same date/time.
10. Somebody tries to use talk to you and offered you to help you on your
system, he even mention the price for this service, and emphesize that he
has nothing to do with the case.
You pull out the Router, the Ethernet cable, and make the only trust
full action: format the harddisk and re-install the system.
Almost all about happened to me in just 6 hours on 30th September 1997.
The University in Estland, from where the hacker came, did not show any
responisbility, even when you showed them the fragments of the logfile.
Why?? because hacking is free, is not a crime, not covered by the law,
....
What have I changed since then?
1. I look at each logfile very often
2. Installed tripwire
3. Installed modified shells, which log everything what root is doing
extra in a hidden file, somewhere on the local harddisk, as well as on a
extra machine, which is only for logging anymore. From there we save it to
a one-time write able media.
4. No shells for anybody, except 2 people
5. Every service turned off that is not necessary
6. Upgraded to the newest version of software
7. subscribe to several security lists and study the messages carefully.