If you are a system administrator, you should dread any time you use the normal “ls” command and receive a strange error in return. That is a sure sign that your machine has been hacked and ls has been replaced by an unknown program. Gnist blog has a nicely written step-by-step list of what you can do to track back an intruder.

In his case it sounds like the original owner of the machine may have used a weak root password, allowing someone to crack it and break into the box. People, don’t forget to use a hard-to-brute-force password, and finally disable root logins. Instead, use normal users and sudo.

Finally, if you are doing this in a legal setting and preparing for a possible future court case, don’t forget to make an image of the drive (using dd or Norton Ghost) before your analysis; otherwise the intruder can get your evidence thrown out.
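As an added example (not from the Gnist write-up or this post), a POSIX shell script covering two of the points above: checking whether an sshd_config still permits root logins, and imaging a disk with dd and verifying the copy by hash before any analysis touches it. The sample configs and the file standing in for a disk are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: shell checks for two points made
# above, disabling root SSH logins and imaging a disk with dd before analysis.
# All paths and sample contents used here are constructed for the demo.

# Portable SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
        awk '{print $1}'
}

# Report what an sshd_config says about root logins. sshd uses the FIRST
# uncommented PermitRootLogin it finds; with none present the compiled-in
# default applies (yes on old releases), so that case is flagged for review.
check_root_login() {
    val=$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" |
          head -n 1 | awk '{print tolower($2)}')
    case "${val:-unset}" in
        no|prohibit-password|without-password) echo "root-login-disabled" ;;
        unset) echo "root-login-default-review" ;;
        *) echo "root-login-permitted" ;;
    esac
}

# Image a disk (here a constructed file standing in for /dev/sdX) with dd onto
# separate media, then hash both sides to show the copy is bit-identical.
# Echoes the shared hash on success, "mismatch" otherwise.
image_and_verify() {
    src="$1"; img="$2"
    # noerror: keep going past unreadable sectors; sync: zero-pad those blocks.
    # Disks are multiples of 512 bytes, so clean reads are never padded.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    chmod 0444 "$img"            # evidence image must not be modified later
    s=$(hash_file "$src"); i=$(hash_file "$img")
    if [ "$s" = "$i" ]; then echo "$s"; else echo "mismatch"; fi
}

# Constructed demo: two sshd configs and a 4 KiB "disk" in a temp directory.
demo() {
    d=$(mktemp -d)
    printf 'Port 22\n# PermitRootLogin yes\nPermitRootLogin no\n' > "$d/hardened"
    printf 'PermitRootLogin yes\nPermitRootLogin no\n' > "$d/weak"
    dd if=/dev/urandom of="$d/sdx" bs=512 count=8 2>/dev/null
    check_root_login "$d/hardened"   # root-login-disabled
    check_root_login "$d/weak"       # root-login-permitted: first value wins
    image_and_verify "$d/sdx" "$d/sdx.img"
    rm -rf "$d"
}

demo
```

Record the printed hash with the image; re-hashing the image later and getting the same value is what shows the evidence was not altered.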

Some other security resources:
