Security Incidents: info

["Joe T." <auximini () yahoo com>]

Hello,

I was recently asked to check out a linux computer as the person said it was 'acting
funny'. I took a quick peek in webmin and saw a couple users with uid 0. I immediately
know the box had been hacked.

Upon further inspection through ssh, I found the following things:
- /var/log is gone
- the tripwire database is gone
- a couple hidden home dirs corresponding to the uid0's
- a file called spackit.c, the Super PakiT.. looks like a DoS program.

The person told me that people have been receiving viruses coming from one of the hacked
accounts.

I would like some opinions, advice, or info on:
- is there any way to view records? webmin has a 'last logon' option, but now that
/var/log has been blown away, its not working right..

- what is spakit.c? anyone ever heard of it?

- any other recommendations? I'm pretty proficient in linux, but this is the first time
ive ran into a hacked box. from my past reading, i know the steps are to try and recover
any data not malformed and reinstall. any other pointers?

thanks,

__________________________________________________
Do You Yahoo!?
Yahoo! Health - your guide to health and wellness
http://health.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com