Slide 21 of 21
Notes:
It's much preferable to prevent hacking than to clean up the mess. If only one knew just what to do beforehand to prevent it.
After the event, there's always the worry that they've
- taken a copy of the encrypted passwords and are now calmly cracking them
- installed some kind of snooper or trojan to report back on the victim system or on any other system on the same network
They may well have been in your system for some time before you discover it (indeed, some 6 weeks in our case, and a couple of weeks in the case of other people we know).
Word gets around on the hackers' bulletin boards and mailing lists, calling other hackers' attention to one's insecure site; indeed, some time after the incident reported here, the Astronomers got worried by unexpectedly high levels of network traffic from one of their hosts and discovered an IRC server had been installed, apparently via a little-used account whose password had been discovered (we think: cracked).
In summary: it was a nightmare, and we still don't know whether we've done enough in response.