Summing Up
Once they are in, you have a big problem:
- they may have taken the password file for cracking
- they may have installed a snooper or other trojan
- they may have been in for some time before you know it (some 6 weeks in our case)
- word gets around on the hacker underground, attracting other hackers to the site
- the Astronomy group later found, by chance, an IRC server running on one of their systems, apparently installed via a cracked password
Notes:
It’s much preferable to prevent hacking than to clean up the mess. If only one knew just what to do beforehand to prevent it.
After the event, there’s always the worry that they’ve:
- taken a copy of the encrypted passwords and are now calmly cracking them
- installed some kind of snooper or trojan to report back on the victim system or on any other system on the same network
They may well have been in your system for some time before you discover it (indeed some 6 weeks in our case, and a couple of weeks in the case of other people we know).
Word gets around on the hackers’ bulletin boards and mailing lists, calling other hackers’ attention to one’s insecure site. Indeed, some time after the incident reported here, the Astronomers became worried by unexpectedly high levels of network traffic from one of their hosts and discovered that an IRC server had been installed on it, apparently via a little-used account whose password had been discovered (we think: cracked).
In summary: it was a nightmare, and we still don’t know whether we’ve done enough in response.