So, it's interesting to see that my machine was broken into around September 19, 2002. It wasn't the first time that a machine of mine has been broken into -- it's probably the third or fourth time in the three or so years that I've had a machine up on the Internet. When one puts a machine up on the Internet, they are just begging for someone to break into it because, like a house or a car, if its there and nobody is watching, someone will definitely try to break in. Here are some things that I found while rebuilding the UltraMookie.Com box that concern security. The safest box is one that has no network connection, but even then a physical attack or local attack is quite possible. But, I'm not interested in discussing that aspect. This last break-in was significant because of the results. First, this was the first compromise that actually took down the network that my machine was on; this was my entire fault -- explanation later. The second is that this compromise yielded a call from the FBI. The call from the FBI was totally unexpected, especially when one takes into account the small operations of the UltraMookie.Com box: email for less than ten people, a website that yields less than 100,000 hits every six months, and no other services.
What I learned from this experience is a lot. I'm sure that this is all basic stuff for some UNIX security people, but I'd like to share it with others "just in case." The first and most important thing to remember is that if your machine is compromised the first thing you should do is take it off the network and turn the thing off. Don't worry about email or lost web hits, if you don't remove the machine you take a huge risk. I didn't take my machine down immediately and I suffered. Here's what happened. The intruder was able to replace some important binaries on the machine. They were also able to add an account and also take the password file. They were able to lock me out of any access to the machine