dbzeath (n00b) | Joined: 01 Jul 2004 | Posts: 15
Posted: Thu Oct 14, 2004 5:28 pm | Post subject: i was hacked little help plz?
At least one of my user accounts was hacked. The problem I'm having is that I can't see anything in any log files (I'm running metalog). The attacker(s) created files in my ~/.xchat2/xchatlogs/ folder, like:

```
bash-2.05b# ls -ln /home/death/.xchat2/xchatlogs/
total 108
-rw-r--r-- 1 1000 100 0 Oct 13 18:55 203.59.30.93?
-rw-r--r-- 1 1000 100 0 Oct 13 18:56 ??
-rw-r--r-- 1 1000 100 235 Oct 15 01:03 AustNet-#chatterz.log
-rw-r--r-- 1 1000 100 435 Oct 15 01:03 AustNet-#comrads.log
-rw-r--r-- 1 1000 100 23590 Oct 15 01:25 AustNet-#perth.log
-rw-r--r-- 1 1000 100 596 Oct 15 01:20 AustNet-#perthdc.log
-rw-r--r-- 1 1000 100 3674 Oct 15 01:22 AustNet-#snz.log
-rw-r--r-- 1 1000 100 4133 Oct 15 01:20 AustNet-#w.a.log
-rw-r--r-- 1 1000 100 400 Oct 15 01:03 AustNet-#wa.log
-rw-r--r-- 1 1000 100 3051 Oct 15 01:25 AustNet-#wb.log
-rw-r--r-- 1 1000 100 4692 Oct 15 01:04 AustNet-austnet.log
-rw-r--r-- 1 1000 100 0 Oct 14 17:50 You
-rw-r--r-- 1 1000 100 0 Oct 13 18:55 ahah?
drwxr-xr-t 2 1000 100 12704 Oct 15 01:02 back
-rw-r--r-- 1 1000 100 0 Oct 13 18:55 hhggst089?
-rw-r--r-- 1 1000 100 2411 Oct 15 01:25 irc.freenode.net-#gentoo-amd64.log
-rw-r--r-- 1 1000 100 16139 Oct 15 01:25 irc.freenode.net-#gentoo.log
-rw-r--r-- 1 1000 100 3785 Oct 15 01:03 irc.freenode.net-irc.freenode.net.log
-rw-r--r-- 1 1000 100 695 Oct 15 01:20 irc2.waixreactor.net-#wb.log
-rw-r--r-- 1 1000 100 1837 Oct 15 01:03 irc2.waixreactor.net-irc2.waixreactor.net.log
-rw-r--r-- 1 1000 100 0 Oct 13 18:55 it
```

I believe it is quite obvious which files belong and which don't. Could someone please help me track down this person? That folder is the only place I can see that has been altered.
EDIT: AFAIK they didn't get any root access.
xbmodder (Guru) | Joined: 25 Feb 2004 | Posts: 404
Posted: Thu Oct 14, 2004 5:49 pm
Remove the user, rm -rf /home/death, add the user back, set pass yourdeadifyoucrackthis.
daemonflower (Apprentice) | Joined: 17 Jul 2004 | Posts: 290
Posted: Thu Oct 14, 2004 5:56 pm
In addition, you'd better check whether any files have been modified in /etc, and in /bin and /usr/bin as well. And at least I can find logins in /var/log/messages; maybe you'll find a clue there as to where you were cracked from.
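The check daemonflower suggests for /etc, /bin and /usr/bin is easiest to do against a baseline. The following is an added example, not code from anyone in this thread: it snapshots every regular file under a root (SHA-256 plus mode and owner), can save the snapshot as JSON so it can be kept off the machine, and diffs two snapshots into added, removed, modified and attribute-changed sets. `demo()` builds a constructed miniature /etc tree in a temporary directory and tampers with it to show the output; the directory names and file contents in it are made up for the example. Run it from a live CD against the partition mounted read-only, as econan advises below, rather than with the host's own binaries.

```python
import hashlib
import json
import os
import stat
import tempfile


def _sha256(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (path relative to root) to hash, mode and owner."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices, sockets: handle separately if needed
            result[os.path.relpath(full, root)] = {
                'sha256': _sha256(full),
                'mode': oct(stat.S_IMODE(st.st_mode)),
                'uid': st.st_uid,
                'size': st.st_size,
            }
    return result


def save_baseline(snap, path):
    """Write the snapshot as JSON; keep this copy off the host being checked."""
    with open(path, 'w') as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def diff_snapshots(before, after):
    """Classify every path by how it differs between two snapshots."""
    common = set(before) & set(after)
    return {
        'added': sorted(set(after) - set(before)),
        'removed': sorted(set(before) - set(after)),
        'modified': sorted(p for p in common
                           if before[p]['sha256'] != after[p]['sha256']),
        # same content, but permission bits or owner changed
        'attr_changed': sorted(p for p in common
                               if before[p]['sha256'] == after[p]['sha256']
                               and (before[p]['mode'], before[p]['uid'])
                               != (after[p]['mode'], after[p]['uid'])),
    }


def demo():
    """Constructed scenario: baseline a fake /etc, then tamper with it and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, 'init.d'))
        with open(os.path.join(root, 'passwd'), 'w') as f:
            f.write('root:x:0:0::/root:/bin/bash\n')
        with open(os.path.join(root, 'init.d', 'sshd'), 'w') as f:
            f.write('#!/sbin/runscript\n')
        with open(os.path.join(root, 'hosts'), 'w') as f:
            f.write('127.0.0.1 localhost\n')
        baseline_file = os.path.join(root, 'baseline.json')
        save_baseline(snapshot(root), baseline_file)
        # Simulated tampering (constructed): an extra account, a new init script, a deleted file.
        with open(os.path.join(root, 'passwd'), 'a') as f:
            f.write('extra:x:0:0::/:/bin/sh\n')
        with open(os.path.join(root, 'init.d', 'zz-helper'), 'w') as f:
            f.write('#!/bin/sh\n')
        os.remove(os.path.join(root, 'hosts'))
        after = snapshot(root)
        after.pop('baseline.json', None)  # the baseline itself is not part of the tree
        return diff_snapshots(load_baseline(baseline_file), after)


if __name__ == '__main__':
    print(json.dumps(demo(), indent=1))
```

On a real system the baseline has to predate the intrusion; a snapshot taken after the fact only tells you what changes from now on. Package managers can supply the reference instead: the hashes recorded at install time (on Gentoo, the CONTENTS files under /var/db/pkg) are a baseline you already have.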
econan (n00b) | Joined: 01 Oct 2003 | Posts: 17 | Location: Washington, DC
Posted: Thu Oct 14, 2004 6:40 pm
Try to find out why you were hacked and learn from that mistake. Do not repeat it again.
Also check if the cracker got root access and potentially put a rootkit on the system. Immediately remove the system from the network if you haven't done so. Get a Knoppix-like live CD and start investigating for possible rootkits. A good start would be STD Knoppix [http://www.knoppix-std.org/]. I don't know how up to date it is in STD, but you can download the utility chkrootkit [http://www.chkrootkit.org/] for further rootkit investigations.
While making your investigations, do not forget to mount your hard drive partition(s) read-only.
Also, if you do not have critical information on that computer, I'd highly suggest wiping it and reinstalling the OS. If not, and you are making backups, use a known non-cracked backup version.
Good luck.
KozmoNaut (Apprentice) | Joined: 09 Dec 2002 | Posts: 168 | Location: Denmark
Posted: Thu Oct 14, 2004 6:56 pm
In addition to chkrootkit, try rkhunter. It never hurts to check twice ;)
_________________
War. War never changes.
ikaro (Advocate) | Joined: 14 Jul 2003 | Posts: 2527 | Location: Denmark
Posted: Thu Oct 14, 2004 7:48 pm
Yeah, and if your modem blinks, then it's because they are still in..
_________________
linux: #232767
lousyd (Apprentice) | Joined: 15 Mar 2003 | Posts: 166 | Location: Des Moines
Posted: Fri Oct 15, 2004 12:21 am
chkrootkit tells me:

```
Checking `du'... INFECTED
Checking `find'... INFECTED
Checking `init'... INFECTED
Checking `ls'... INFECTED
Checking `netstat'... INFECTED
```

rkhunter tells me that everything is cool, including the above programs. This sounds to me like maybe chkrootkit is wrong. How likely is this? I re-emerged coreutils, and I still get the above. Perhaps gcc itself is infected and is compiling coreutils with the infections...
Oh, and my modem is blinking. I think it's because I visited Slashdot and so some hackers found out about my system.
_________________
Minds are like parachutes... Most people will do their damnedest to avoid having to use one.
xbmodder (Guru) | Joined: 25 Feb 2004 | Posts: 404
Posted: Fri Oct 15, 2004 3:23 am
Wow, I never knew Linux could get a virus...

```
emerge clamav
# edit your /etc/clamd.conf and remove the example line
/etc/init.d/clamd start
clamd PING   # make sure this works
freshclam
/etc/init.d/clamd restart
cd /
clamscan -r
```

EDIT: changed line 9 from `clamscan` to `clamscan -r`.
daemonflower (Apprentice) | Joined: 17 Jul 2004 | Posts: 290
Posted: Fri Oct 15, 2004 10:50 am
> lousyd wrote: This sounds to me like maybe chkrootkit is wrong. How likely is this?

I don't know how likely this is, but I don't get positives on those files here. chkrootkit-0.44, coreutils-5.2.1.
xbmodder (Guru) | Joined: 25 Feb 2004 | Posts: 404
Posted: Fri Oct 15, 2004 1:55 pm
PING!!!!!!!!!11
Listen to me, clamav is never wrong.!!!!!!!!!!!
If ya want, you can get a new set of glibc + gcc + binutils + coreutils.
ikaro (Advocate) | Joined: 14 Jul 2003 | Posts: 2527 | Location: Denmark
Posted: Fri Oct 15, 2004 2:30 pm
I think your motherboard BIOS is infected with a trojan!
You should install another hard drive and switch your mouse ASAP!
Spamware is very dangerous, and if you use Internet Explorer make sure to disable cakes.
_________________
linux: #232767