It's 5:30. I'm with some friends when I get beeped. It's my home number. I call. It's my roommate. His RedHat 6.0 box was hacked. What should he do?
I mention a few things to look for, but it looks bad. Whoever broke in either got spooked or was feeling malicious; the final two commands we found in the .bash_history file were:
```
rm -rf /var/log
rm -rf /*
```
My roommate, Rob, [1] managed to stop it before it did more damage, but they still wiped out /boot, /bin and parts of /dev. Using Tom's RootBoot disk, [2] he was able to survey the damage and then waited until I got home.
From what I've been able to determine, it appears that some script kiddie was running a program to look for exploitable boxes (RedHat 6.0), because around noon yesterday someone tried to FTP into my box and Rob's other box from Harvard. [3] That same script kiddie then had a list of hosts to exploit today, and Rob's box was broken into and damaged around 5:30 pm EST.
Breaking in and looking around is one thing. Maliciously deleting files is another.