
Thread: System is hacked

  1. #11
    Join Date
    Dec 2013
    Beans
    3

    Re: System is hacked

    I'm surprised no one suggested Ubuntu's live CD approach and rooting yourself that way. Would that not be an option, and have I jumped the gun with a funny yet stupid suggestion?

  2. #12
    Join Date
    Oct 2011
    Beans
    3

    Re: System is hacked

    How do you think they got in?

    Is your 'buntu system full of messages like this in /var/log/auth.log?

    Failed password for root from 124.35.54.185 port 53530 ssh2

  3. #13
    Join Date
    Aug 2013
    Beans
    17
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: System is hacked

    Sheyl_Karakas, perhaps you can boot from an Ubuntu or Puppy or other live CD. Make the CD using Windows. Then perhaps you can copy your data from the Ubuntu machine. Of course, with a lot of media files you may need a big storage device...

    If you can get the data off, then I would agree with the previous poster that a clean install is your best shot.

    If you can't access the data from a live CD, then things get more complicated, I guess. You might try downloading specialized software such as the Trinity rescue disk:

    http://trinityhome.org/Home/index.ph...g=en&locale=en

    and try to boot from that.

  4. #14
    Join Date
    Jun 2006
    Location
    Houston, TX
    Beans
    1,333
    Distro
    Ubuntu 6.06

    Re: System is hacked

    1) If your Linux box was actually hacked and not just broken, you simply cannot trust it. There are some VERY good rootkits out there that will never be found.

    2) If you cannot boot into recovery mode, you can boot a live CD and mount your drive. At that point you can use "chroot" to mount your old file system as a running system, but still running the live CD image. Then you can fix any passwords.

    3) Look at /etc/shadow (You will need to do it as root, so use sudo) and the root account should look like this...
    Code:
    root:!:15899:0:99999:7:::
    If it looks like this,
    Code:
    root:$6$YvsDcBp$vCjxd.EvFcRu3F/mIR.tqtrDyXQOne41eCkbq//tR8r1psChdHRD2V0i0ILhABrZfuzwXIp1TZ658p9mnvZJm.:15899:0:99999:7:::
    Then you have been given a root password. Change it back to lock them out. (Assuming no other rootkits, which ain't likely)
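
The /etc/shadow check from post #14, as an added example that is not part of the original thread: it classifies the password field of each entry and reports root when it is not locked, plus any account with an empty field. The function names and sample entries are constructed for illustration, and it assumes a default Ubuntu install where root is expected to be locked.

```python
import sys

# Hash scheme ids used by crypt(3) in the "$id$salt$hash" format.
SCHEMES = {"1": "MD5", "5": "SHA-256", "6": "SHA-512", "y": "yescrypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}

# Constructed sample, not taken from a real system.
SAMPLE = """\
root:$6$EXAMPLESALT$CONSTRUCTEDHASH:15899:0:99999:7:::
daemon:*:15899:0:99999:7:::
alice:!$6$EXAMPLESALT$CONSTRUCTEDHASH:15899:0:99999:7:::
guest::15899:0:99999:7:::
"""

def classify(field):
    """Classify the password field (second column) of a shadow entry."""
    if field == "":
        return ("empty", "empty password field")
    if field[0] in "!*":
        if field.lstrip("!*").startswith("$"):
            return ("locked", "hash present but disabled")
        return ("locked", "no usable password")
    if field.startswith("$"):
        scheme = field.split("$")[1]
        return ("password", SCHEMES.get(scheme, "unknown scheme"))
    return ("password", "legacy or unrecognised format")

def audit(shadow_text):
    """Report root if it is not locked, and any account with an empty field."""
    findings = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        user, (state, detail) = parts[0], classify(parts[1])
        if (user == "root" and state != "locked") or state == "empty":
            findings.append((user, state, detail))
    return findings

if __name__ == "__main__":
    # Pass the shadow file of the mounted disk as an argument (the path is the
    # reader's choice); without one, the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for user, state, detail in audit(text):
        print(f"{user}: {state} ({detail})")
```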
