[Tfug] Server Compromise
Chris Hill
ubergeek at ubergeek.tv
Thu Sep 27 14:01:17 MST 2007
Hi all,
I've got a major headache today, looking to see if someone might be able
to help. We've got a server; it's been compromised with a phishing scam.
It looks like it very possibly has been rooted. I cannot fully turn off
the box, but we are pulling all non-essential services off the public
net. If anyone can help me figure out how bad things are, that would be
really cool.
I am working on the assumption we are rooted, mainly because the user
has copied files as root to the box into /tmp and /var/www. I removed
the /var/www files and he put them back and made it so that I cannot
delete them (even as root). I'm also assuming that my ls, lsattr,
chmod, chown, chattr, etc. files are hacked, which is why I cannot
delete the /var/www files.
If you're able to look at the box and see if you can help me delete
these files and figure out what's going on, that'd be great!
Thanks
C
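The two things a responder checks first for the "root cannot delete it" symptom described in the post are the ext2/ext3 immutable attribute (set with chattr +i, visible as an "i" in lsattr output) and whether the coreutils the poster is relying on have been replaced. The script below is an added example, not code from the original post: it parses lsattr-style output to list locked files, and it builds a hash manifest of a known-good tree and verifies a live tree against it. The lsattr lines, the paths and the "binaries" are constructed so the script runs stand-alone; on a real host the lsattr output and the manifest would come from a trusted toolset (rescue media or package verification), never from the binaries on the suspect box.

```shell
#!/bin/sh
# Added example, not part of the original post. Two triage checks for
# "root cannot delete the files": chattr +i (immutable) and replaced
# coreutils. All input is constructed; paths are hypothetical.

# Constructed lsattr -R style output. In the attribute column an 'i'
# means immutable (no unlink/rename/write, even for root) and an 'a'
# means append-only; both are cleared with chattr -i / chattr -a.
SAMPLE_LSATTR='----i-------- /var/www/html/phish/index.php
-----a------- /var/www/html/phish/.victims
------------- /var/www/html/index.html
----i-------- /tmp/.x/ls'

# Print "<path> <flags>" for every entry carrying i or a. Always returns 0.
find_locked() {
  printf '%s\n' "$SAMPLE_LSATTR" | while read -r attrs path; do
    flags=""
    case "$attrs" in *i*) flags="${flags}i" ;; esac
    case "$attrs" in *a*) flags="${flags}a" ;; esac
    if [ -n "$flags" ]; then
      printf '%s %s\n' "$path" "$flags"
    fi
  done
  return 0
}

# Number of locked entries, for a quick yes/no during triage.
count_locked() {
  find_locked | wc -l | tr -d ' '
}

# Hash every file under a known-good tree into a manifest ($2 must be an
# absolute path because the function cds into $1).
make_manifest() {
  (cd "$1" && find . -type f | sort | xargs sha256sum) > "$2"
}

# Check a live tree against the manifest. sha256sum -c --quiet prints only
# the "<path>: FAILED" lines and returns non-zero when anything differs.
verify_manifest() {
  (cd "$1" && sha256sum -c --quiet "$2") 2>/dev/null
}

# Build a good tree, snapshot it, copy it to a "live" tree, optionally
# tamper with live/bin/ls, and report "clean" or "modified: <paths>".
# $1 = yes to tamper, anything else to leave the live tree intact.
verify_demo() {
  work=$(mktemp -d)
  mkdir -p "$work/good/bin" "$work/live/bin"
  printf 'original ls\n'     > "$work/good/bin/ls"
  printf 'original lsattr\n' > "$work/good/bin/lsattr"
  make_manifest "$work/good" "$work/manifest.sha256"
  cp "$work/good/bin/"* "$work/live/bin/"
  if [ "$1" = yes ]; then
    printf 'trojaned ls\n' > "$work/live/bin/ls"   # constructed tampering
  fi
  if verify_manifest "$work/live" "$work/manifest.sha256" > "$work/report"; then
    result="clean"
  else
    result="modified: $(tr '\n' ' ' < "$work/report")"
  fi
  rm -rf "$work"
  printf '%s\n' "$result"
}

# Stand-alone run: list locked files, then show a tampered-binary report.
find_locked
verify_demo yes
```

On the poster's box the same workflow would be: boot trusted media, run that media's lsattr -R over /var/www and /tmp, clear the i/a attributes before deleting, and verify the package-owned binaries (rpm -V or debsums on the distributions that have them) rather than trusting the installed ls and chattr.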