[Tfug] Server Compromise
Rich
r-lists at studiosprocket.com
Thu Sep 27 16:03:47 MST 2007
Check inittab for stuff respawning.
I'd take it down for as long as it takes to restore a recent good /
etc, /sbin and /usr/sbin and boot into a known kernel. Then start
plugging holes.
R.
On Sep 27, 2007, at 2:01 pm, Chris Hill wrote:
> Hi all,
>
> I've got a major headache today, looking to see if someone might be
> able
> to help. We've got a server, its been compromised with a phishing
> scam.
> It looks like its very possibly has been rooted. I cannot fully
> turn off
> the box but we are pulling all non-essential services off the public
> net. If anyone can help me figure out how bad things are that would be
> really cool.
>
> I am working on the assumption we are rooted, mainly because the user
> has copied files as root to the box into /tmp and /var/www. I removed
> the /var/www files and he put them back and made it so that i cannot
> delete them( even as root ) . I'm also assuming that my ls, lsattr,
> chmod, chown, chattr, etc. files are hacked, which is why i cannot
> delete the /var/www files.
>
> If you're able to look at the box and see if you can help me delete
> these files and figure out what's going on, that'd be great!
>
> Thanks
> C
>
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
More information about the tfug
mailing list