
Re: HELP, my Debian Server was hacked!



Tar up your /proc/ directory to save a copy of your kcore - it should have
useful information unless he managed to zero out all the memory that was
being utilized during the break-in.

Turn the box off, but make sure it doesn't delete crap; watch out for logic
bombs or whatnot.

Remove the disk and mount it on another box -o ro (read only) and do your
analysis there.


On Tuesday 22 April 2003 13:00, Christian Könning wrote:
> Hello List,
>
> I hope this is not off topic:
>
> My private server has been hacked:
> debian woody 2.4.18bf2.4 kernel, apache-ssl, samba, squid.
>
> Now my problem: the intruder used a rootkit, I think, because he deleted
> /var/log, symlinked /root/.bash_history > /dev/null, etc.
> Is there any way to recover the evidence, e.g. the /var/log/ directory?
> (ext2)
>
> And there are three sh processes running as root? Ptrace exploit?
> How can I dump these processes to file, to keep this evidence?
>
>
> Thanks for help

-- 
------------------------------
Orlando Padilla
http://www.g0thead.com/xbud.asc
------------------------------
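The two steps the reply recommends (grab volatile evidence about the suspect root processes before powering off, then mount the pulled disk strictly read-only on another box) as an added example; this is not code from the thread. It assumes a Linux /proc, GNU coreutils, and root privileges for processes you do not own.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes Linux /proc and
# GNU coreutils (sha256sum); run as root to read other users' processes.

# Copy the /proc entries that describe one process (command line, status,
# memory map, environment, open fds, exe/cwd targets) into OUTDIR/<pid>/
# and write a SHA-256 manifest so the copies can be verified later.
collect_proc_evidence() {
    pid=$1; outdir=$2
    d="$outdir/$pid"
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    mkdir -p "$d" || return 1
    for f in cmdline status maps environ; do
        # cat rather than cp: /proc files report a size of 0
        cat "/proc/$pid/$f" > "$d/$f" 2>/dev/null || :
    done
    # a binary that was deleted while running shows up as "... (deleted)"
    readlink "/proc/$pid/exe" > "$d/exe.link" 2>/dev/null || :
    readlink "/proc/$pid/cwd" > "$d/cwd.link" 2>/dev/null || :
    ls -l "/proc/$pid/fd" > "$d/fd.txt" 2>/dev/null || :
    ( cd "$d" && sha256sum cmdline status maps environ exe.link cwd.link fd.txt ) \
        > "$d/MANIFEST.sha256"
}

# Re-check a manifest written above; non-zero exit on any mismatch.
verify_proc_evidence() {
    ( cd "$1/$2" && sha256sum -c --quiet MANIFEST.sha256 )
}

# Mount options for the pulled disk on the analysis box: read-only, no
# device nodes, no executables, no atime updates, and for journaled
# filesystems no journal replay (which would write to the disk even with ro).
ro_mount_opts() {
    case "$1" in
        ext3|ext4) echo "ro,noexec,nodev,noatime,noload" ;;
        *)         echo "ro,noexec,nodev,noatime" ;;
    esac
}
```

For the ext2 disk from the original post this gives `mount -t ext2 -o "$(ro_mount_opts ext2)" /dev/sdb1 /mnt/evidence` (device path is a placeholder).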