Re: HELP, my Debian Server was hacked!
Tar up your /proc/ directory
to save a copy of your kcore - it should have useful information unless he
managed to zero out all the memory that was being utilized during the break-in.
Turn the box off, but make sure it doesn't delete crap; watch out for logic bombs
or whatnot.
Remove the disk, mount it on another box -o ro (read only), and do your
analysis there.
On Tuesday 22 April 2003 13:00, Christian Könning wrote:
> Hello List,
>
> I hope this is not off topic:
>
> My private server has been hacked:
> debian woody 2.4.18bf2.4 kernel, apache-ssl, samba, squid.
>
> Now my problem: the intruder used a rootkit, I think, 'cause he deleted
> /var/log, symlinked /root/.bash_history -> /dev/null, etc.
> Is there any way to recover the evidence, e.g. the /var/log/ directory?
> (ext2)
>
> And there are three sh processes running as root? Ptrace exploit?
> How can I dump these processes to a file, to keep this evidence?
>
>
> Thanks for help
--
------------------------------
Orlando Padilla
http://www.g0thead.com/xbud.asc
------------------------------
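The reply above says to grab /proc before powering off and to mount the disk read only on another box, and the original post asks how to dump the suspicious sh processes to a file. The script below is an added example written for this page, not something posted by either participant. It snapshots the text artefacts of one process from /proc (command line, environment, status, memory map, the real path of the executable and cwd, open file descriptors) into a directory with a SHA-256 manifest, and wraps the read-only mount with the options a forensics mount usually wants. It assumes a Linux /proc and the sha256sum utility (both assumptions, not stated in the thread); mount_evidence_ro needs root and a real block device, so it is defined but not called here.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes Linux /proc and sha256sum.

# snapshot_proc PID OUTDIR
# Copy the informative /proc/PID entries into OUTDIR and write OUTDIR/MANIFEST.
# /proc files report a size of 0, so cat them instead of cp.
snapshot_proc() {
    pid="$1"
    out="$2"
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    mkdir -p "$out" || return 1

    # Plain text views of the process: argv, environment, status, memory map.
    for f in cmdline environ status maps; do
        if ! cat "/proc/$pid/$f" > "$out/$f" 2>/dev/null; then
            : > "$out/$f"   # unreadable (e.g. foreign uid): keep an empty marker
        fi
    done

    # Symlink targets: where the binary and cwd really live. A binary that
    # was unlinked after exec shows up here with a "(deleted)" suffix.
    readlink "/proc/$pid/exe" > "$out/exe" 2>/dev/null || : > "$out/exe"
    readlink "/proc/$pid/cwd" > "$out/cwd" 2>/dev/null || : > "$out/cwd"

    # Open descriptors, one "fd -> target" line each (sockets, pipes, files).
    ls -l "/proc/$pid/fd" > "$out/fd.txt" 2>/dev/null || : > "$out/fd.txt"

    # Hash everything collected so later tampering with the copy is detectable.
    (cd "$out" && sha256sum cmdline environ status maps exe cwd fd.txt) \
        > "$out/MANIFEST"
}

# mount_evidence_ro DEVICE MOUNTPOINT
# Mount the pulled disk read only on the analysis box. noexec/nodev/nosuid stop
# anything on the evidence disk from being run by accident; noatime is belt and
# braces on top of ro so inode timestamps are not touched. Requires root.
mount_evidence_ro() {
    dev="$1"
    mnt="$2"
    mkdir -p "$mnt" || return 1
    mount -o ro,noexec,nodev,nosuid,noatime "$dev" "$mnt"
}

# Usage when run directly: snapshot the calling shell itself as a demonstration.
# On a real incident, loop over the suspicious PIDs (e.g. from "ps -ef")
# and point OUTDIR at removable media, not at the compromised disk.
if [ "${1:-}" = "--demo" ]; then
    snapshot_proc "$$" "${2:-/tmp/proc-evidence-$$}" && cat "${2:-/tmp/proc-evidence-$$}/MANIFEST"
fi
```

Collect the per-process snapshots before the power-off step, since they are gone once the box is down; the manifest lets you show later that the copies match what was taken at the time.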