
Re: HELP, my Debian Server was hacked!



While the earlier advice is probably the best advice, don't forget to run
chkrootkit.

I recently had the same thing happen to one of my machines. I've found a
kit in /dev/proc/fuckit

The total nuking of /log makes this look like a very amateur job.  If they
were hot they would edit the appropriate logs and retouch the dates etc.,
leaving less blatant signs.

I can't totally rule out a physical hack as it is an office machine, but
if it was network I really want to know what in sarge can be so blatantly
abused.  (nightly apt-get update && apt-get upgrade)

David.


On Tue, 22 Apr 2003, xbud wrote:

> tar up your /proc/ directory
> to save a copy of your kcore - it should have useful information unless he
> managed to zero out all the memory that was being utilized during the
> break-in.
>
> turn the box off but make sure it doesn't delete crap, watch out for logic bombs
> or what not.
>
> remove the disk and mount it on another box -o ro (read only) and do your
> analysis there.
>
>
> On Tuesday 22 April 2003 13:00, Christian Könning wrote:
> > Hello List,
> >
> > I hope this is not off topic:
> >
> > My private server has been hacked:
> > debian woody 2.4.18bf2.4 kernel, apache-ssl, samba, squid.
> >
> > now my problem: the intruder used a rootkit, I think, because he deleted
> > /var/log, symlinked /root/.bash_history > /dev/null, etc.
> > Is there any way to recover the evidence, e.g. the /var/log/ directory?
> > (ext2)
> >
> > and there are three sh processes running as root? Ptrace exploit?
> > How can I dump these processes to file, to keep this evidence?
> >
> >
> > Thanks for help
>
> --
> ------------------------------
> Orlando Padilla
> http://www.g0thead.com/xbud.asc
> ------------------------------

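Christian's question about dumping the three root `sh` processes to a file goes unanswered above. What follows is an added example, not code from any poster on this thread, that preserves what /proc exposes about one process (cmdline, status, environ, maps, the exe link, and every readable mapping read through /proc/<pid>/mem) in the spirit of xbud's "tar up /proc" advice. It assumes a modern Linux kernel where /proc/<pid>/mem is readable by root (or by the process owner) without a ptrace attach, and the maps excerpt used to check the parser is a constructed sample, not from a real incident.

```python
import hashlib
import os
import tempfile

def parse_maps(text, readable_only=False):
    # Each line: "start-end perms offset dev inode [path]"; path is '' when anonymous.
    regions = []
    for line in text.splitlines():
        f = line.split(None, 5)
        if len(f) < 2:
            continue
        start, end = (int(x, 16) for x in f[0].split("-"))
        path = f[5].strip() if len(f) > 5 else ""
        # The kernel's vsyscall page can never be read through /proc/<pid>/mem.
        if readable_only and (not f[1].startswith("r") or path == "[vsyscall]"):
            continue
        regions.append((start, end, f[1], path))
    return regions

def dump_process(pid, outdir=None):
    # Copies metadata and every readable mapping of `pid` into outdir; returns a summary.
    outdir = outdir or tempfile.mkdtemp(prefix="procdump-%d-" % pid)
    proc = "/proc/%d" % pid
    summary = {"pid": pid, "outdir": outdir, "regions": 0, "bytes": 0, "sha256": {}}
    for name in ("cmdline", "status", "environ", "maps"):  # what the process claims to be
        src, dst = os.path.join(proc, name), os.path.join(outdir, name)
        with open(src, "rb") as f, open(dst, "wb") as out:
            out.write(data := f.read())
        summary["sha256"][name] = hashlib.sha256(data).hexdigest()  # hash at capture time
    try:  # the exe link still resolves when the binary was unlinked from disk after start
        summary["exe"] = os.readlink(os.path.join(proc, "exe"))
    except OSError:
        summary["exe"] = None
    with open(os.path.join(outdir, "maps")) as f:
        regions = parse_maps(f.read(), readable_only=True)
    memfd = os.open(os.path.join(proc, "mem"), os.O_RDONLY)
    try:
        for start, end, _perms, _path in regions:
            try:
                data = os.pread(memfd, end - start, start)
            except (OSError, OverflowError):
                continue  # unreadable mapping such as [vvar]: skip it and keep going
            with open(os.path.join(outdir, "mem_%x-%x.bin" % (start, end)), "wb") as out:
                out.write(data)
            summary["regions"] += 1
            summary["bytes"] += len(data)
    finally:
        os.close(memfd)
    return summary
```

Run it before powering off, and write the output to a mounted external disk rather than the suspect filesystem; if the kit hooks /proc, the copy only reflects what the kit lets the kernel show you, which is one more reason to also take xbud's kcore copy.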