
Re: HELP, my Debian Server was hacked!



Hi,

Boot your machine in single user mode. 
Run md5sum on /sbin/init and compare it with a 'secure' machine. 
Download http://www.chkrootkit.org and run it. It's recommended to run
chkrootkit using your own static binaries on another path or CDROM (you can see which binaries are
needed on the chkrootkit website). 

chkrootkit provides a 'strings' binary. Run it on /sbin/init and look for
strange expressions (usually FUCK or something like that). 

It's recommended to run a nightly apt-get update and apt-get upgrade to keep your machines
safe. :-)

There are a lot of exploits for openssl; the most used is
openssl-too-open, and it can exploit a non-updated version of Woody. 



On Tue, Apr 22, 2003 at 09:00:11PM +0200, Christian Könning wrote:
> Hello List,
> 
> I hope this is not off topic:
> 
> My private server has been hacked:
> debian woody 2.4.18bf2.4 kernel, apache-ssl, samba, squid.
> 
> Now my problem: the intruder used a rootkit, I think, because he deleted
> /var/log, symlinked /root/.bash_history > /dev/null, etc.
> Is there any way to recover the evidence, e.g. the /var/log/ directory?
> (ext2)
> 
> And there are three sh processes running as root? Ptrace exploit?
> How can I dump these processes to a file, to keep this evidence?
> 
> 
> Thanks for help
> 
> --
> Christian Koenning
> 
> 

-- 
Christiano Anderson <anderson@debian-rs.org>
http://people.debian-rs.org/~anderson
Porto Alegre/RS
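The integrity check described in the reply above (hash /sbin/init against a value taken from a trusted machine, then dump its printable strings and grep for words that have no business being in init), written out as a small POSIX sh script. This is an added example, not code from the original post or from chkrootkit. The "clean" and "trojaned" init files, the expected hash and the list of suspect words are all constructed here so it runs offline; on a real incident the expected hash comes from md5sum on a clean box running the same package version, and md5sum, tr and grep themselves should be static binaries from trusted media, since the copies on the compromised disk may be replaced too. Note that this only catches files that were modified on disk: a kernel-module rootkit can lie to every userland tool, which is the reason the reply recommends single-user mode and tools from a CDROM.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post: hash a binary and
# compare it with a trusted value, then look for suspicious printable strings.
# Fixture files, the expected hash and the suspect-word list are constructed
# below so the script runs offline.
LC_ALL=C
export LC_ALL

# Words that should never appear in a stock init. Assumed list, extend to taste.
SUSPECT_WORDS='FUCK|rootkit|backdoor|hidden|31337'

# check_hash FILE EXPECTED_MD5 -> 0 if the file's md5 matches, 1 otherwise.
check_hash() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# printable_strings FILE -> runs of 4+ printable characters, one per line
# (what `strings` does, built from tr/grep so it works even where the
# binutils `strings` is missing or not trusted).
printable_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# suspicious_strings FILE -> prints matching strings and returns 0 if any
# suspect word is found, 1 if the binary looks clean.
suspicious_strings() {
    printable_strings "$1" | grep -i -E "$SUSPECT_WORDS"
}

# audit FILE EXPECTED_MD5 -> 0 when both checks pass, 1 when either fails.
audit() {
    status=0
    if check_hash "$1" "$2"; then
        echo "$1: md5 matches trusted baseline"
    else
        echo "$1: MD5 MISMATCH, binary was replaced or patched"
        status=1
    fi
    found=$(suspicious_strings "$1") && {
        echo "$1: suspicious strings:"
        echo "$found" | sed 's/^/    /'
        status=1
    }
    return $status
}

# --- constructed fixtures: a fake "clean" init and a trojaned copy of it ---
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CLEAN_INIT="$WORKDIR/init"
TROJAN_INIT="$WORKDIR/init.trojaned"
printf '\177ELF\001\001init version 2.84-9 (sysvinit)\n' > "$CLEAN_INIT"
# The trojaned copy keeps the original bytes and appends an attacker string.
cat "$CLEAN_INIT" > "$TROJAN_INIT"
printf 'rootkit v0.1 hidden sh on port 31337\n' >> "$TROJAN_INIT"

# Stand-in for the value you would bring over from the trusted machine.
GOOD_INIT_MD5=$(md5sum "$CLEAN_INIT" | cut -d' ' -f1)

for f in "$CLEAN_INIT" "$TROJAN_INIT"; do
    if audit "$f" "$GOOD_INIT_MD5"; then
        echo "$f: OK"
    else
        echo "$f: COMPROMISED"
    fi
done
```

To use it for real, replace GOOD_INIT_MD5 with the hash from the clean machine and point audit at /sbin/init, /bin/ps, /bin/netstat, /bin/ls and the other binaries rootkits usually replace, running it from the static toolset mentioned in the reply.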


