Re: Suspect Web Server has been hacked :(
On Thu, Aug 30, 2001 at 10:11:42AM +0200, Joerg Wendland wrote:
> Hi Craig,
> On Thu, Aug 30, 2001 at 09:34:51AM +0200, Craig wrote:
> > I need to know if there is any software for debian to
> > detect the presence of backdoors or rootkits. I suspect
> > that our old debian web server has been compromised.
> This is what I would do:
> - check running processes: compare 'ps ax' with the process
> entries in /proc. Most rootkits hide processes via a patched
> ps but cannot do so with the procfs.
Unless they've installed a kernel module that messes around with
procfs or something.
> - scan the machine for unusual open ports and use lsof to find
> out to which processes these ports belong, but be aware that
> lsof might be rooted
You could also compare the output of netstat -tuln with a
portscan of the machine to see if they agree.
> - back up your data and reinstall the machine.
And don't back up any possibly trojaned binaries :)
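As an added illustration of the 'ps ax' versus /proc comparison above (this is my own example, not code from either poster, and it assumes a Linux box with procfs mounted and the procps 'ps'): the script below pulls PIDs out of ps output, pulls the numeric entries out of a /proc listing, and reports whatever the kernel knows about but ps did not mention. The sample ps output and /proc listing at the top are constructed. To cut down on false positives from processes that start or exit while the snapshots are taken, the live check lists /proc before and after running ps and only trusts PIDs that appear in both listings. As noted above, none of this helps against a kernel module that also filters procfs.

```python
import os
import re
import subprocess

# Constructed sample data (not from any real host): what 'ps ax' and a
# listing of /proc might look like when one process is hidden from ps.
SAMPLE_PS = (
    "  PID TTY      STAT   TIME COMMAND\n"
    "    1 ?        Ss     0:01 /sbin/init\n"
    "  412 ?        Ss     0:00 /usr/sbin/sshd\n"
)
SAMPLE_PROC = ["1", "412", "777", "cpuinfo", "meminfo", "net", "self"]


def pids_from_ps(ps_output):
    """Return the set of PIDs in 'ps ax' output (first column, header skipped)."""
    pids = set()
    for line in ps_output.splitlines()[1:]:
        match = re.match(r"\s*(\d+)\s", line)
        if match:
            pids.add(int(match.group(1)))
    return pids


def pids_from_proc(entries):
    """Return the set of PIDs from a /proc listing; only all-digit names count."""
    return {int(name) for name in entries if name.isdigit()}


def hidden_pids(ps_pids, proc_pids):
    """PIDs the kernel exposes in /proc that ps did not report, sorted."""
    return sorted(proc_pids - ps_pids)


def check_live_host():
    """Run the comparison on this machine (Linux with procfs and procps 'ps').

    The snapshots race against process creation and exit: a process that
    exits between listing /proc and running ps would look 'hidden'.  So
    /proc is listed before and after ps runs, and only PIDs present in both
    listings are compared against the ps output.
    """
    proc_before = pids_from_proc(os.listdir("/proc"))
    ps = subprocess.run(["ps", "ax"], capture_output=True, text=True, check=True)
    proc_after = pids_from_proc(os.listdir("/proc"))
    stable = proc_before & proc_after
    return hidden_pids(pids_from_ps(ps.stdout), stable)


if __name__ == "__main__":
    for pid in check_live_host():
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            cmd = "(gone or unreadable)"
        print(f"hidden from ps: pid {pid} {cmd}")
```

Run it as root so every /proc/<pid>/cmdline is readable; an empty result means ps and procfs agree, which is the expected state on a clean box.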