Re: Suspect Web Server has been hacked :(

To: "Debian-Isp" <debian-isp@lists.debian.org>
Subject: Re: Suspect Web Server has been hacked :(
From: wagnerc@plebeian.com (Chris Wagner)
Date: Fri, 31 Aug 2001 00:37:37 -0400
Message-id: <[🔎] 200108310437.f7V4bWQ07886@mail.goodnews.net>

I think it's probably too late for that.  The only way to be 100% about your
"disinfected" system is to fdisk it and rebuild from scratch.  You can save
your config files and data files, if you're sure they too haven't been
altered.  But say somebody relaxed an obscure security setting in some
config file that will make it easy for them to get right back in.

The only sure fire way of detecting what was done is to use something like
tripwire to take a snapshot of the system *before* it goes online again.
Then save that snapshot off-system on write protected media.  Like a floppy
disk with the write protect tab set or a CD.  Then do a nightly comparison
of the system to the snapshot.  But keep in mind that the comparison
software itself can be hacked so it should run off-system too.  Periodically
do manual scans, because if you just have a cron job running to alert you to
instrusion, somebody can just change the crontab to send you bogus
"alls-well" status reports, when in fact the thing ain't even running!!

At 09:34 AM 8/30/01 +0200, Craig wrote:
>Hi debian fellas
>
>I need to know if there is any software for debian to
>detect the presence of backdoors or rootkits. I suspect
>that our old debian web server has been compromised.
>
>..Craig

                    ---=<ALL YOUR BASE ARE BELONG TO US>=---
            ___/`<YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!>`\___

00000100

Reply to:

Prev by Date: dhcpd option static-routes and network routes.
Next by Date: Re: Apache not dropping port 80
Previous by thread: Re: Suspect Web Server has been hacked :(
Next by thread: Funny kernel antics
Index(es):
- Date
- Thread