Server hacked - next...?
Hi all,
Well... bad day for me.
One of our servers was hacked (woody)... badly, from what I can see. A
whole bunch of binaries have been modified, and strange processes are
running on the server. The hack date appears to be June 6.
Is there a document somewhere, or a procedure, to recover after this? This
is a working and running system, so I somehow need to be able to recover
from this with minimal impact to end users.
Some things like:
www-data 17451  0.0  0.0  2164  928 ?  S  02:31  0:00 /bin/sh
www-data 21550  0.0  0.0  1232  236 ?  S  05:02  0:00 ./x
www-data 21551  0.0  0.0     0    0 ?  Z  05:02  0:00 [x <defunct>]
root     21552  0.0  0.0     0    0 ?  Z  05:02  0:00 [modprobe <defunc
root     21554  0.0  0.0  2148  912 ?  S  05:02  0:00 /bin/sh
root     21755  0.0  0.0  2164  948 ?  S  05:02  0:00 /bin/sh
root     21801  0.0  0.0  2180  964 ?  S  05:03  0:00 /bin/bash ./troja
root     22010  0.0  0.0  1244  204 ?  S  05:03  0:00 ./siz ifconfigx /
root     12267  0.0  0.0     0    0 ?  Z  07:15  0:00 [date <defunct>]
root     12266  0.0  0.0  1264  252 ?  T  07:15  0:00 date +%d
Anyone seen anything like this? Could this be the kernel hack people were
talking about affecting 2.4.17?
Guess you guys would know a lot about this stuff...
Any help and suggestions greatly appreciated.
Sincerely,
Jas
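As an added illustration (not part of Jas's post or any Debian tool), the script below runs a few triage heuristics over the process listing from the post, with the mail-wrapped lines rejoined: a service account such as www-data holding a shell, executables started by relative path (./x, ./troja, ./siz), root shells with no controlling tty, and defunct children. The rules and the SERVICE_ACCOUNTS set are my own assumptions about what is worth a second look, not a definition of "malicious". One caveat that follows directly from the post: if the system's binaries have been replaced, `ps` itself may lie, so feed this a listing taken with a known-good static `ps` or from a rescue boot rather than trusting the compromised box's output.

```python
"""Triage heuristics over a `ps aux` style listing.

Added example, not code from the original post. SAMPLE is the listing from
the post (mail-wrapped lines rejoined); the heuristics are assumptions about
what merits a closer look on a box whose binaries have been tampered with.
"""
import re

# `ps aux` columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
PS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<tty>\S+)\s+"
    r"(?P<stat>\S+)\s+(?P<start>\S+)\s+(?P<time>\S+)\s+(?P<cmd>.*)$"
)

# Listing from the post, rejoined where the mail client wrapped it.
SAMPLE = """\
www-data 17451 0.0 0.0 2164 928 ? S 02:31 0:00 /bin/sh
www-data 21550 0.0 0.0 1232 236 ? S 05:02 0:00 ./x
www-data 21551 0.0 0.0 0 0 ? Z 05:02 0:00 [x <defunct>]
root 21552 0.0 0.0 0 0 ? Z 05:02 0:00 [modprobe <defunc
root 21554 0.0 0.0 2148 912 ? S 05:02 0:00 /bin/sh
root 21755 0.0 0.0 2164 948 ? S 05:02 0:00 /bin/sh
root 21801 0.0 0.0 2180 964 ? S 05:03 0:00 /bin/bash ./troja
root 22010 0.0 0.0 1244 204 ? S 05:03 0:00 ./siz ifconfigx /
root 12267 0.0 0.0 0 0 ? Z 07:15 0:00 [date <defunct>]
root 12266 0.0 0.0 1264 252 ? T 07:15 0:00 date +%d
"""

SHELLS = {"/bin/sh", "/bin/bash", "sh", "bash"}
# Assumed set of accounts that should never own an interactive shell.
SERVICE_ACCOUNTS = {"www-data", "nobody", "apache"}


def parse_ps(text):
    """Parse `ps aux` lines into dicts; lines that do not match are skipped."""
    procs = []
    for line in text.splitlines():
        m = PS_RE.match(line.strip())
        if m:
            procs.append(m.groupdict())
    return procs


def triage(text):
    """Return {pid: [reasons]} for processes that trip at least one heuristic."""
    findings = {}
    for p in parse_ps(text):
        reasons = []
        argv = p["cmd"].split()
        exe = argv[0] if argv else ""
        # 1. Web-server account holding a shell: the usual footprint of a
        #    web application exploit that spawned /bin/sh.
        if p["user"] in SERVICE_ACCOUNTS and exe in SHELLS:
            reasons.append("service account running a shell")
        # 2. Anything started by relative path: packaged daemons are started
        #    with absolute paths, dropped tools from their unpack directory.
        if any(a.startswith("./") for a in argv):
            reasons.append("relative-path executable")
        # 3. A bare root shell with no controlling tty is not a login session.
        if (p["user"] == "root" and exe in SHELLS
                and p["tty"] == "?" and len(argv) == 1):
            reasons.append("root shell without a tty")
        # 4. Zombies are the leftovers of short-lived helpers forked by
        #    something still running; their parent is the interesting process.
        if p["stat"].startswith("Z"):
            reasons.append("zombie")
        if reasons:
            findings[int(p["pid"])] = reasons
    return findings


if __name__ == "__main__":
    for pid, why in sorted(triage(SAMPLE).items()):
        print(f"{pid:>6}: {', '.join(why)}")
```

Running it on the listing flags every process in the post except `date +%d` (PID 12266); the next step a responder would take is to walk the parent PIDs of the zombies and of the `./x`, `./troja` and `./siz` processes (`ps -o ppid=`) to find what launched them.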