Re: Server hacked - next...?
Okay... so supposing the whole system needs to be installed, we can make a
backup of the home directory now... but after we restore everything, what
is to stop the hacker immediately re-gaining access again?
The server is a fully updated "stable" debian system. In fact, it was
updated just yesterday.
I'm thinking that even if we do all the trouble of a complete
re-installation of the entire system, it won't fix this as it will get
re-hacked again, especailly since we can't see what is going on anymore.
What do you think? :-(
This really, really sucks.
----- Original Message -----
From: "Dena Whitebirch" <shore@quasar.net>
To: "Jason Lim" <maillist@jasonlim.com>
Sent: Sunday, 29 June, 2003 2:16 PM
Subject: Re: Server hacked - next...?
>
> Hi Jason,
>
> My condolences! We've been cracked twice, both times on RH boxes, (in
10
> years...so it's really not so bad) so we've got a bit of a system for
> cleaning up. I applaud you for wanting to clean up correctly. I've
> seen/heard too many horror stories out there where a user on someone
> else's system writes to me and shows me their cracked site and their
> host makes no apparent efforts to secure the box correctly.
>
> I'd like to offer any assistance I could give you. This is the time of
> year it always happened to us. School's out and people get bored ;)
>
> The first thing you can assume is the cracker probably has all the
> usernames and passwords on your system. You can also suspect that your
> logs and everything else on your system *may not be* telling you the
> truth any longer.
>
> The liklihood that you'll need to rebuild from scratch is high. It will
> probably, however be possible to maintain some/many user services while
> you do this after securing the box. The first step to this is normally
> to lock all users out by changing their passwords until they all change
> them.
>
> You'll next want to consider the cracker's motives...there are a few
types
> of crackers. If you can figure that out it will help you decide what
they
> may have done and the extent of the damage. Sometimes they truly want
to
> harm you, and sometimes they want to plant things on your server so they
> can play with people on IRC, etc.
>
> sans.org has a pretty good section on cleanup if I remember correctly.
>
> Let me know what else I can do to help. (And don't berate yourself too
> badly if you're tempted to do so! Most any server can be cracked.) You
> may never know for sure how you got cracked as there are so many ways.
> Any system with users, usernames/passwords, clients uploading insecure
> scripts, etc. will always be somewhat vulnerable.
>
> -Dena
>
> -=Dena Whitebirch=-
> @quasar Internet Solutions, Inc.
> "Internet Powered by Experience"
> --------------------------------------------
> Register .MART domains and more @quasar!
> http://quasar.net/
>
> On Sun, 29 Jun 2003, Jason Lim wrote:
>
> > Hi all,
> >
> > Well... bad day for me.
> >
> > One of our servers was hacked (woody)... badly, from what I can see. A
> > whole bunch of binaries have been modified, and strange processes are
> > running on the server. The hack date appears to be jun 6.
> >
> > Is there a document somewhere, or procedure, to recover after this?
This
> > is a working and running system, so somehow need to be able to recover
> > from this with minimal impact to end-users.
> >
> > Some things like:
> >
> > www-data 17451 0.0 0.0 2164 928 ? S 02:31 0:00 /bin/sh
> > www-data 21550 0.0 0.0 1232 236 ? S 05:02 0:00 ./x
> > www-data 21551 0.0 0.0 0 0 ? Z 05:02 0:00 [x
> > <defunct>]
> > root 21552 0.0 0.0 0 0 ? Z 05:02 0:00
[modprobe
> > <defunc
> > root 21554 0.0 0.0 2148 912 ? S 05:02 0:00 /bin/sh
> > root 21755 0.0 0.0 2164 948 ? S 05:02 0:00 /bin/sh
> > root 21801 0.0 0.0 2180 964 ? S 05:03 0:00
/bin/bash
> > ./troja
> > root 22010 0.0 0.0 1244 204 ? S 05:03 0:00 ./siz
> > ifconfigx /
> > root 12267 0.0 0.0 0 0 ? Z 07:15 0:00 [date
> > <defunct>]
> > root 12266 0.0 0.0 1264 252 ? T 07:15 0:00 date
+%d
> >
> > Anyone seen anything like this? Could this be the kernel hack ppl were
> > talking about affecting 2.4.17?
> >
> > Guess you guys would know a lot about this stuff...
> >
> > Any help and suggestions greatly appreciated.
> >
> > Sincerely,
> > Jas
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
> >
>
>
>
Reply to: