Re: Server hacked - next...?

To: "Jason Lim" <maillist@jasonlim.com>, <debian-isp@lists.debian.org>
Subject: Re: Server hacked - next...?
From: Russell Coker <russell@coker.com.au>
Date: Sun, 29 Jun 2003 15:49:00 +1000
Message-id: <[🔎] 200306291549.00472.russell@coker.com.au>
Reply-to: Russell Coker <russell@coker.com.au>
In-reply-to: <[🔎] 04ca01c33dfb$6dce7b40$0800a8c0@SYSTEM8>
References: <[🔎] 04ca01c33dfb$6dce7b40$0800a8c0@SYSTEM8>

On Sun, 29 Jun 2003 15:00, Jason Lim wrote:
> One of our servers was hacked (woody)... badly, from what I can see. A

From the ps output it appears that the hack originated from the web server or 
a CGI-BIN script it ran.

As they ran modprobe I guess they got root.  :(

The recommended method is to backup configuration files and data and reinstall 
the machine from scratch.

Fighting off a hacker who is already in your machine as root is difficult.  
Doing it properly is more difficult than preventing them cracking your 
machine in the first place.

Best to reinstall.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Reply to:

Follow-Ups:
- Re: Server hacked - next...?
  - From: "Jason Lim" <maillist@jasonlim.com>

References:
- Server hacked - next...?
  - From: "Jason Lim" <maillist@jasonlim.com>

Prev by Date: Bill Gates' ludicrous ideas to "block spam"
Next by Date: Re: Server hacked - next...?
Previous by thread: Server hacked - next...?
Next by thread: Re: Server hacked - next...?
Index(es):
- Date
- Thread