Re: Server hacked - next...?

On Sun, 2003-06-29 at 17:15, Jason Lim wrote:
> Okay... so supposing the whole system needs to be installed, we can make a
> backup of the home directory now... but after we restore everything, what
> is to stop the hacker immediately re-gaining access again?
> The server is a fully updated "stable" debian system. In fact, it was
> updated just yesterday.
> I'm thinking that even if we do all the trouble of a complete
> re-installation of the entire system, it won't fix this as it will get
> re-hacked again, especially since we can't see what is going on anymore.
> What do you think? :-(

I think you need to find out how they got in. Look around for
.bash_history files to see what's in them (particularly in /root, but
with some compromises they get in with other directories as "HOME", so
they can be other places, like /).

Once you get compromised, it's pretty darn hard to get clean without
starting fresh. Some rootkit compromises do weird stuff like infect
every binary file you even 'ls'. One system I saw had been compromised
via an ssh vulnerability (old ssh) and rootkit'ed... there was a very
good security guy doing the (remote) cleanup, and he ended up having to
install busybox just so that he had a clean environment he could work
from. Despite it being damn hard to clean up, it was just the work of a
script-kiddy because he left .bash_history files behind that showed
everything he did.

Moral of the story: apply security updates ASAP...

Donovan Baarda                http://minkirri.apana.org.au/~abo/
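The advice above, to look for .bash_history files outside the usual home directories, as an added example that is not code from either poster: a POSIX sh script that lists any .bash_history not sitting in a home directory recorded in passwd, run here against a constructed test tree. It assumes you point it at a mounted copy of the victim filesystem and at the passwd file taken from that copy.

```shell
#!/bin/sh
# Added example, not part of the original mail: list .bash_history files that
# are NOT inside a home directory recorded in passwd. A compromise that runs
# with an unusual HOME leaves its history in odd places such as / itself.
# Run it against a mounted image of the compromised disk, and from a toolset
# you trust (a static busybox), since find/ls on the box may be trojaned.

find_stray_histories() {
    rootfs=${1%/}          # filesystem root to inspect, without trailing /
    passwd=$2              # passwd file giving the expected home directories
    homes=$(cut -d: -f6 "$passwd")   # assumes no spaces in home paths
    # -xdev stays on one filesystem; every match is checked against $homes.
    find "${rootfs:-/}" -xdev -type f -name .bash_history 2>/dev/null |
    while IFS= read -r hist; do
        dir=$(dirname "$hist")
        rel=${dir#"$rootfs"}           # path relative to the inspected root
        if [ -z "$rel" ]; then rel=/; fi
        known=0
        for h in $homes; do
            if [ "$rel" = "$h" ]; then known=1; fi
        done
        if [ "$known" -eq 0 ]; then printf '%s\n' "$hist"; fi
    done
}

# Constructed test tree standing in for a compromised root filesystem: two
# legitimate histories (root, alice) and two stray ones (/ and /var/tmp/.x).
make_test_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/root" "$t/home/alice" "$t/var/tmp/.x"
    printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n' \
        > "$t/passwd"
    for f in root home/alice . var/tmp/.x; do : > "$t/$f/.bash_history"; done
    printf '%s\n' "$t"
}

tree=$(make_test_tree)
find_stray_histories "$tree" "$tree/passwd"   # prints the two stray paths
# On a real mounted image: find_stray_histories /mnt/victim /mnt/victim/etc/passwd
```

Anything it prints deserves a read before the reinstall, since a stray history is exactly the kind of trail the mail describes.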

