Re: Server hacked - next...?
On Sun, 2003-06-29 at 17:15, Jason Lim wrote:
> Okay... so supposing the whole system needs to be installed, we can make a
> backup of the home directory now... but after we restore everything, what
> is to stop the hacker immediately re-gaining access again?
>
> The server is a fully updated "stable" debian system. In fact, it was
> updated just yesterday.
>
> I'm thinking that even if we do all the trouble of a complete
> re-installation of the entire system, it won't fix this as it will get
> re-hacked again, especailly since we can't see what is going on anymore.
>
> What do you think? :-(
I think you need to find out how they got in. look around for
.bash_history files to see what's in them (particularly in /root, but
with some compromises they get in with other directories as "HOME", so
they can be other places, like /).
Once you get compromised, it's pretty darn hard to get clean without
starting fresh. Some rootkit compromises do weird stuff like infect
every binary file you even 'ls'. One system I saw had been compromised
via an ssh vulerability (old ssh) and rootkit'ed... there was a very
good security guy doing the (remote) cleanup, and he ended up having to
install buisybox just so that he had a clean environment he could work
from. Dispite it being damn hard to clean up, it was just the work of a
script-kiddy because he left .bash_history files behind that showed
everything he did.
moral of the story; apply security updates ASAP...
--
----------------------------------------------------------------
Donovan Baarda http://minkirri.apana.org.au/~abo/
----------------------------------------------------------------
Reply to: