
Re: Server hacked - next...?



On Sun, 2003-06-29 at 06:00, Jason Lim wrote:
> Hi all,
> 
> Well... bad day for me.
> 
> One of our servers was hacked (woody)... badly, from what I can see. A
> whole bunch of binaries have been modified, and strange processes are
> running on the server. The hack date appears to be jun 6.
> 
> Is there a document somewhere, or procedure, to recover after this? This
> is a working and running system, so somehow need to be able to recover
> from this with minimal impact to end-users.
> 

I know how you feel. I almost got compromised too on the same date,
funnily enough. They had a program running called bd which opened port
5000, which was luckily blocked by the iptables firewall, which probably
helped.

There were also some php scripts which gave access to the machine in the
web root. The lesson that I learnt: *do not give www-data write access*,
even in the web root. I should have thought of this earlier, but the setup
kind of required it. I have now reworked the setup and it looks better.

I used debsums to check that the binaries themselves are not
compromised. I also have tiger, snort and logcheck installed to try and
detect something like this, although neither snort nor logcheck
detected anything, and I installed tiger after the attack. Fingers
crossed.

Hope this helps,


Shri

-- 
------------------------------------------------------------------------
Shri Shrikumar       U R Byte Solutions           Tel:   0845 644 4745
I.T. Consultant	     Edinburgh, Scotland          Mob:   0773 980 3499
                     Web: www.urbyte.com          Email: shri@urbyte.com
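The debsums check Shri mentions, as an added example that is not part of the original message and is not debsums itself: dpkg keeps the MD5 of every file it installed in /var/lib/dpkg/info/<package>.md5sums, one "hash  path" line per file, and debsums recomputes those hashes to find files that changed since installation. The function below does that core check in plain POSIX shell so the logic is visible end to end; the fake package root, the file names bin/ls and bin/ps and the fakepkg.md5sums list are constructed for the demo and are not real package data.

```shell
#!/bin/sh
# Added example (not the poster's script): the core of what debsums does,
# reduced to a portable shell function so the check is visible end to end.
# dpkg records the MD5 of every file it installed in
# /var/lib/dpkg/info/<package>.md5sums as "<hash>  <path relative to />".
# check_md5sums recomputes each hash under ROOT and reports files that are
# missing or whose contents no longer match. It prints one line per
# problem and returns 1 if anything was found, 0 if every file is clean.
check_md5sums() {
    root="$1"
    sums="$2"
    status=0
    while read -r hash path; do
        [ -z "$path" ] && continue            # skip blank lines
        file="$root/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$hash" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done < "$sums"
    return "$status"
}

# Constructed demo: a throwaway fake root with two "binaries" and a
# hand-made md5sums list for them. Pass "tamper" to overwrite bin/ps the
# way a rootkit replacing the real ps would, then run the check.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/bin"
    printf 'original ls\n' > "$tmp/root/bin/ls"
    printf 'original ps\n' > "$tmp/root/bin/ps"
    # Record the pristine hashes, in the same format dpkg uses.
    ( cd "$tmp/root" && md5sum bin/ls bin/ps ) > "$tmp/fakepkg.md5sums"
    if [ "$1" = "tamper" ]; then
        printf 'trojaned ps\n' > "$tmp/root/bin/ps"
    fi
    rc=0
    check_md5sums "$tmp/root" "$tmp/fakepkg.md5sums" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Stand-alone run: a tampered check, then a clean one.
demo tamper || echo "-> tampering detected"
demo clean && echo "-> clean"
```

Two caveats a practitioner should keep in mind when relying on this kind of check after a root compromise, neither of which is in the original message: the md5sums lists live on the same host and are writable by root, so an attacker who replaced binaries could have rewritten the hashes to match, which means the trustworthy comparison is against hashes taken from freshly downloaded .deb archives (or the check is run from a rescue system against the mounted disk); and a kernel-level rootkit can lie to any userland tool, so a clean result from the running system is evidence, not proof. That is why the usual advice for the situation in the thread is to treat a clean debsums run as triage, preserve the disk for forensics, and rebuild from trusted media.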
