On Sun, 2003-06-29 at 06:00, Jason Lim wrote:
> Hi all,
>
> Well... bad day for me.
>
> One of our servers was hacked (woody)... badly, from what I can see. A
> whole bunch of binaries have been modified, and strange processes are
> running on the server. The hack date appears to be Jun 6.
>
> Is there a document somewhere, or procedure, to recover after this? This
> is a working and running system, so somehow need to be able to recover
> from this with minimal impact to end-users.
>

I know how you feel. I almost got compromised too on the same date, funnily enough. They had a program running called bd which opened port 5000, which was luckily blocked by the iptables firewall, which probably helped. There were also some php scripts in the web root which gave access to the machine.

The lesson that I learnt: *do not give www-data write access*, even in the web root. I shoulda thought of this earlier but the setup kinda required it. I have now reworked the setup and it looks better.

I used debsums to check that the binaries themselves are not compromised. I also have tiger, snort and logcheck installed to try and detect something like this. Although, neither snort nor logcheck detected anything, and I installed tiger after the attack. Fingers crossed.

Hope this helps,

Shri

-- 
------------------------------------------------------------------------
Shri Shrikumar    U R Byte Solutions    Tel:   0845 644 4745
I.T. Consultant   Edinburgh, Scotland   Mob:   0773 980 3499
                                        Web:   www.urbyte.com
                                        Email: shri@urbyte.com
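The lesson in Shri's reply, that the web server account must not be able to write into the web root, can be turned into a check. The script below is an added example (not from the thread or from Debian) that lists every path under a web root that the web user or group could write to, or that is world-writable; the web root path and the `www-data` user/group names are assumptions you pass in. It complements the `debsums -c` check Shri used for package binaries, which this script does not replace.

```sh
#!/bin/sh
# Added example: audit a web root for paths writable by the web server account.
# On Debian the web server runs as www-data; both user and group default to it.
# Any path printed is a place where a PHP backdoor could be dropped by a
# compromised web process, so the expected output on a hardened host is empty.
#
# Usage: audit_webroot /var/www [www-data [www-data]]
audit_webroot() {
    root="$1"
    user="${2:-www-data}"
    group="${3:-$user}"
    # Three conditions, any one of which lets the web account write:
    #  1. owned by the web user with the owner-write bit set
    #  2. in the web group with the group-write bit set
    #  3. world-writable (writable by anyone, the web account included)
    find "$root" \( -user "$user" -perm -u=w \) -o \
                 \( -group "$group" -perm -g=w \) -o \
                 -perm -o=w | sort -u
}

# Count of offending paths; handy as a cron job that mails when non-zero.
count_writable() {
    audit_webroot "$@" | wc -l | tr -d ' '
}
```

Run `audit_webroot /var/www` after reworking ownership and permissions; upload directories that legitimately need to be writable should be the only lines left, and they should not be served as executable PHP.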