[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Server hacked - next...?

On Sun, 2003-06-29 at 06:00, Jason Lim wrote:
> Hi all,
> Well... bad day for me.
> One of our servers was hacked (woody)... badly, from what I can see. A
> whole bunch of binaries have been modified, and strange processes are
> running on the server. The hack date appears to be jun 6.
> Is there a document somewhere, or procedure, to recover after this? This
> is a working and running system, so somehow need to be able to recover
> from this with minimal impact to end-users.

I know how you feel. I almost got compromised too on the same date
funnily enough. They had a program running called bd which opened port
5000 which was luckily blocked by the iptables firewall which proabably

There were also some php scripts which gave access to the machine in the
web root. The lesson that I learnt. *do not give www-data write access*
even in the web root. I shoulda thought of this earlier but the setup
kinda required it. I have now reworked the setup and it looks better.

I used debsums to check that the binaries themselves are not
compromised. I also have tiger, snort and logcheck installed to try and
detect something like this. Although, neither snort nor logcheck
detected anything and I installed tiger after the attack. Fingers

Hope this helps,


Shri Shrikumar       U R Byte Solutions           Tel:   0845 644 4745
I.T. Consultant	     Edinburgh, Scotland          Mob:   0773 980 3499
                     Web: www.urbyte.com          Email: shri@urbyte.com

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: