
Re: Am I Compromised -- Some interesting findings



Sorry, I sent this to you directly. I'm resending it to the list.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ritesh Raj Sarraf wrote:

>
> The logs show that the guy uploaded the files to /tmp and hid them.
>
>
> In my first mail, the logs showed a lot of "sh" defunct processes
> executed from within apache. Is this an attempt to gain the shell
> through the web server ?
>
> Please suggest me what more should I look for and how to tackle
> this attack.

This is a very good analysis and you did a good job at it. But there
is no future for your server. Right now what you need to do is kill
it, boot with a boot disk, save all data and configs (not without
checking exactly what you're saving), find out how and where you were
cracked (go forensic on your server), reinstall it in a box with a better
security setup (since the one you're talking about was obviously vulnerable)...

>
> Regards,
>
> rrs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFDh0KRHRtXdlKYy3ERAg4cAJ9wgJf0Aj/oobwMiiBV55XLBvwhegCfRN8a
OTTzqbsv0axeF+fmvdbKt2Y=
=8fvQ
-----END PGP SIGNATURE-----
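The two findings the thread turns on, files hidden under /tmp and defunct "sh" processes spawned from apache, are the kind of thing you want to inventory from a rescue boot before wiping the box. The helpers below are an added example, not code from the thread or its authors. They assume the compromised disk is mounted read-only at some path (here a constructed temporary tree standing in for it) and that the process table was captured as `ps -eo pid,ppid,stat,comm` output before the host was killed (here a constructed sample). GNU find and sha256sum are assumed.

```shell
#!/bin/sh
# Added example (not from the list thread): offline triage helpers for a
# compromised host. Checks for hidden entries under <root>/tmp, writes a
# sha256 manifest of them so the copied-off evidence can be verified, and
# counts defunct "sh" children of apache in a saved process table.
set -u

# Constructed stand-in for the mounted root filesystem of the victim host.
make_sample_root() {
  sample_root=$(mktemp -d)
  mkdir -p "$sample_root/tmp/.x" "$sample_root/tmp/normal"
  printf 'echo dropped\n' > "$sample_root/tmp/.x/run.sh"      # hidden dir + script
  printf 'hello\n'        > "$sample_root/tmp/.profile-bak"   # hidden file
  printf 'legit\n'        > "$sample_root/tmp/normal/session.txt"
  printf '%s\n' "$sample_root"
}

# List dot-prefixed entries beneath <root>/tmp, one per line, relative to
# root. A hidden directory is reported once (-prune) rather than per child.
find_hidden_in_tmp() {
  root=$1
  find "$root/tmp" -mindepth 1 -name '.*' -prune 2>/dev/null \
    | sed "s|^$root||" | sort
}

# sha256 manifest of every regular file inside the hidden entries, with the
# mount prefix stripped so paths read as they did on the victim.
manifest_hidden() {
  root=$1
  find_hidden_in_tmp "$root" | while IFS= read -r rel; do
    find "$root$rel" -type f -exec sha256sum {} +
  done | sed "s|  $root|  |"
}

# Constructed `ps -eo pid,ppid,stat,comm` capture resembling the thread's
# description: zombie "sh" processes whose parent is an apache worker.
SAMPLE_PS='  PID  PPID STAT COMMAND
    1     0 Ss   init
  812     1 Ss   apache
  815   812 S    apache
  901   815 Z    sh
  903   815 Z    sh
  950     1 Ss   sshd
  977   950 S    bash'

# Count processes named "sh" whose STAT starts with Z (defunct) and whose
# parent's command is apache. Takes the ps text as its single argument.
count_defunct_sh_under_apache() {
  printf '%s\n' "$1" | awk '
    NR > 1 { ppid[$1] = $2; stat[$1] = $3; comm[$1] = $4 }
    END {
      n = 0
      for (p in comm)
        if (comm[p] == "sh" && stat[p] ~ /^Z/ && comm[ppid[p]] == "apache") n++
      print n
    }'
}

# Usage: build the sample tree, report and hash the hidden entries, then
# count the defunct shells in the sample process table.
sample=$(make_sample_root)
find_hidden_in_tmp "$sample"
manifest_hidden "$sample"
count_defunct_sh_under_apache "$SAMPLE_PS"
rm -rf "$sample"
```

On a real rescue boot, replace `make_sample_root` with the mount point of the victim's disk and feed `count_defunct_sh_under_apache` the ps capture taken before shutdown; a non-zero count from a web server that should never fork shells is the indicator the original poster was asking about.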