
RE: Am I compromised



> Can anyone help me if my system is compromised or is it a
> system-related issue? What steps should I follow to get my
> webserver usable again? It's a machine under production usage.
> 

If you have trouble killing the processes, try killall -3 httpd. (If
that doesn't work, just keep incrementing the signal number until it
dies.)

A lot of the hack processes don't respond to -9 or -15 as they trap
them.

I had a box that was compromised because of a not-up-to-date phpBB
install. In my case they wiped /tmp, and I have cron jobs that check to
see whether files go missing in /tmp and notify me, so I knew pretty much
straight away. It was quite interesting, as I saw the guy who was
controlling it was on an IRC server, so I sat in the room and watched
what he was doing. After he'd done his thing (and banned me for abusing
him ;), I archived, then wiped the box and restored from the night
before's backup. Working out how he came in via the logs, I updated
phpBB. All he wanted my box for was SSH hacking remotely. There were
about 40-50 bots sitting in the channel, and he was assigning them IP
ranges to try to break into.

Thanks
Tim Warnock

ISP Technical Manager
GetOnIt! Nationwide Internet.
1300 88 00 97
timoid (at) getonit.net.au 
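As an added example (not Tim's script, and not part of the original thread), here are the two tricks from the reply above as POSIX sh helpers: a signal escalation that stops at the first signal the process actually dies from, and the cron-style check for files vanishing from /tmp. Two practitioner caveats go with it. SIGKILL (9) cannot be caught or ignored by userland code, so a process that appears to survive it is either being respawned (by a parent, cron or an init script) or the kill/ps binaries you are trusting have been replaced; the escalation therefore ends at KILL and the next step is to find the respawner, preferably with tools from read-only media. And a baseline listing that lives on the box is only as trustworthy as the box: keep a copy of it off-host, since whoever wipes /tmp can also edit the baseline. The signal order, the default baseline path and the zombie check are my assumptions for illustration, not something the post specifies.

```shell
#!/bin/sh
# Added example, not Tim Warnock's script. Two helpers for the two tricks in
# the post, written as POSIX sh so they can go straight into a cron entry.
#
#   escalate_kill PID SIG...        send each signal in turn, wait KILL_WAIT
#                                   seconds, stop at the first that clears PID
#   snapshot_dir DIR                sorted listing of everything under DIR
#   missing_since DIR BASELINE      entries in BASELINE no longer under DIR
#   tmp_check [BASELINE]            cron entry point for /tmp

KILL_WAIT=${KILL_WAIT:-2}   # seconds to give each signal before escalating

# alive PID: true while PID exists and is not a zombie. kill -0 alone is not
# enough: a process that has exited but not been reaped still answers it.
alive() {
    kill -0 "$1" 2>/dev/null || return 1
    if [ -d /proc/self ]; then
        # Linux: the field after ")" in /proc/PID/stat is the state, Z = zombie
        state=$(sed 's/^.*) //; s/ .*//' "/proc/$1/stat" 2>/dev/null) || return 1
    else
        state=$(ps -o stat= -p "$1" 2>/dev/null | cut -c1)
    fi
    [ -n "$state" ] && [ "$state" != "Z" ]
}

# escalate_kill PID SIG...: prints the signal that finally worked and returns
# 0; returns 1 if PID is still running after the last signal (at that point
# look for whatever is respawning it, or for a trojaned kill/ps).
escalate_kill() {
    pid=$1
    shift
    for sig in "$@"; do
        kill -s "$sig" "$pid" 2>/dev/null || true
        n=0
        while [ "$n" -lt "$KILL_WAIT" ] && alive "$pid"; do
            sleep 1
            n=$((n + 1))
        done
        if ! alive "$pid"; then
            echo "$sig"
            return 0
        fi
    done
    return 1
}

# snapshot_dir DIR: sorted so the result can be fed to comm(1) later.
snapshot_dir() {
    find "$1" -mindepth 1 -print | sort
}

# missing_since DIR BASELINE: lines in BASELINE that are not in the current
# listing of DIR, i.e. files that have gone away since the snapshot.
missing_since() {
    snapshot_dir "$1" | comm -23 "$2" -
}

# tmp_check [BASELINE]: cron prints nothing on a clean run, so cron sends no
# mail; any missing file is printed and the exit status is 1. The default
# baseline path is an assumption; keep a copy of the baseline off the box.
tmp_check() {
    base=${1:-/var/lib/tmpwatch/tmp.baseline}
    gone=$(missing_since /tmp "$base")
    [ -z "$gone" ] && return 0
    printf 'files missing from /tmp since baseline:\n%s\n' "$gone"
    return 1
}
```

To use the /tmp check the way the post describes, take the baseline once (`snapshot_dir /tmp > /var/lib/tmpwatch/tmp.baseline`) and run `tmp_check` from cron; cron mails whatever it prints, which is the notification. For the kill escalation, `escalate_kill "$(pgrep -o -x httpd)" QUIT TERM KILL` as root tries the post's -3 first and keeps going; stopping at KILL is deliberate, because anything that outlives KILL is not a signal problem.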


