
Re: we were attacked



Hi Danilo,

How did you discover the attack? What signs gave away the problem?
How did you deal with it when you discovered it? Have you taken the machine
off the network? Did you erase the disk? Have you removed the disk from
the original machine, and put it in safe storage somewhere?

Looking for the source of the attack...

A: Your firewall logs - do they show anything?
B: dpkg -l - what is installed on the machine?
 : have there been any security warnings about these services?
C: ps auxwww - What services are running?
D: Do your apache log files show anything?
E: Who has access to the machine?
 : Is maybe one of the passwords compromised?
F: last - what does it have to say about a break-in?
G: chkrootkit - not that I have ever had it tell me anything useful....
H: what do the scripts do?
I: less /tmp/<executable> - does it say anything exciting?
J: netstat -anp - what does it have to say about life....
K: What services are you MEANT to be running on your box?
L: Does your web server deliver dynamic content? or only static html files?
M: Have you enabled webdav on your web server?
N: ftp server logs?
O: Is the server trying to send out traffic?
 : If so - where?
P: Is it receiving traffic from somewhere - if so - where?
 : logging this on your firewall should be relatively easy...

...

As you can see - the list goes on....
If this server is important to you, I would seriously consider getting
someone in to help you have a look at it - effectively using this incident
as a training opportunity....

And you get to write lots of documentation for your company... :-)

Best of luck....

Hopefully this has been a little bit of help in the directions you need to
look...

Actually finding the 'person' responsible however may be very difficult,
especially if it was a WORM or BOT that found your server, and caused the
break-in....

Regards

Andrew
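A small Python triage helper, added here as an example and not part of Andrew's mail, that works through items I, J, K and O of the checklist above: it compares LISTEN sockets against a baseline of what the box is meant to run, lists where established connections go, and flags processes executing from /tmp. The netstat and ps output below is constructed, and the baseline of expected services is an assumption for a plain ssh + apache host.

```python
"""Compare observed listeners and processes with what the host is MEANT to run."""
import re

# Assumed baseline: (proto, port, program) this host is meant to expose.
EXPECTED_LISTENERS = {("tcp", 22, "sshd"), ("tcp", 80, "apache2")}

# Constructed sample of `netstat -anp` output (not captured from a real host).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1033/apache2
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      2291/httpd
tcp        0      0 10.0.0.5:45120          203.0.113.9:6667        ESTABLISHED 2291/httpd
"""

# Constructed sample of `ps auxwww` output.
PS_SAMPLE = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root       812  0.0  0.1  10240  2048 ?        Ss   10:00   0:00 /usr/sbin/sshd
www-data  1033  0.0  0.4  40000  8000 ?        S    10:00   0:01 /usr/sbin/apache2 -k start
www-data  2291  0.0  0.2  12000  4000 ?        S    11:42   0:00 /tmp/.x/httpd
"""

# proto, local addr, local port, foreign addr, foreign port, state, pid, program
NETSTAT_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)\s+(\d+)/(\S+)")

def unexpected_listeners(netstat_output, expected=EXPECTED_LISTENERS):
    """Item K: LISTEN sockets that are not in the baseline of expected services."""
    found = []
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if m and m.group(6) == "LISTEN":
            entry = (m.group(1), int(m.group(3)), m.group(8))
            if entry not in expected:
                found.append(entry)
    return found

def outbound_connections(netstat_output):
    """Item O: established sockets and the remote endpoint they talk to."""
    return [(m.group(8), f"{m.group(4)}:{m.group(5)}")
            for m in map(NETSTAT_RE.match, netstat_output.splitlines())
            if m and m.group(6) == "ESTABLISHED"]

def processes_from_tmp(ps_output):
    """Item I: running processes whose executable lives under /tmp or /var/tmp."""
    hits = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 10)                # COMMAND keeps its arguments
        if len(fields) == 11 and fields[10].startswith(("/tmp/", "/var/tmp/")):
            hits.append((int(fields[1]), fields[10]))
    return hits
```

Run it against the output of the real commands and anything it returns is a place to start looking, not a verdict.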
