Re: we were attacked
On Tuesday 11 April 2006 09:16, danilo lujambio wrote:
> Thanks for all of the answers. I am not a sysadmin, only a person with
> experience in Linux, and we work in a not-for-profit organization;
> because of that, we don't have resources to pay a good sysadmin :-).
> All the mails from you taught me something.
> Today finally we are in a serious problem. The symptom was that the web server
> answered with 403 Forbidden and we couldn't log in with ssh. After an hour
> of working we found that the sshd log said login_get_lastlog couldn't
> find user id ..... . Now I just found that we have the / directory
> changed to mode 700 and the tmp directory to 1700
Reinstall time would be the safest choice here if you're not that skilled. Even
a skilled admin will generally opt to reinstall the box at this point after
duplicating the drive or replacing it so they can analyze it later. Good luck