
Re: we were attacked



Hi @ll,

> > in one of our servers with Sarge we are suffering an attack which put a 
> > perl script and two executables in /tmp with owner www-data.
> > We couldn't find any data in messages, syslog, apache.log which helps 
> > us. We have a shorewall with very few ports open (ssh, ftp and web).
> > Can someone help us in how to look for the source of the attack?
> 
> Perhaps you should give rkhunter
> (http://www.rootkit.nl/projects/rootkit_hunter.html) a try and check
> if you "only" got a false positive!!
> I got this on an old RedHat, too!

There's even a Debian package of it, as there is for chkrootkit.

With rkhunter and chkrootkit you can find out if a root exploit is in
progress.

If that's the case, get the server off the line, and if you find nothing,
reinstall from the backups!

Additionally, you can give my project a try next time for an audit:

http://www.linux-development.org/deadzone

$ forensic_incident_analysation 

is the name of the appropriate project for you.

And additionally I have to agree you should give mod-security a try.

http://www.hardened-php.net/

Is also a good project to cover web forensic server security.

Good Luck!

-- 
Freedom for Tibet!
Best Regards,

Mark
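The advice above (check with rkhunter/chkrootkit, take the server off the line, reinstall) says nothing about keeping a record of what was found in /tmp before the box is rebuilt. Added example, not part of this thread and not a feature of rkhunter or chkrootkit: a POSIX shell helper (hypothetical name snapshot_dir) that writes owner, mode, timestamps and SHA-256 of every file under a directory owned by a given account, plus any running process executing from or working in that directory. It assumes GNU find, stat and sha256sum as shipped on Debian.

```shell
#!/bin/sh
# snapshot_dir DIR USER OUT
#   Record metadata and SHA-256 of regular files under DIR owned by USER,
#   and list processes whose executable or cwd lives under DIR, into OUT.
#   Copy OUT off the host before reinstalling; the hashes let you compare
#   the dropped files against later rkhunter/chkrootkit findings.
snapshot_dir() {
    dir=$1; user=$2; out=$3
    {
        echo "# snapshot of $dir, files owned by $user, taken $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "# mtime ctime mode owner:group sha256 path"
        find "$dir" -xdev -type f -user "$user" -print 2>/dev/null | sort |
        while IFS= read -r f; do
            # GNU stat: %Y mtime, %Z ctime (epoch seconds), %a octal mode
            meta=$(stat -c '%Y %Z %a %U:%G' "$f")
            sum=$(sha256sum "$f" | cut -d' ' -f1)
            echo "$meta $sum $f"
        done
        echo "# processes executing from or working in $dir"
        for p in /proc/[0-9]*; do
            exe=$(readlink "$p/exe" 2>/dev/null) || continue
            cwd=$(readlink "$p/cwd" 2>/dev/null)
            case "$exe $cwd" in
                *"$dir"*) echo "pid ${p#/proc/} exe=$exe cwd=$cwd" ;;
            esac
        done
    } > "$out"
}

# count_recorded OUT -> number of file entries in the report (lines start
# with the epoch mtime, so they begin with a digit; comments and pid lines do not)
count_recorded() {
    grep -c '^[0-9]' "$1" || true
}

# Usage on the affected host (as root):
#   snapshot_dir /tmp www-data /root/tmp-snapshot.txt
```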


