HELP, my Debian Server was hacked!

To: <debian-security@lists.debian.org>
Subject: HELP, my Debian Server was hacked!
From: Christian Könning <christian@koenning.org>
Date: Tue, 22 Apr 2003 21:00:11 +0200
Message-id: <[🔎] 003b01c30901$66713ba0$237cfea9@liquix>

Hello List,

I hope this is not of topic:

My private server has been hacked:
debian woody 2.4.18bf2.4 kernel, apache-ssl, samba, squid.

now my problem: the intruder used a rootkit, i think, cause he deleted
/var/log, symlinked /root/.bash_history > /dev/null, etc.
Is there any way to recover the evidences, e.g. the /var/log/ directory?
(ext2)

and there three sh processes running as root? Ptrace exploit?
how can i dump this processes to file, to keep this evidence?


Thanks for help

--
Christian Koenning

Reply to:

Follow-Ups:
- Re: HELP, my Debian Server was hacked!
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Re: HELP, my Debian Server was hacked!
  - From: xbud <xbud@g0thead.com>
- Re: HELP, my Debian Server was hacked!
  - From: Dale Amon <amon@vnl.com>
- Re: HELP, my Debian Server was hacked!
  - From: Christiano Anderson <anderson@debian-rs.org>

Prev by Date: Re: Network stress testing
Next by Date: RE: grsec patch over debian 2.4.20 kernel
Previous by thread: Re: Network stress testing
Next by thread: Re: HELP, my Debian Server was hacked!
Index(es):
- Date
- Thread