On Tue, Apr 22, 2003 at 09:00:11PM +0200, Christian Könning wrote:
> Hello List,
>
> I hope this is not off topic:
>
> My private server has been hacked:
> debian woody 2.4.18bf2.4 kernel, apache-ssl, samba, squid.

Ouch. Was it up to date with security patches?

> now my problem: the intruder used a rootkit, i think, cause he deleted
> /var/log, symlinked /root/.bash_history > /dev/null, etc.
> Is there any way to recover the evidence, e.g. the /var/log/ directory?
> (ext2)

Use e2undel (but you should mount read-only).

> and there are three sh processes running as root?

Ptrace exploit?

> how can i dump these processes to file, to keep this evidence?

Go to /proc/# (with # being the process number of these); you will find all the information on running processes there (environment, command line, file descriptors, the executable...).

You probably need a crash course on forensics in UNIX (me too :-), maybe this helps:
http://staff.washington.edu/dittrich/talks/blackhat/blackhat/forensics.html
and
http://www.dpo.uab.edu/~kalyan/incidentchecklist.html

Plenty of reading also at http://www.sans.org/rr/incident/, if you are interested. But I believe you want to get over this as fast as possible; consider using 'tct' (The Coroner's Toolkit, packaged for Debian).

Hope that helps

Javi
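A worked example of the /proc advice in the reply above, added here as an editor's illustration and not part of the original mail: a small POSIX shell script that preserves the volatile artefacts of a running process (command line, environment, status, memory map, open file descriptors, and a copy of the executable even if it has already been unlinked from disk) into an evidence directory and hashes them. It assumes a Linux /proc filesystem; the function names `dump_proc_evidence` and `dump_root_sh`, and the output layout, are choices made for this example. The evidence directory should live on separate, writable media so the compromised disk itself is only ever read.

```shell
#!/bin/sh
# Added example (not from the original mail): preserve the volatile /proc
# artefacts of a suspicious process before it exits or is killed.
# Assumes a Linux /proc; reads from the suspect system, writes only to OUTDIR.
# Usage: dump_proc_evidence <pid> <output-dir>

dump_proc_evidence() {
    pid="$1"
    out="$2"
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    mkdir -p "$out/$pid" || return 1

    # Small text files: read with cat, since cp may report zero size for /proc
    for f in cmdline environ status maps; do
        cat "/proc/$pid/$f" > "$out/$pid/$f" 2>/dev/null || :
    done

    # Where the executable and cwd really point. A binary that was deleted
    # after launch still shows up here, with "(deleted)" appended.
    readlink "/proc/$pid/exe" > "$out/$pid/exe.link" 2>/dev/null || :
    readlink "/proc/$pid/cwd" > "$out/$pid/cwd.link" 2>/dev/null || :

    # Copy of the running binary itself, recoverable even if unlinked on disk
    cat "/proc/$pid/exe" > "$out/$pid/exe.bin" 2>/dev/null || :

    # Open file descriptors: sockets, log files, pipes to other processes
    ls -l "/proc/$pid/fd" > "$out/$pid/fd.txt" 2>/dev/null || :

    # Hash everything captured so the evidence can be verified later
    (cd "$out/$pid" && sha1sum * > "../$pid.sha1") || :
    return 0
}

# Collect every root-owned "sh" process, like the three the poster saw.
# Only standard ps output fields are used.
dump_root_sh() {
    out="$1"
    ps -eo pid,user,comm | awk '$2 == "root" && $3 == "sh" { print $1 }' |
    while read -r pid; do
        dump_proc_evidence "$pid" "$out"
    done
}
```

Run `dump_root_sh /mnt/evidence` (or `dump_proc_evidence <pid> /mnt/evidence` for a single process) as root before touching anything else on the box; once the processes are gone, this information cannot be recovered from the disk image.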