
Re: a compromised machine



Reinstalling seems to be the option left, with the added security features discussed
previously, and monitoring the server closely after the new installation.  I would
do the new installation on a new hard disk, saving the seemingly compromised
hard disk and afterwards installing it in a machine not connected to any network
for a forensic analysis.
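The process and connection listings quoted below are exactly what the close monitoring mentioned above has to catch. As an added example (not code from anyone in this thread), here is a small POSIX shell triage script that runs `ps aux` and `netstat -tn` output through a few defender-side heuristics: a command executed from /tmp, /var/tmp or /dev/shm; a zombie; a bracketed, kernel-thread-style name owned by a non-root user (real kernel threads such as `[bdflush]` belong to root, which is what `[bdflu` under www-data is imitating); an outbound session to the IRC port range; and any other session from an ephemeral local port to a foreign port outside a small allow-list. The sample input is constructed from the lines quoted in the thread, unwrapped, plus a few benign lines (init, the real bdflush thread, an HTTPS connection to a placeholder address) so the filters have something to leave alone.

```shell
#!/bin/sh
# Added example: triage heuristics over ps/netstat output.
# Sample input is constructed from the thread's quoted output plus benign filler.
PS_SAMPLE='USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  1516  500 ?        S    Jul24   0:04 init [2]
root         5  0.0  0.0     0    0 ?        SW   Jul24   0:00 [bdflush]
www-data  6705  0.0  0.1  1616  600 ?        S    21:31   0:00 /tmp/dlciiqlno x
www-data  6762  0.0  0.0     0    0 ?        Z    22:10   0:00 [sh] <defunct>
www-data  6770  0.0  0.1  1624  608 ?        S    22:10   0:00 [bdflu'

NETSTAT_SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 193.77.81.144:33276     210.169.91.66:5454      ESTABLISHED
tcp        0      0 193.77.81.144:33281     193.201.53.88:6667      ESTABLISHED
tcp        0      0 193.77.81.144:80        192.0.2.10:51234        ESTABLISHED
tcp        0      0 193.77.81.144:33290     192.0.2.20:443          ESTABLISHED'

# Reads "ps aux" output on stdin, prints one SUSPECT line per hit.
flag_processes() {
  awk '$2 !~ /^[0-9]+$/ { next }                 # skip header / non-process lines
       {
         user = $1; pid = $2; stat = $8; cmd = $11
         if (cmd ~ /^\/(tmp|var\/tmp|dev\/shm)\//)
           print "SUSPECT pid=" pid " user=" user " reason=exec-from-scratch-dir cmd=" cmd
         else if (stat ~ /^Z/)
           print "SUSPECT pid=" pid " user=" user " reason=zombie cmd=" cmd
         else if (cmd ~ /^\[/ && user != "root")
           print "SUSPECT pid=" pid " user=" user " reason=kernel-thread-lookalike cmd=" cmd
       }'
}

# Reads "netstat -tn" output on stdin, prints one SUSPECT line per hit.
# Allow-list of foreign ports an unattended web server may legitimately talk to
# is an assumption; tune it to the host's actual role.
flag_connections() {
  awk '$1 != "tcp" && $1 != "udp" { next }        # skip banner and header lines
       {
         n = split($4, l, ":"); lport = l[n] + 0    # last ":"-field is the port
         m = split($5, f, ":"); fport = f[m] + 0
         if ((fport >= 6660 && fport <= 6669) || fport == 7000)
           print "SUSPECT " $4 " -> " $5 " reason=irc-port"
         else if (lport >= 1024 && fport != 22 && fport != 25 && fport != 53 &&
                  fport != 80 && fport != 443)
           print "SUSPECT " $4 " -> " $5 " reason=unexpected-outbound"
       }'
}

if [ "${1:-}" = "live" ]; then
  ps aux | flag_processes
  netstat -tn 2>/dev/null | flag_connections
else
  printf '%s\n' "$PS_SAMPLE" | flag_processes
  printf '%s\n' "$NETSTAT_SAMPLE" | flag_connections
fi
```

Run it with no arguments to see the three processes and two connections from the thread flagged; `sh triage.sh live` runs the same filters against the current host. The bracketed-name rule is the interesting one: `[sh] <defunct>` and `[bdflu` are flagged only because www-data owns them, so a real `[bdflush]` under root passes.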



> I checked crontabs and I haven't found anything. But new processes
> started
>
> www-data  6705  0.0  0.1  1616  600 ?        S    21:31   0:00
> /tmp/dlciiqlno x
> www-data  6762  0.0  0.0     0    0 ?        Z    22:10   0:00 [sh]
> <defunct>
> www-data  6770  0.0  0.1  1624  608 ?        S    22:10   0:00 [bdflu
>
> and new connections were opened
>
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 193.77.81.144:33276     210.169.91.66:5454
> ESTABLISHED
> tcp        0      0 193.77.81.144:33281     193.201.53.88:6667
> ESTABLISHED
>
> Once again, /tmp/dcliiqlno doesn't exist... where is this exec file,
> because I would really like to know what exactly it does.. and what is
> bdflu?
>
> I still haven't managed to find out how exactly this happened. And
> probably a reinstall will be needed? What do you think?
>
> Thanks..
>
> Ulf Harnhammar wrote:
>
>>On Sun, Jul 24, 2005 at 07:40:21PM +0200, Nejc Novak wrote:
>>
>>>that means that the process was started at 17:31 today. So I checked
>>>
>>>I killed the process and webserver and at 19:31 the process again
>>>started with the same lines in syslog.
>>
>>Check your crontabs (in various locations) and atq. It sounds as if the
>>attackers have added something there.
>>
>>// Ulf
>


-- 
-JM. "These blue days and this sun of childhood" (Antonio Machado, 1939)
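Nejc's question of where /tmp/dlciiqlno went has a standard answer: the file was unlinked after the process started, but as long as the process is alive the kernel keeps the inode, and /proc/PID/exe still resolves to it (readlink prints the old path followed by "(deleted)"). The script below is an added example, not something posted in this thread, showing how to copy that binary together with the process's command line, status, open file descriptors (which would include the two sockets from the netstat output) and memory map into an evidence directory before the box is taken down for the reinstall, plus a dump of the scheduled-job locations Ulf mentioned. It assumes a Linux /proc and coreutils; the `demo` mode is a constructed self-check that copies the system `sleep`, runs it from a scratch directory, deletes the file the way the intruder did, and recovers it from /proc.

```shell
#!/bin/sh
# Added example: preserve a running process whose on-disk binary was removed.
# Assumes Linux /proc; run as root (or as the process owner) to read /proc/PID/*.

# capture_process PID OUTDIR: copies what the kernel still knows about PID.
capture_process() {
  pid=$1; out=$2
  mkdir -p "$out"
  # Symlink target shows the original path, suffixed with " (deleted)" if unlinked.
  readlink "/proc/$pid/exe" > "$out/exe_path.txt"
  # The magic link still opens the unlinked inode, so the binary can be copied.
  cp "/proc/$pid/exe" "$out/exe.bin"
  tr '\0' ' ' < "/proc/$pid/cmdline" > "$out/cmdline.txt"   # argv, NUL-separated
  cat "/proc/$pid/status" > "$out/status.txt"             # uid, ppid, state
  ls -l "/proc/$pid/fd" > "$out/fd.txt"                   # files and sockets held open
  cat "/proc/$pid/maps" > "$out/maps.txt" 2>/dev/null || true
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$out/exe.bin" > "$out/exe.sha256"
  fi
  echo "evidence for pid $pid saved in $out" >&2
}

# capture_scheduled_jobs OUTDIR: where a restart every two hours would be queued.
# The path list is an assumption covering Debian's usual cron/at locations.
capture_scheduled_jobs() {
  out=$1
  mkdir -p "$out"
  for f in /etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily \
           /var/spool/cron /var/spool/cron/crontabs /var/spool/cron/atjobs; do
    [ -e "$f" ] && ls -laR "$f" >> "$out/cron_listing.txt" 2>/dev/null
  done
  command -v atq >/dev/null 2>&1 && atq > "$out/atq.txt" 2>/dev/null
  true
}

# demo: constructed self-check; prints the evidence directory on stdout.
demo() {
  scratch=$(mktemp -d ./evidence-demo.XXXXXX)
  src=$(command -v sleep)
  cp "$src" "$scratch/dropper"           # stand-in for the intruder's /tmp binary
  "$scratch/dropper" 60 &
  victim=$!
  rm "$scratch/dropper"                  # unlink it while it keeps running
  capture_process "$victim" "$scratch/out"
  kill "$victim"
  echo "$scratch/out"
}

case "${1:-}" in
  demo) demo ;;
  "")   echo "usage: $0 <pid> [evidence-dir] | demo" >&2 ;;
  *)    capture_process "$1" "${2:-evidence-$1}"
        capture_scheduled_jobs "${2:-evidence-$1}" ;;
esac
```

Against the listing in the thread this would be `sh preserve.sh 6705 /mnt/usb/evidence` run before the webserver is stopped, since killing the process (as was done at 19:31) is exactly what frees the inode and loses the binary; the evidence directory then travels with the old disk to the offline analysis machine.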


