
Re: hacked



Hmm, don't just focus on the server, and don't do anything drastic to alert
that you're onto him/her!
Go to your perimeter devices and turn on logging like mad (routers/firewall)
so you can codify events (assuming that he/she is coming from the outside).
Also, on the inside, pop in a sniffer on that subnet and capture everything
- if you can't read the traffic at least you can start homing in on where
it's originating, and that might divulge what programs/services are being
hacked... START A CHAIN OF EVENTS!!!! Document everything you notice and
what you do/did, but try not to change the system - if it goes to court
you'll need it. Wish I could offer more, but I'm not a Unix/Linux expert
(yet). Please keep us informed to let us know the progress.


On 10/12/06, Manuel Arostegui Ramirez <manuel todo-linux com> wrote:

On Thursday, 12 October 2006 14:11, mark wrote:
> Steve Buehler wrote:
> > Ok.  It looks like I have been hacked and they have put in a directory
> > in my webspace that is just a space.  In there are 2 directories and 1
> > file:
> > -rwxr-xr-x  1 root root    0 Oct 12 00:01 php.php
> > drwxr-xr-x  2   48   48 4096 Oct 11 23:54 signin.ebay.com
> > drwxrwxrwx  2 root root 4096 Oct 11 23:54 www.paypal.com
> >
> > I can delete everything in the 2 directories, and edit/change the
> > php.php file to empty it out because it was a php script that allowed
> > someone to do anything on the server they wanted, but I can not for the
> > life of me delete them.  I thought maybe they replaced the /bin/rm file,
> > but it does not appear to be a hacked "rm".
>
> chkrootkit. Get it. Use it, now!
>
>       mark

rkhunter would do the trick too.

--
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list




--
/==========The One===========\
RacerX, MCP, MCPI, MCSE
Active member "170 MPH Club"
Microsoft Certified Systems Engineer/WebMaster/Web Developer
"...not all super heroes wear a cape...some ride a Suzuki GSX1300R..."
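As an added example (not code from the thread or from any of the posters), here is a small POSIX shell triage script for the situation Steve describes: it records what is in the suspicious directory without changing anything, and checks the one thing that most often explains files root "cannot delete" on ext2/ext3, the immutable or append-only attribute that lsattr shows and chattr clears. It also asks rpm whether /bin/rm still matches its package, which is the Red Hat way to test the "hacked rm" theory. The function names, the /mnt/usb output path and the record layout are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or any poster): a read-only first look
# at a suspicious web directory like the one in the listing above. It
# records attributes, ownership, times and hashes without altering
# anything, and checks for the ext2/ext3 immutable (i) and append-only (a)
# flags, which make a file undeletable even for root.
# All paths and the output layout are assumptions for illustration.

# lsattr flag field for one entry, or "?" when lsattr is missing or the
# filesystem has no attribute support (tmpfs, NFS).
attr_flags() {
    if command -v lsattr >/dev/null 2>&1 && out=$(lsattr -d -- "$1" 2>/dev/null); then
        printf '%s\n' "${out%% *}"
    else
        printf '?\n'
    fi
}

# Succeeds when the entry carries the immutable (i) or append-only (a) flag.
is_locked() {
    case "$(attr_flags "$1")" in
        *i*|*a*) return 0 ;;
    esac
    return 1
}

# Hash a regular file with sha256sum, falling back to POSIX cksum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1"
    else
        cksum "$1"
    fi
}

# One record per entry under DIR: lsattr flags plus the ls -ld line (mode,
# owner, size, mtime), the ls -ldu line (access time), then a hash for
# regular files. The atime is captured before hashing because reading the
# file for the hash updates it on a normally mounted filesystem.
# Send the output off-box (e.g. > /mnt/usb/triage.txt), not onto the host.
triage_dir() {
    dir="$1"
    printf '# triage of %s at %s\n' "$dir" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    find "$dir" -print | while IFS= read -r p; do
        printf 'attr\t%s\t%s\n' "$(attr_flags "$p")" "$(ls -ld -- "$p")"
        printf 'atime\t%s\n' "$(ls -ldu -- "$p")"
        if [ -f "$p" ]; then
            printf 'hash\t%s\n' "$(hash_file "$p")"
        fi
        if is_locked "$p"; then
            printf 'NOTE\timmutable/append-only flag set on %s\n' "$p"
        fi
        printf '\n'
    done
}

# On a Red Hat-family host, ask rpm whether /bin/rm still matches the
# package that owns it (rpm -Vf prints nothing and exits 0 when it does).
# An attacker with root can doctor the rpm database too, so a clean result
# is a hint, not proof; compare against a known-good copy as well.
check_rm() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf /bin/rm || printf 'rm differs from its package, or rpm db unreadable\n'
    else
        printf 'rpm not available; compare /bin/rm against a known-good copy\n'
    fi
}

# Usage: sh triage.sh /path/to/webspace/suspicious-dir > /mnt/usb/triage.txt
if [ -n "${1:-}" ]; then
    triage_dir "$1"
    check_rm
fi
```

If the NOTE line appears for php.php or the two directories, `chattr -i` (or `-a`) on them is why rm keeps failing; do that only after the triage output and a copy of the files are saved elsewhere, since clearing the flag is itself a change to the evidence.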

