
Re: hacked

Hmm, don't just focus on the server, and don't do anything drastic to alert
that you're onto him/her!
Go to your perimeter devices and turn on logging like mad (routers/firewall)
so you can codify events (assuming that he/she is coming from the outside).
Also, on the inside, pop in a sniffer on that subnet and capture everything
- if you can't read the traffic at least you can start homing in on where
it's originating, and that might divulge what programs/services are being
hacked... START A CHAIN-of events!!!! Document everything you notice and
what you do/did but try not to change the system - if it goes to court
you'll need it. Wish I could offer more but I'm not a Unix/Linux expert
(yet). Please keep us informed to let us know the progress.

On 10/12/06, Manuel Arostegui Ramirez <manuel todo-linux com> wrote:

On Thursday, 12 October 2006 14:11, mark wrote:
> Steve Buehler wrote:
> > Ok.  It looks like I have been hacked and they have put in a directory
> > in my webspace that is just a space.  In there are 2 directories and 1
> > file:
> > -rwxr-xr-x  1 root root    0 Oct 12 00:01 php.php
> > drwxr-xr-x  2   48   48 4096 Oct 11 23:54 signin.ebay.com
> > drwxrwxrwx  2 root root 4096 Oct 11 23:54 www.paypal.com
> >
> > I can delete everything in the 2 directories, and edit/change the
> > php.php file to empty it out because it was a php script that allowed
> > someone to do anything on the server they wanted, but I can not for
> > the life of me delete them.  I thought maybe they replaced the /bin/rm
> > but it does not appear to be a hacked "rm".
> chkrootkit. Get it. Use it, now!
>       mark

rkhunter would do the trick too.

Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.

redhat-list mailing list

/==========The One===========\
Active member "170 MPH Club"
Microsoft Certified Systems Engineer/WebMaster/Web Developer
"...not all super heroes wear a cape...some ride a Suzuki GSX1300R..."
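
An added example, not part of the original message or thread: one way to follow the "document everything ... but try not to change the system" advice is to inventory the suspect web directory read-only and keep notes in a hash-chained log. The function names and the log format are hypothetical, and `log_path` is assumed to sit on separate media, not on the compromised host.

```python
import hashlib, json, os, stat, time

def sha256_file(path):
    # Read-only open; O_NOATIME (Linux, file owner or root) leaves atime untouched.
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags | getattr(os, "O_NOATIME", 0))
    except PermissionError:
        fd = os.open(path, flags)
    digest = hashlib.sha256()
    with os.fdopen(fd, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def inventory(root):
    """Yield a metadata record per entry under root, using read operations only."""
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            yield {"path": path,
                   "odd_name": name != name.strip(),  # e.g. a directory named " "
                   "mode": stat.filemode(st.st_mode),
                   "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
                   "mtime": st.st_mtime, "ctime": st.st_ctime,
                   "sha256": sha256_file(path) if stat.S_ISREG(st.st_mode) else None}

def append_entry(log_path, kind, data):
    """Append a JSON line whose 'prev' is the SHA-256 of the previous line."""
    prev = "0" * 64
    if os.path.exists(log_path):
        with open(log_path, "rb") as fh:
            lines = fh.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    entry = {"time": time.time(), "kind": kind, "data": data, "prev": prev}
    with open(log_path, "ab") as fh:
        fh.write(json.dumps(entry, sort_keys=True).encode() + b"\n")

def verify_log(log_path):
    """Return True if each line's 'prev' matches the hash of the line before it."""
    prev = "0" * 64
    with open(log_path, "rb") as fh:
        for line in fh.read().splitlines():
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line).hexdigest()
    return True
```

The chain exposes edits to earlier entries only; write down the hash of the final line somewhere off the host so that the last entry is covered as well.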
