hacked

Tenacious One tenaciousone at gmail.com
Thu Oct 12 18:09:56 UTC 2006


Hmm, don't just focus on the server, and don't do anything drastic to alert
that you're onto him/her!
Go to your perimeter devices and turn on logging like mad (routers/firewall)
so you can codify events (assuming that he/she is coming from the outside).
Also, on the inside, pop in a sniffer on that subnet and capture everything
- if you can't read the traffic, at least you can start homing in on where
it's originating, and that might divulge what programs/services are being
hacked... START A CHAIN OF EVENTS!!!! Document everything you notice and
what you do/did, but try not to change the system - if it goes to court
you'll need it. Wish I could offer more, but I'm not a unix/linux expert
(yet). Please keep us informed to let us know the progress.


On 10/12/06, Manuel Arostegui Ramirez <manuel at todo-linux.com> wrote:
>
> On Thursday, 12 October 2006 14:11, mark wrote:
> > Steve Buehler wrote:
> > > Ok.  It looks like I have been hacked and they have put in a directory
> > > in my webspace that is just a space.  In there are 2 directories and 1
> > > file:
> > > -rwxr-xr-x  1 root root    0 Oct 12 00:01 php.php
> > > drwxr-xr-x  2   48   48 4096 Oct 11 23:54 signin.ebay.com
> > > drwxrwxrwx  2 root root 4096 Oct 11 23:54 www.paypal.com
> > >
> > > I can delete everything in the 2 directories, and edit/change the
> > > php.php file to empty it out because it was a php script that allowed
> > > someone to do anything on the server they wanted, but I cannot for the
> > > life of me delete them.  I thought maybe they replaced the /bin/rm file,
> > > but it does not appear to be a hacked "rm".
> >
> > chkrootkit. Get it. Use it, now!
> >
> >       mark
>
> rkhunter would do the trick too.
>
> --
> Manuel Arostegui Ramirez.
>
> Electronic Mail is not secure, may not be read every day, and should not
> be used for urgent or sensitive issues.



-- 
/==========The One===========\
RacerX, MCP, MCPI, MCSE
Active member "170 MPH Club"
Microsoft Certified Systems Engineer/WebMaster/Web Developer
"...not all super heroes wear a cape...some ride a Suzuki GSX1300R..."
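As an added example (not code from this thread or any of its participants), a small POSIX shell script that follows the "document everything, don't change the system" advice: it records ownership, timestamps, digests and file attributes for the suspicious directory, and checks a binary such as /bin/rm against the RPM database, which answers the "is my rm trojaned?" question in the original report. The immutable-attribute check is an assumption of this example: it is one common reason root cannot delete a file, not something the thread establishes.

```shell
#!/bin/sh
# Added example, not code from the thread. Collects evidence about a suspected
# intrusion without modifying the files, then checks a binary against the RPM
# database. Assumes a Linux host; rpm and lsattr checks are skipped if absent.

# record_evidence DIR LOG: append one dated block per path under DIR, with the
# ls -ld line (the view pasted in the original report), full stat output
# (inode, owner, mtime/ctime), a SHA-256 digest for regular files, and the
# ext attributes. Assumption of this example: the immutable bit (chattr +i)
# is one common reason root cannot delete a file, so lsattr is worth a look.
record_evidence() {
    dir=$1; log=$2
    {
        printf '=== evidence run %s by %s on %s ===\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$(uname -n)"
        # Every tool below only reads metadata or contents; nothing is changed.
        # (Reading does update atime unless the filesystem is mounted noatime.)
        find "$dir" -print | while IFS= read -r path; do
            printf -- '--- %s\n' "$path"
            ls -ld "$path" || true
            stat "$path" 2>/dev/null || true
            if [ -f "$path" ]; then sha256sum "$path" || true; fi
            if command -v lsattr >/dev/null 2>&1; then
                lsattr -d "$path" 2>/dev/null || true
            fi
        done
    } >> "$log"
}

# verify_binary PATH: rpm -V prints nothing for an unmodified file and a flag
# string (e.g. "5" for a changed digest) for a replaced one.
verify_binary() {
    bin=$1
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$bin" && echo "$bin: matches package database"
    else
        echo "$bin: rpm not available, recording digest only"
        sha256sum "$bin"
    fi
}

# count_records LOG: number of paths recorded in LOG (a quick sanity check).
count_records() {
    grep -c '^--- ' "$1"
}
```

Run it as root against the suspicious directory with the log written to removable media or another host, and hash the log itself afterwards so later changes to it can be detected.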


