[Tfug] Server Compromise

Sean Warburton hl2addict at gmail.com
Thu Sep 27 14:18:27 MST 2007


What OS is on your server? Also, use HijackThis. That is my first line of
offense if I suspect foul play. Do you have those hot-swappable SATA drives?


On 9/27/07, Chris Hill <ubergeek at ubergeek.tv> wrote:
>
> Hi all,
>
> I've got a major headache today, looking to see if someone might be able
> to help. We've got a server; it's been compromised with a phishing scam.
> It looks like it very possibly has been rooted. I cannot fully turn off
> the box, but we are pulling all non-essential services off the public
> net. If anyone can help me figure out how bad things are, that would be
> really cool.
>
> I am working on the assumption we are rooted, mainly because the user
> has copied files as root to the box into /tmp and /var/www. I removed
> the /var/www files and he put them back and made it so that I cannot
> delete them (even as root). I'm also assuming that my ls, lsattr,
> chmod, chown, chattr, etc. files are hacked, which is why I cannot
> delete the /var/www files.
>
> If you're able to look at the box and see if you can help me delete
> these files and figure out what's going on, that'd be great!
>
> Thanks
> C
>
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>



-- 
FreeBSD v.1.4 (beta)
ASUS P5N32-SLI Premium
Intel Core 2 Duo 6600
dual eVGA 7900 GT OCs (full x16 SLI)
2 gigs DDR2 PC2-6400 (OCd to 866MHz)
250 gig RAID 1 (mirroring)
custom Liquid cooling :)
four 17" CRTs (uber widescreen)
7.1 surround sound (296 watts)
one happy gamer
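Two checks a responder would run on the box Chris describes, as an added example that is not part of the thread: read the immutable/append-only inode flags directly from the kernel (the usual reason root "cannot delete" a file, and something a trojaned lsattr can hide), and compare the coreutils against SHA-256 values taken from install media or a known-clean peer. It assumes a 64-bit Linux host; the paths in the manifest are placeholders, not values from the thread.

```python
# Triage helpers for a box suspected of being rooted (example added here, not
# from the list thread): read inode flags straight from the kernel so a trojaned
# lsattr cannot hide them, and verify coreutils against known-good SHA-256 sums.
import fcntl
import hashlib
import os
import struct
from pathlib import Path

# From <linux/fs.h>; FS_IOC_GETFLAGS is the 64-bit encoding of _IOR('f', 1, long)
FS_IOC_GETFLAGS = 0x80086601
FS_IMMUTABLE_FL = 0x00000010   # chattr +i: no unlink/rename/write, even for root
FS_APPEND_FL = 0x00000020      # chattr +a: append only

def inode_flags(path):
    """Raw inode flags from the kernel, or None if unreadable/unsupported."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return None
    try:
        buf = fcntl.ioctl(fd, FS_IOC_GETFLAGS, struct.pack("l", 0))
        return struct.unpack("l", buf)[0]
    except OSError:
        return None
    finally:
        os.close(fd)

def describe_flags(flags):
    """Name the flags that make a file undeletable even for root."""
    flags = flags or 0
    names = []
    if flags & FS_IMMUTABLE_FL:
        names.append("immutable")
    if flags & FS_APPEND_FL:
        names.append("append-only")
    return names

def verify_binaries(manifest, read_bytes=lambda p: Path(p).read_bytes()):
    """Paths whose SHA-256 differs from the manifest; unreadable counts as bad."""
    bad = []
    for path, good in manifest.items():
        try:
            digest = hashlib.sha256(read_bytes(path)).hexdigest()
        except OSError:
            digest = "unreadable"
        if digest != good:
            bad.append(path)
    return bad
```

Because the interpreter and libc on the suspect host may themselves have been replaced, run these checks from read-only rescue media or against a copy of the disk mounted on a clean machine.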
