[Tfug] Server Compromise

Chris Hill ubergeek at ubergeek.tv
Thu Sep 27 14:27:04 MST 2007


We're running ubuntu Dapper.

I'll check that out! Haven't heard of that one. rkhunter and chkrootkit 
turn up nothing unusual. We back up the server to a NAS, but there is no 
hot-swappable unit in it. We'll have to take it down soon.

C

Sean Warburton wrote:
> what OS is on your server? also, use HijackTHIS. That is my first line of
> offense if I suspect foul play. Do you have those hot-swappable SATA drives?
>
>
> On 9/27/07, Chris Hill <ubergeek at ubergeek.tv> wrote:
>   
>> Hi all,
>>
>> I've got a major headache today, looking to see if someone might be able
>> to help. We've got a server; it's been compromised with a phishing scam.
>> It looks like it very possibly has been rooted. I cannot fully turn off
>> the box, but we are pulling all non-essential services off the public
>> net. If anyone can help me figure out how bad things are that would be
>> really cool.
>>
>> I am working on the assumption we are rooted, mainly because the user
>> has copied files as root to the box into /tmp and /var/www. I removed
>> the /var/www files and he put them back and made it so that I cannot
>> delete them (even as root). I'm also assuming that my ls, lsattr,
>> chmod, chown, chattr, etc. files are hacked, which is why I cannot
>> delete the /var/www files.
>>
>> If you're able to look at the box and see if you can help me delete
>> these files and figure out what's going on, that'd be great!
>>
>> Thanks
>> C
>>
>> _______________________________________________
>> Tucson Free Unix Group - tfug at tfug.org
>> Subscription Options:
>> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>>
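The two symptoms the original post describes (files root cannot delete, and suspicion that ls, lsattr, chmod, chown and chattr have been replaced) map onto two concrete checks. The script below is an added example and is not code from this thread or from any of its participants. It assumes a Debian or Ubuntu layout where dpkg keeps a per-package manifest at /var/lib/dpkg/info/<package>.md5sums, that lsattr from e2fsprogs is available, and, critically, that md5sum, lsattr, awk and the shell itself are run from a known-good source (a live CD with the suspect disk mounted, or statically linked copies on read-only media), because on a rooted host the installed tools cannot be trusted to report honestly. The function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread.  Two checks a responder can run
# against a suspect Debian/Ubuntu host.  ASSUMPTIONS: the md5sum, lsattr and
# awk binaries invoked here come from a known-good source (a live CD, or a
# statically linked copy on read-only media), since on a rooted box the
# installed copies may themselves be trojaned; manifests live at
# /var/lib/dpkg/info/<package>.md5sums, as they do on Debian and Ubuntu.

# Print files under a directory tree carrying the ext2/ext3 immutable (i) or
# append-only (a) attribute.  Either flag makes a file undeletable even for
# root until it is cleared with chattr, which matches the /var/www symptom.
# Needs lsattr from e2fsprogs.
find_locked_files() {
    lsattr -R -- "$1" 2>/dev/null | awk '
        # lsattr prints "<flags> <path>"; directory headers ("dir:") have NF==1
        NF >= 2 && ($1 ~ /i/ || $1 ~ /a/) { sub(/^[^ ]+ +/, ""); print }'
}

# MD5 of one file, using whichever tool the platform provides.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum -- "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"            # BSD/macOS
    fi
}

# Compare every file listed in a dpkg .md5sums manifest ("<md5>  <path
# relative to />") against the copy under $root.  Prints each mismatch and
# returns 1 if any file is missing or modified, 0 if all match.
verify_against_md5sums() {
    manifest=$1
    root=${2:-/}               # mount point of the suspect filesystem
    status=0
    while read -r expected relpath; do
        [ -n "$expected" ] || continue
        file="${root%/}/$relpath"
        if [ ! -f "$file" ]; then
            printf 'MISSING  %s\n' "$file"
            status=1
            continue
        fi
        actual=$(md5_of "$file")
        if [ "$actual" != "$expected" ]; then
            printf 'MODIFIED %s (expected %s, got %s)\n' "$file" "$expected" "$actual"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Verify the packages that own the binaries the poster distrusts: ls, chmod
# and chown ship in coreutils, lsattr and chattr in e2fsprogs.
check_suspect_packages() {
    root=${1:-/}
    rc=0
    for pkg in coreutils e2fsprogs; do
        manifest="${root%/}/var/lib/dpkg/info/$pkg.md5sums"
        if [ -f "$manifest" ]; then
            verify_against_md5sums "$manifest" "$root" || rc=1
        else
            printf 'NO MANIFEST for %s under %s\n' "$pkg" "$root"
            rc=1
        fi
    done
    return $rc
}

# Usage (from a live CD with the suspect root mounted at /mnt/suspect):
#   sh integrity_check.sh --check /mnt/suspect
#   sh integrity_check.sh --locked /mnt/suspect/var/www
case "${1:-}" in
    --check)  check_suspect_packages "${2:-/}" ;;
    --locked) find_locked_files "${2:-/}" ;;
esac
```

Two caveats. First, an attacker with root can edit the .md5sums manifests just as easily as the binaries, so a clean match only means the files agree with the manifest on the same disk; a stronger check compares against the packages from a trusted mirror (the debsums tool can fetch and compare them). Second, a kernel-level rootkit can hide files and lie to every userland tool, which is why both checks are only meaningful when the suspect filesystem is mounted from a boot medium the attacker never touched.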