[Tfug] Server Compromise

Sean Warburton hl2addict at gmail.com
Thu Sep 27 14:39:45 MST 2007


http://www.spywareinfo.com/~merijn/programs.php#hijackthis
I am pretty sure this is almost all Windows specific (I learned the hard
way, PC-BSD doesn't know what to do with executables). But there is a way to
convert them into tarballs, right?
Also, if you can, look for StartupList. This program helps oodles in
Windowsland, because of all the end user crap they put on (did you know
Windows has to 'inventory' and load every single font you have every time
you load Windows?). I am not sure of its effectiveness in a Linux-spawned
environment. Hope this helps, and good luck!
     Sean

On 9/27/07, Chris Hill <ubergeek at ubergeek.tv> wrote:
>
> We're running Ubuntu Dapper.
>
> I'll check that out! Haven't heard of that one. rkhunter and chkrootkit
> turn up nothing unusual. We back up the server to a NAS, but there is no
> hot-swappable unit in it. We'll have to take it down soon.
>
> C
>
> Sean Warburton wrote:
> > What OS is on your server? Also, use HijackThis. That is my first line of
> > offense if I suspect foul play. Do you have those hot-swappable SATA drives?
> >
> >
> > On 9/27/07, Chris Hill <ubergeek at ubergeek.tv> wrote:
> >
> >> Hi all,
> >>
> >> I've got a major headache today, looking to see if someone might be able
> >> to help. We've got a server; it's been compromised with a phishing scam.
> >> It looks like it's very possibly been rooted. I cannot fully turn off
> >> the box, but we are pulling all non-essential services off the public
> >> net. If anyone can help me figure out how bad things are, that would be
> >> really cool.
> >>
> >> I am working on the assumption we are rooted, mainly because the user
> >> has copied files as root to the box into /tmp and /var/www. I removed
> >> the /var/www files and he put them back and made it so that I cannot
> >> delete them (even as root). I'm also assuming that my ls, lsattr,
> >> chmod, chown, chattr, etc. files are hacked, which is why I cannot
> >> delete the /var/www files.
> >>
> >> If you're able to look at the box and see if you can help me delete
> >> these files and figure out what's going on, that'd be great!
> >>
> >> Thanks
> >> C
> >>
> >> _______________________________________________
> >> Tucson Free Unix Group - tfug at tfug.org
> >> Subscription Options:
> >> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
> >>
> >>



-- 
FreeBSD v.1.4 (beta)
ASUS P5N32-SLI Premium
Intel Core 2 Duo 6600
dual eVGA 7900 GT OCs (full x16 SLI)
2 gigs DDR2 PC2-6400 (OCd to 866MHz)
250 gig RAID 1 (mirroring)
custom Liquid cooling :)
four 17" CRTs (uber widescreen)
7.1 surround sound (296 watts)
one happy gamer
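Two things in Chris's report are checkable without guessing: a file that root cannot delete on ext2/ext3 is usually carrying the immutable (i) or append-only (a) attribute, which lsattr shows and chattr clears, and a suspicion that ls/lsattr/chattr themselves were replaced can be tested against the MD5 list dpkg records at install time (/var/lib/dpkg/info/<package>.md5sums on Ubuntu). The helpers below are an added example, not code from the thread or from any of the posters. They assume the lsattr, md5sum and awk binaries you run are trusted copies (for instance from a live CD, with the suspect disk mounted read-only at $ROOT), because the whole point of the thread is that the on-box copies cannot be trusted; the sample lsattr line and the demo manifest are constructed here for illustration.

```shell
#!/bin/sh
# Added example: triage helpers for a suspected-rooted Debian/Ubuntu box.
# Assumption: run with trusted tools against the mounted disk, not with the
# box's own coreutils.

# Read `lsattr -R` output on stdin and print the paths whose attribute field
# carries the immutable (i) or append-only (a) flag. Example input line
# (constructed):  ----i--------e-- /var/www/evil.php
# Directory headers ("/var/www:") and blank lines are skipped. These flags are
# what makes rm fail even for root; `chattr -ia FILE` (trusted binary) removes
# them once the file has been preserved for forensics.
find_locked_attrs() {
    awk 'NF >= 2 && $1 ~ /^[-A-Za-z]+$/ && $1 ~ /[ia]/ {
        print substr($0, index($0, " ") + 1)
    }'
}

# Compare files under ROOT against a dpkg-style manifest ("md5  relative/path"
# per line). Prints MISSING/MODIFIED lines and returns 1 if anything differs.
# Note: the on-disk .md5sums file is itself unauthenticated; for a box you
# believe is rooted, take the manifest from a freshly downloaded .deb instead.
verify_hashes() {
    manifest=$1
    root=$2
    bad=0
    while read -r want rel; do
        [ -n "$rel" ] || continue
        f="$root/$rel"
        if [ ! -f "$f" ]; then
            printf 'MISSING  %s\n' "$rel"
            bad=1
            continue
        fi
        got=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            printf 'MODIFIED %s\n' "$rel"
            bad=1
        fi
    done < "$manifest"
    return $bad
}

# Real usage, with the suspect disk mounted at $ROOT and trusted tools in PATH:
#   lsattr -R "$ROOT/var/www" "$ROOT/tmp" 2>/dev/null | find_locked_attrs
#   verify_hashes "$ROOT/var/lib/dpkg/info/coreutils.md5sums" "$ROOT"
#   verify_hashes "$ROOT/var/lib/dpkg/info/e2fsprogs.md5sums" "$ROOT"   # lsattr/chattr
#
# Self-contained demo on constructed data (run:  sh triage.sh --demo):
if [ "${1-}" = "--demo" ]; then
    printf -- '----i--------e-- /var/www/evil.php\n-------------e-- /var/www/index.html\n' \
        | find_locked_attrs
    tmp=$(mktemp -d)
    printf 'original binary\n' > "$tmp/ls"
    printf '%s  ls\n' "$(md5sum "$tmp/ls" | cut -d' ' -f1)" > "$tmp/manifest"
    verify_hashes "$tmp/manifest" "$tmp" && echo "clean"
    printf 'replaced binary\n' > "$tmp/ls"
    verify_hashes "$tmp/manifest" "$tmp" || echo "tampering detected"
    rm -rf "$tmp"
fi
```

Whatever these report, the outcome in Chris's situation is the same: a positive hit confirms root compromise, and a clean result on a box whose own tools may lie proves nothing, so the disk gets imaged for forensics and the service is rebuilt from known-good media and backups taken before the intrusion.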


