Hi all, Well... bad day for me.
One of our servers was hacked (woody)... badly, from what I can see. A whole bunch of binaries have been modified, and strange processes are running on the server. The hack date appears to be June 6. Is there a document somewhere, or procedure, to recover after this? This is a working and running system, so somehow I need to be able to recover from this with minimal impact to end-users.

Some things like:

www-data 17451 0.0 0.0 2164 928 ? S 02:31 0:00 /bin/sh
www-data 21550 0.0 0.0 1232 236 ? S 05:02 0:00 ./x
www-data 21551 0.0 0.0 0 0 ? Z 05:02 0:00 [x <defunct>]
root 21552 0.0 0.0 0 0 ? Z 05:02 0:00 [modprobe <defunc
root 21554 0.0 0.0 2148 912 ? S 05:02 0:00 /bin/sh
root 21755 0.0 0.0 2164 948 ? S 05:02 0:00 /bin/sh
root 21801 0.0 0.0 2180 964 ? S 05:03 0:00 /bin/bash ./troja
root 22010 0.0 0.0 1244 204 ? S 05:03 0:00 ./siz ifconfigx /
root 12267 0.0 0.0 0 0 ? Z 07:15 0:00 [date <defunct>]
root 12266 0.0 0.0 1264 252 ? T 07:15 0:00 date +%d

Anyone seen anything like this? Could this be the kernel hack people were talking about affecting 2.4.17? Guess you guys would know a lot about this stuff... Any help and suggestions greatly appreciated.

Sincerely,
Jas
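As an added illustration (not part of Jas's post), here is a small Python checker that applies the triage heuristics a responder would use on a process listing like the one above: a shell owned by the web-server account, executables launched by relative path, and zombies whose name matches one of those dropped executables. The sample lines are the ones quoted in the post; the rule set, SERVICE_USERS and the function names are my assumptions.

```python
# Triage heuristics for `ps aux`-style output (added example, not from the post).
# Sample input: the process lines quoted in the post above.
PS_SAMPLE = """\
www-data 17451 0.0 0.0 2164 928 ? S 02:31 0:00 /bin/sh
www-data 21550 0.0 0.0 1232 236 ? S 05:02 0:00 ./x
www-data 21551 0.0 0.0 0 0 ? Z 05:02 0:00 [x <defunct>]
root 21552 0.0 0.0 0 0 ? Z 05:02 0:00 [modprobe <defunc
root 21554 0.0 0.0 2148 912 ? S 05:02 0:00 /bin/sh
root 21755 0.0 0.0 2164 948 ? S 05:02 0:00 /bin/sh
root 21801 0.0 0.0 2180 964 ? S 05:03 0:00 /bin/bash ./troja
root 22010 0.0 0.0 1244 204 ? S 05:03 0:00 ./siz ifconfigx /
root 12267 0.0 0.0 0 0 ? Z 07:15 0:00 [date <defunct>]
root 12266 0.0 0.0 1264 252 ? T 07:15 0:00 date +%d
"""

SERVICE_USERS = {"www-data"}          # assumed: accounts that never need a shell
SHELLS = {"/bin/sh", "/bin/bash"}


def parse_ps_line(line):
    """Split one `ps aux` line into the fields the heuristics need."""
    f = line.split(None, 10)          # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    if len(f) < 11:
        return None
    return {"user": f[0], "pid": int(f[1]), "stat": f[7], "cmd": f[10]}


def audit(ps_text):
    """Return {pid: [reasons]} for every process that trips a heuristic."""
    procs = [p for p in map(parse_ps_line, ps_text.splitlines()) if p]
    # Names of binaries run by relative path (./x -> "x"); these usually sit in
    # a world-writable directory and are the first thing to preserve for forensics.
    dropped = {t[2:] for p in procs for t in p["cmd"].split() if t.startswith("./")}
    findings = {}
    for p in procs:
        tokens = p["cmd"].split()
        argv0 = tokens[0] if tokens else ""
        reasons = []
        if p["user"] in SERVICE_USERS and argv0 in SHELLS:
            reasons.append("shell running as service account")
        if any(t.startswith("./") for t in tokens):
            reasons.append("executable launched by relative path")
        # Zombie whose bracketed name matches a dropped binary: its parent is likely one too.
        if p["stat"].startswith("Z") and argv0.lstrip("[") in dropped:
            reasons.append("zombie child of a relative-path executable")
        if reasons:
            findings[p["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(audit(PS_SAMPLE).items()):
        print(pid, "; ".join(reasons))
```

The root /bin/sh entries are deliberately not flagged on their own, since cron and init scripts legitimately spawn them; their parent PIDs (ps -ef, or /proc/PID/status) are what would settle whether they belong to the same intrusion.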