Okay... so supposing the whole system needs to be installed, we can make a backup of the home directory now... but after we restore everything, what is to stop the hacker immediately re-gaining access again?
The server is a fully updated "stable" debian system. In fact, it was updated just yesterday. I'm thinking that even if we do all the trouble of a complete re-installation of the entire system, it won't fix this as it will get re-hacked again, especially since we can't see what is going on anymore. What do you think? :-(

This really, really sucks.

----- Original Message -----
From: "Dena Whitebirch" <[EMAIL PROTECTED]>
To: "Jason Lim" <[EMAIL PROTECTED]>
Sent: Sunday, 29 June, 2003 2:16 PM
Subject: Re: Server hacked - next...?

> Hi Jason,
>
> My condolences! We've been cracked twice, both times on RH boxes, (in 10
> years...so it's really not so bad) so we've got a bit of a system for
> cleaning up. I applaud you for wanting to clean up correctly. I've
> seen/heard too many horror stories out there where a user on someone
> else's system writes to me and shows me their cracked site and their
> host makes no apparent efforts to secure the box correctly.
>
> I'd like to offer any assistance I could give you. This is the time of
> year it always happened to us. School's out and people get bored ;)
>
> The first thing you can assume is the cracker probably has all the
> usernames and passwords on your system. You can also suspect that your
> logs and everything else on your system *may not be* telling you the
> truth any longer.
>
> The likelihood that you'll need to rebuild from scratch is high. It will
> probably, however, be possible to maintain some/many user services while
> you do this after securing the box. The first step to this is normally
> to lock all users out by changing their passwords until they all change
> them.
>
> You'll next want to consider the cracker's motives...there are a few types
> of crackers. If you can figure that out it will help you decide what they
> may have done and the extent of the damage. Sometimes they truly want to
> harm you, and sometimes they want to plant things on your server so they
> can play with people on IRC, etc.
>
> sans.org has a pretty good section on cleanup if I remember correctly.
>
> Let me know what else I can do to help. (And don't berate yourself too
> badly if you're tempted to do so! Most any server can be cracked.) You
> may never know for sure how you got cracked as there are so many ways.
> Any system with users, usernames/passwords, clients uploading insecure
> scripts, etc. will always be somewhat vulnerable.
>
> -Dena
>
> -=Dena Whitebirch=-
> @quasar Internet Solutions, Inc.
> "Internet Powered by Experience"
> --------------------------------------------
> Register .MART domains and more @quasar!
> http://quasar.net/
>
> On Sun, 29 Jun 2003, Jason Lim wrote:
>
> > Hi all,
> >
> > Well... bad day for me.
> >
> > One of our servers was hacked (woody)... badly, from what I can see. A
> > whole bunch of binaries have been modified, and strange processes are
> > running on the server. The hack date appears to be Jun 6.
> >
> > Is there a document somewhere, or procedure, to recover after this? This
> > is a working and running system, so somehow need to be able to recover
> > from this with minimal impact to end-users.
> >
> > Some things like:
> >
> > www-data 17451 0.0 0.0 2164 928 ? S 02:31 0:00 /bin/sh
> > www-data 21550 0.0 0.0 1232 236 ? S 05:02 0:00 ./x
> > www-data 21551 0.0 0.0 0 0 ? Z 05:02 0:00 [x <defunct>]
> > root 21552 0.0 0.0 0 0 ? Z 05:02 0:00 [modprobe <defunc
> > root 21554 0.0 0.0 2148 912 ? S 05:02 0:00 /bin/sh
> > root 21755 0.0 0.0 2164 948 ? S 05:02 0:00 /bin/sh
> > root 21801 0.0 0.0 2180 964 ? S 05:03 0:00 /bin/bash ./troja
> > root 22010 0.0 0.0 1244 204 ? S 05:03 0:00 ./siz ifconfigx /
> > root 12267 0.0 0.0 0 0 ? Z 07:15 0:00 [date <defunct>]
> > root 12266 0.0 0.0 1264 252 ? T 07:15 0:00 date +%d
> >
> > Anyone seen anything like this? Could this be the kernel hack ppl were
> > talking about affecting 2.4.17?
> >
> > Guess you guys would know a lot about this stuff...
> >
> > Any help and suggestions greatly appreciated.
> >
> > Sincerely,
> > Jas
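As an added example (not code from the thread or from Debian), here is a small Python triage script that applies to a `ps aux` listing the kinds of indicators visible in Jason's output: an interactive shell owned by the web-server account, programs launched from a relative path such as `./x`, zombie processes named after core system tools, and command tokens that look like a system tool name with extra characters (`ifconfigx`). The sample listing is constructed from the post, with a header row and a benign `init` entry added; the indicator lists (`SERVICE_ACCOUNTS`, `SHELLS`, `SYSTEM_TOOLS`) and the rule names are assumptions chosen for illustration. Because Dena's point about the host no longer telling the truth applies to `ps` itself once system binaries have been replaced, the listing fed to this script should be taken with a `ps` from trusted media (or from the host's saved output before it is reinstalled), and the findings are a review list for the analyst, not a verdict.

```python
"""Triage a `ps aux` listing from a suspected compromised host.

Added example; not code from the original thread. It parses the listing
and flags the kinds of indicators visible in the posted output. The
indicator lists below are assumptions for illustration, not a complete
set. Output is a list of findings for an analyst; nothing is modified.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: adapted from the listing in the original post, with
# a header row and a benign `init` entry added so the parser sees both.
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
www-data 17451 0.0 0.0 2164 928 ? S 02:31 0:00 /bin/sh
www-data 21550 0.0 0.0 1232 236 ? S 05:02 0:00 ./x
www-data 21551 0.0 0.0 0 0 ? Z 05:02 0:00 [x <defunct>]
root 21552 0.0 0.0 0 0 ? Z 05:02 0:00 [modprobe <defunct>]
root 21554 0.0 0.0 2148 912 ? S 05:02 0:00 /bin/sh
root 21801 0.0 0.0 2180 964 ? S 05:03 0:00 /bin/bash ./troja
root 22010 0.0 0.0 1244 204 ? S 05:03 0:00 ./siz ifconfigx /
root 12267 0.0 0.0 0 0 ? Z 07:15 0:00 [date <defunct>]
root 12266 0.0 0.0 1264 252 ? T 07:15 0:00 date +%d
root 1 0.0 0.0 1300 400 ? S 01:00 0:00 init [2]
"""

# Assumed indicator lists (illustrative; extend them for the host in question).
SERVICE_ACCOUNTS = {"www-data", "nobody"}   # accounts that should never own a shell
SHELLS = {"/bin/sh", "/bin/bash", "sh", "bash"}
SYSTEM_TOOLS = {"modprobe", "date", "ifconfig", "netstat", "login", "ps"}


@dataclass
class Proc:
    user: str
    pid: int
    stat: str
    cmd: str


def parse_ps(text: str) -> List[Proc]:
    """Parse `ps aux` output; COMMAND is the 11th field and may contain spaces."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 10)
        if len(fields) < 11 or fields[0] == "USER":
            continue
        procs.append(Proc(fields[0], int(fields[1]), fields[7], fields[10]))
    return procs


def triage(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, indicator, detail) for every rule a process matches."""
    findings = []
    long_tools = {t for t in SYSTEM_TOOLS if len(t) >= 4}  # avoid noise from short names
    for p in procs:
        argv = p.cmd.split()
        exe = argv[0]
        # 1. A service account holding an interactive shell.
        if p.user in SERVICE_ACCOUNTS and exe in SHELLS:
            findings.append((p.pid, "service-account-shell", f"{p.user} running {exe}"))
        # 2. Anything executed from a relative path (./x, ./troja, ./siz).
        for tok in argv:
            if tok.startswith("./"):
                findings.append((p.pid, "relative-path-exec", tok))
        # ps prints zombies as "[name] <defunct>"; strip the decoration to get names.
        names = [tok.strip("[]<>") for tok in argv]
        # 3. A zombie carrying the name of a core system tool.
        if p.stat.startswith("Z") or "<defunct>" in p.cmd:
            if names[0] in SYSTEM_TOOLS:
                findings.append((p.pid, "zombie-system-tool", names[0]))
        # 4. A token that extends a real tool name (e.g. ifconfigx).
        for name in names:
            if name in SYSTEM_TOOLS:
                continue
            if any(name.startswith(t) for t in long_tools):
                findings.append((p.pid, "tool-name-lookalike", name))
    return findings


if __name__ == "__main__":
    for pid, indicator, detail in triage(parse_ps(SAMPLE_PS)):
        print(f"pid {pid:>6}  {indicator:<22} {detail}")
```

Run against the sample, the script reports the `www-data` shell, the three relative-path launches, the two zombie system-tool names and the `ifconfigx` lookalike, and stays silent on the root shell, the stopped `date +%d` and `init`; a root shell or a stopped job is ordinary on its own, which is why the rules are deliberately narrow and the output is meant to be read alongside a file-integrity check of the binaries rather than on its own.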