On Sun, Jun 29, 2003 at 03:15:05PM +0800, Jason Lim wrote:
> Okay... so supposing the whole system needs to be installed, we can make a
> backup of the home directory now... but after we restore everything, what
> is to stop the hacker immediately re-gaining access again?
>
> The server is a fully updated "stable" debian system. In fact, it was
> updated just yesterday.
>
> I'm thinking that even if we do all the trouble of a complete
> re-installation of the entire system, it won't fix this as it will get
> re-hacked again, especially since we can't see what is going on anymore.
>
> What do you think? :-(
>
> This really, really sucks.
>
As Russell Coker points out, the attacker probably got in through apache and a vulnerable CGI script. When you reinstall, be sure you don't run any insecure CGIs.

There is probably a bunch of other improvements you can do:

Mount /tmp with noexec
Run a hardened kernel like NSA or Grsecurity.
etc.

--
Frode Haugsgjerd
Norway
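An added example (not part of the thread and not from any of the posters) of how an administrator would verify the "/tmp with noexec" advice above after a reinstall. It reads a /proc/mounts-style line and checks that the option list contains noexec, and also nosuid and nodev, which are usually set alongside it. The two sample mount lines are constructed for the example; on a real machine the line would come from /proc/mounts, as the comment shows.

```shell
#!/bin/sh
# Added example, not from the thread: check that a /tmp mount line carries
# the hardening options noexec, nosuid and nodev.

# has_mount_opts LINE WANTED
# LINE is one /proc/mounts-style line; WANTED is a comma-separated list of
# options. Returns 0 if every wanted option is present in field 4 (the
# mount options), otherwise 1.
has_mount_opts() {
    line=$1
    wanted=$2
    # split the line into fields; field 4 is the comma-separated option list
    set -- $line
    opts=$4
    for o in $(printf '%s\n' "$wanted" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;          # option present, keep checking
            *) return 1 ;;        # option missing
        esac
    done
    return 0
}

# check_tmp LINE: prints a verdict for a /tmp mount line; exit status
# is 0 when all three options are present, 1 otherwise.
check_tmp() {
    if has_mount_opts "$1" "noexec,nosuid,nodev"; then
        echo "OK:   /tmp is mounted noexec,nosuid,nodev"
        return 0
    fi
    echo "WARN: /tmp lacks noexec,nosuid,nodev: $1"
    return 1
}

# Constructed sample lines (not real output from the poster's system)
WEAK_TMP='tmpfs /tmp tmpfs rw,relatime 0 0'
HARDENED_TMP='tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

check_tmp "$WEAK_TMP" || true
check_tmp "$HARDENED_TMP"

# On a live system, feed the real entry instead of the sample:
#   check_tmp "$(grep ' /tmp ' /proc/mounts | head -n 1)"
```

The corresponding /etc/fstab entry for a tmpfs /tmp would be `tmpfs /tmp tmpfs nosuid,nodev,noexec 0 0`; for a /tmp on its own partition, add the same options to its existing line. Test the change before relying on it: some package maintainer scripts and build tools expect to execute files from /tmp and will fail once noexec is in place.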