Hello List, I hope this is not off topic:

My private server has been hacked: Debian woody, 2.4.18bf2.4 kernel, apache-ssl, samba, squid. Now my problem: the intruder used a rootkit, I think, because he deleted /var/log, symlinked /root/.bash_history to /dev/null, etc. Is there any way to recover the evidence, e.g. the /var/log/ directory (ext2)? And there are three sh processes running as root. Ptrace exploit? How can I dump these processes to file, to keep this evidence?

Thanks for help -- Christian Koenning
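As an added example (not from the original post or any reply to it), here is one way to preserve what the kernel still knows about a running process before it exits or the machine is powered off. It copies the files under /proc/<pid>/ that a forensic reviewer usually wants (command line, environment, memory map, status), follows /proc/<pid>/exe to save a copy of the executable even if its file has already been unlinked from disk, and writes a SHA-256 manifest alongside the copies. The helper name `preserve_process`, the artefact list and the output layout are assumptions of this example, not a standard tool.

```python
import hashlib
import os
import shutil
import sys
from pathlib import Path

# Files under /proc/<pid>/ worth keeping before the process disappears.
# This list is an assumption for the example; fd/, cwd and root are
# other candidates on a real system.
ARTEFACTS = ("cmdline", "environ", "maps", "status", "stat")


def _sha256(path: Path) -> str:
    """Hash a saved copy so the manifest can later prove it is unchanged."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_process(pid: int, out_dir, proc_root="/proc"):
    """Copy the /proc artefacts of `pid` into out_dir/<pid>/ and return a
    manifest {name: sha256} plus the target of the exe link (hypothetical
    helper written for this example)."""
    src = Path(proc_root) / str(pid)
    if not src.is_dir():
        raise FileNotFoundError(f"no such process directory: {src}")
    dst = Path(out_dir) / str(pid)
    dst.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for name in ARTEFACTS:
        p = src / name
        if not p.exists():
            continue
        target = dst / name
        # Stream the bytes instead of trusting st_size: /proc files report
        # a size of 0, so a size-based copy would produce empty files.
        with open(p, "rb") as fi, open(target, "wb") as fo:
            shutil.copyfileobj(fi, fo)
        manifest[name] = _sha256(target)
    # /proc/<pid>/exe still resolves to the running binary even when the
    # file on disk was deleted (the link text then ends in " (deleted)").
    exe = src / "exe"
    try:
        manifest["exe_target"] = os.readlink(exe)
        with open(exe, "rb") as fi, open(dst / "exe.bin", "wb") as fo:
            shutil.copyfileobj(fi, fo)
        manifest["exe.bin"] = _sha256(dst / "exe.bin")
    except OSError:
        manifest["exe_target"] = None
    # Keep the hashes next to the copies so they travel together.
    with open(dst / "MANIFEST.txt", "w") as f:
        for k, v in sorted(manifest.items()):
            f.write(f"{k}\t{v}\n")
    return manifest


if __name__ == "__main__":
    # Usage: python preserve.py <pid> <output dir on a separate medium>
    for k, v in sorted(preserve_process(int(sys.argv[1]), sys.argv[2]).items()):
        print(f"{k}\t{v}")
```

Run it as root, once per suspicious pid, with the output directory on a separate medium (a USB stick, NFS mount or a second disk), not on the compromised ext2 filesystem: on ext2 a deleted file's inode keeps its block pointers until they are reused, which is what makes recovery of /var/log possible at all, and every write to that filesystem risks overwriting those blocks. The same rule applies to the process copies: read them, do not write next to them.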