While the earlier advice is probably the best advice, don't forget to run chkrootkit.

I recently had the same thing happen to one of my machines. I've found a kit in /dev/proc/fuckit. The total nuking of /log makes this look like a very amateur job. If they were hot they would edit the appropriate logs and retouch the dates etc., leaving less blatant signs. I can't totally rule out a physical hack as it is an office machine, but if it was network I really want to know what in sarge can be so blatantly abused. (nightly apt-get update && apt-get upgrade)

David.

On Tue, 22 Apr 2003, xbud wrote:
> tar up your /proc/ directory to save a copy of your kcore - it should have
> useful information unless he managed to zero out all the memory that was
> being utilized during the break in.
>
> turn the box off but make sure it doesn't delete crap, watch out for logic
> bombs or what not.
>
> remove the disk and mount it on another box -o ro (read only) and do your
> analysis there.
>
>
> On Tuesday 22 April 2003 13:00, Christian Könning wrote:
> > Hello List,
> >
> > I hope this is not off topic:
> >
> > My private server has been hacked:
> > debian woody 2.4.18bf2.4 kernel, apache-ssl, samba, squid.
> >
> > now my problem: the intruder used a rootkit, i think, cause he deleted
> > /var/log, symlinked /root/.bash_history > /dev/null, etc.
> > Is there any way to recover the evidence, e.g. the /var/log/ directory?
> > (ext2)
> >
> > and there are three sh processes running as root? Ptrace exploit?
> > how can i dump these processes to file, to keep this evidence?
> >
> >
> > Thanks for help
>
> --
> ------------------------------
> Orlando Padilla
> http://www.g0thead.com/xbud.asc
> ------------------------------
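The thread gives a procedure (save process state from /proc, power off, mount the disk read-only elsewhere, look for the rootkit's traces) but no code. The script below is a constructed example added here, not code from any of the posters, that does a first pass over exactly those points: it preserves what /proc knows about a suspicious live process before shutdown, then checks a read-only mounted copy of the disk for the two signs Christian reported (wiped /var/log, /root/.bash_history pointing at /dev/null) and sweeps for setuid binaries, which is one of the things chkrootkit looks at. The mount point, the PID and the evidence directory are assumed arguments; nothing here writes to the mounted image.

```sh
#!/bin/sh
# Constructed example for this thread (not the posters' code).
# Assumption: the disk copy is mounted read-only somewhere like
#   mount -o ro,noexec,nodev /dev/sdb1 /mnt/evidence
# and that path is passed in as $1. Output goes to a separate evidence dir.

# preserve_proc PID OUTDIR: copy the readable /proc/PID entries into OUTDIR/PID.
# Done on the live box before it is powered off; after that /proc is gone.
preserve_proc() {
    pid="$1"; out="$2/$1"
    mkdir -p "$out" || return 1
    for f in status maps cmdline environ; do
        if [ -r "/proc/$pid/$f" ]; then
            cat "/proc/$pid/$f" > "$out/$f" 2>/dev/null || true
        fi
    done
    # exe/cwd/root are symlinks; the target reveals a deleted or relocated binary
    for l in exe cwd root; do
        readlink "/proc/$pid/$l" > "$out/$l.link" 2>/dev/null || true
    done
}

# check_log_tampering MNT: print findings to stderr and the finding count to stdout.
check_log_tampering() {
    mnt="$1"; hits=0
    if [ ! -d "$mnt/var/log" ] || [ -z "$(ls -A "$mnt/var/log" 2>/dev/null)" ]; then
        echo "FINDING: $mnt/var/log is missing or empty" >&2
        hits=$((hits + 1))
    fi
    if [ -L "$mnt/root/.bash_history" ] && \
       [ "$(readlink "$mnt/root/.bash_history")" = "/dev/null" ]; then
        echo "FINDING: $mnt/root/.bash_history is a symlink to /dev/null" >&2
        hits=$((hits + 1))
    fi
    echo "$hits"
}

# list_setuid MNT: every regular setuid file on the mounted image, one per line.
# Diff the result against the same listing from a known-good install of the
# same release; anything extra is worth a closer look.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Usage sketch (not executed when the file is sourced):
#   preserve_proc 4242 /mnt/usb/evidence       # on the live box, before shutdown
#   check_log_tampering /mnt/evidence          # after mounting the disk ro elsewhere
#   list_setuid /mnt/evidence | sort > /mnt/usb/evidence/setuid.txt
```

The functions only read from the mounted tree, so they can be run against the read-only mount xbud recommends without disturbing timestamps; the evidence directory should live on separate media (a USB stick or a second disk), never on the compromised filesystem.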