On Monday 09 July 2007 22:14, rocky wrote:
> Thank you very much for your help! Do you mean someone has been
> controlling our server?

Given that your server is attacking other servers, and assuming you yourself are not attacking those other servers, then someone else is running attack software on your server. Whether they have total control of your server is not something that you can determine while the server is still running.

> If we are going to reinstall the server, we will need to use the backup
> to restore the websites hosted on our server. Will the backup make
> the new installation of the server vulnerable?

After the server is powered off and you have found someone knowledgeable and trustworthy, that person will examine the server's hard drives using a secure system. He or she will neither boot the drives nor execute any program or script on them, for they are all compromised. He or she will only read the compromised drives.

With luck he or she will be able to determine the vulnerability, and with luck he or she will be able to extract your data either from the hard drives or from the backups without reintroducing the malware.

The server will then be wiped and reinstalled with different passwords and keys, the vulnerability will be fixed, and the backed up data minus any malware will be restored. Then the server can be put back online.

You might want to think about which version of Debian was the server running, which Debian packages were installed, were all relevant security updates applied, was any non-Debian software installed, and were any weak passwords used?

While you are waiting for the expert, you could save some time by using a different and secure system to start googling or otherwise checking for known security problems with the versions of the software that your server was running. PHP applications are often at fault, but there are many other possibilities.

There are no easy solutions. Sorry.

--Mike Bird
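An added example, not part of the original message: one way the read-only examination described above can start on a Debian system is to hash packaged files on the mounted drive and compare them with dpkg-style `.md5sums` lists, without executing anything from the drive. The function names and paths are assumptions, and the lists are assumed to come from a clean source, because the copies under `/var/lib/dpkg/info` on the compromised drive cannot be trusted.

```python
import hashlib
from pathlib import Path

def file_md5(path):
    """Hash by reading only; nothing from the evidence mount is executed."""
    h = hashlib.md5()  # MD5 because dpkg's .md5sums lists use it
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def parse_md5sums(text):
    """Yield (digest, relative_path) from 'digest  path' lines."""
    for line in text.splitlines():
        digest, sep, rel = line.partition("  ")
        if sep and len(digest) == 32:
            yield digest.lower(), rel.strip()

def audit(evidence_root, trusted_lists):
    """Return sorted (status, path) for files that differ from the trusted lists."""
    root = Path(evidence_root).resolve()
    findings = []
    for listing in sorted(Path(trusted_lists).glob("*.md5sums")):
        for digest, rel in parse_md5sums(listing.read_text(errors="replace")):
            target = (root / rel.lstrip("/")).resolve()
            if root not in target.parents:
                # A symlink on the evidence disk points at the analysis host.
                findings.append(("ESCAPES_ROOT", rel))
            elif not target.is_file():
                findings.append(("MISSING", rel))
            elif file_md5(target) != digest:
                findings.append(("MODIFIED", rel))
    return sorted(findings)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample, not real evidence
        root, lists = Path(tmp, "evidence"), Path(tmp, "lists")
        (root / "bin").mkdir(parents=True)
        lists.mkdir()
        (root / "bin/ls").write_bytes(b"altered")
        good = hashlib.md5(b"original").hexdigest()
        (lists / "coreutils.md5sums").write_text(f"{good}  bin/ls\n")
        print(audit(root, lists))
```

This only covers files that belong to packages; files an intruder added, and web content or data restored from backup, still need separate review.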