On Monday 07 Dec 2009, Shrinivasan T wrote:
> Hi,
>
> I feel that one of my servers is hacked.
>
> "last" says that
> saravana pts/2 78.96.162.69 Thu Dec 3 03:22 - 03:23 (00:00)

Looks like somebody guessed your password.

> geoip sites said that.
> IP Address: 78.96.162.69
> Country: Romania
> Country code: RO (ROU)
> Region: Vrancea
> City: Focsani

Somebody local with access to a machine in RO could have come in and cracked your system and made it appear that the attacker is physically in RO.

> All histories before Dec 3 were cleared.

Smart guy.

> How to find whether my server is hacked?

For RPM based distros you can verify the integrity of your files with the --verify option, assuming the cracker has not messed with your RPM database. I don't know the Debian equivalent.

> Wondering what the cracker could have done in a single minute.

Plenty, depending on his/her admin skill; most likely the cracker ran a script to do all the dirty work for him/her.

> Need help on hardening the server.

You may luck out if the cracker just wanted to break in and your file integrity checks out in your favor. Rather than spinning your wheels figuring out what is b0rked, a fresh install would save you time.

After a fresh install create a `ro' signature db of your files (aide/tripwire) and keep a copy in a separate location. aide/tripwire can be configured to check the integrity of the installed files vs. the signature db.

> Server is in a remote place.
> I have only ssh access.
>
> How to find out what happened to my server on Dec 3?

Suggest you contact a computer forensic consultant if there is valuable data on the system and/or you want to report the crime.

HTH
--
Arun Khan
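The "signature db of your files, kept in a separate location" advice above is what aide and tripwire automate. The script below is an added example, not code from the thread or from either tool: it builds a baseline of SHA-256 hashes for a directory tree and later reports files that were modified, removed or added since the baseline. It assumes a Linux host with GNU coreutils (`sha256sum`, `sort -z`, `xargs -0`); the function names `build_baseline` and `check_baseline` are this example's own.

```shell
#!/bin/sh
# Added example (not from the ILUGC thread): a minimal file-integrity baseline
# in the spirit of the aide/tripwire advice. Assumes GNU coreutils
# (sha256sum, sort -z, xargs -0) on a Linux host.

# build_baseline DIR OUT
# Record "sha256  ./relative/path" for every regular file under DIR, sorted
# by path, into OUT. Run this right after the fresh install, then copy OUT
# somewhere the box itself cannot rewrite (another host, read-only media).
build_baseline() {
    dir=$1
    out=$2
    ( cd "$dir" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) > "$out"
}

# check_baseline DIR BASELINE
# Re-hash DIR and compare it against BASELINE. Prints one line per difference
# (ADDED / MISSING / MODIFIED <path>) and returns 1 if anything differs,
# 0 if the tree still matches. Paths containing whitespace are not handled,
# because awk splits sha256sum's "hash  path" output on whitespace.
check_baseline() {
    dir=$1
    base=$2
    cur=$(mktemp) || return 2
    build_baseline "$dir" "$cur"
    report=$(awk '
        NR == FNR { old[$2] = $1; next }           # first file: the baseline
        {                                          # second file: current state
            if (!($2 in old)) { print "ADDED " $2; next }
            if (old[$2] != $1) print "MODIFIED " $2
            delete old[$2]                         # seen, so not missing
        }
        END { for (p in old) print "MISSING " p }  # left over: gone since baseline
    ' "$base" "$cur" | sort)
    rm -f "$cur"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Usage (baseline /etc once after the reinstall, then re-check from cron):
#   build_baseline /etc /root/etc.sha256 && scp /root/etc.sha256 otherhost:
#   check_baseline /etc /root/etc.sha256
```

Two caveats that apply equally to `rpm --verify`: a baseline stored on the compromised host is only as trustworthy as that host, which is why the copy belongs off-box, and an attacker with root can replace `sha256sum`, `find` or `awk` themselves, so for a box you already distrust the check is only meaningful when run from a clean boot medium or against a disk image on another machine.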