my server was cracked; now what?

Justin Weissig jweissig-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Mon Jul 17 21:41:13 UTC 2006


Hey,

Honestly, I would (1) remove the system from the network immediately,
especially if you have any critical / confidential information hosted
on it.

The fact that the user was actually logged into the system and running
commands that you could see via bash_history (a newbie who does not hide
his tracks) is especially disturbing! Most of the time a simple bot will
gain access but not root your machine. Who knows what a person would
do! A bot typically just puts a couple of files around and connects to IRC.

The reasoning is simple: the intruder could come back for something else
or delete anything at will. A rebuild is REQUIRED!

(2) Back up everything and re-install the system. Run all the updates
(look for PHP scripts that have holes, phpBB etc., and other services
that are old; this is how people get in) and disable any non-critical
services. Lock down permissions. Make MySQL only listen on localhost
if you're only connecting locally.

(3) Restore the data to the machine.

(4) Watch it. The intruder will likely be back and try his old accounts.

Now obviously this is in a perfect world where you don't have people
accessing this machine 24/7. Maybe you have a second machine that you
can prepare and methodically migrate your required services to. If
you want more advice feel free to contact me.

- Justin


On 7/17/06, Aaron Vegh <aaronvegh-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> Hi there,
> I discovered this afternoon that my server was rooted. I don't think
> they were in there very long, but after noticing some of my services
> down, I went in and through the .bash_history file, saw some commands
> that were not issued by me. I changed the password on the root
> account, rebooted the box and made sure all services were running.
> Other than seeing some passwords missing in my mysql database I don't
> know what else was done.
>
> Does anyone have any guidance for what to do with a machine after it's
> been rooted? I feel violated, but the server is also running important
> parts of my business, so I have to keep it going. I'd also love to
> know how they got in...
>
> Thanks,
> Aaron.
> --
> The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
>
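The procedure Justin lays out, as an added example that is not part of the original thread and is neither poster's code: one helper to capture the .bash_history files Aaron relied on before the rebuild destroys them (step 2 wipes the disk; changing root's password and rebooting, as Aaron already did, has rewritten part of that evidence), and one helper to verify the "MySQL only listens on localhost" hardening on the reinstalled box. The paths in the usage comments and the sample configs used to exercise it are constructed for illustration; the only tools assumed are POSIX sh, awk, cp and (optionally) sha256sum.

```shell
#!/bin/sh
# Added example for this thread (not Justin's or Aaron's code): capture
# shell-history evidence before the rebuild, and check that a reinstalled
# MySQL is pinned to loopback. Paths in the comments are constructed.
set -u

# preserve_shell_history ROOT OUTDIR
#   Copies root's and every home directory's .bash_history found under ROOT
#   ("/" on the live box, or the mount point of a disk image) into OUTDIR,
#   keeping timestamps (cp -p), and records SHA-256 sums so the copies can
#   later be shown to be unmodified. Prints the number of files captured.
#   Run this before changing passwords, rebooting or reinstalling: each
#   interactive login rewrites the file it is trying to preserve.
preserve_shell_history() {
    root=$1
    out=$2
    mkdir -p "$out"
    n=0
    for f in "$root"/root/.bash_history "$root"/home/*/.bash_history; do
        [ -f "$f" ] || continue                 # an unmatched glob stays literal
        owner=$(basename "$(dirname "$f")")     # "root", "aaron", ...
        cp -p "$f" "$out/bash_history.$owner"
        n=$((n + 1))
    done
    if [ "$n" -gt 0 ] && command -v sha256sum >/dev/null 2>&1; then
        ( cd "$out" && sha256sum bash_history.* > SHA256SUMS )
    fi
    echo "$n"
}

# mysql_bound_to_localhost MYCNF
#   Exit 0 when the [mysqld] section of MYCNF pins the server to loopback
#   (bind-address / bind_address = 127.0.0.1, ::1 or localhost) or turns
#   TCP off entirely (skip-networking); exit 1 otherwise. Only [mysqld]
#   counts, so a bind-address under [client] is ignored, and the last
#   bind-address line wins, which is also how mysqld reads the file.
mysql_bound_to_localhost() {
    awk '
        /^[ \t]*\[/ {                           # section header, e.g. [mysqld]
            sect = $0
            sub(/^[ \t]*\[/, "", sect)
            sub(/\].*$/, "", sect)
        }
        sect == "mysqld" && /^[ \t]*skip[-_]networking/ { skip = 1 }
        sect == "mysqld" && /^[ \t]*bind[-_]address[ \t]*=/ {
            split($0, kv, "=")
            v = kv[2]
            gsub(/[ \t]/, "", v)
            ok = (v == "127.0.0.1" || v == "::1" || v == "localhost")
        }
        END { if (skip || ok) exit 0; exit 1 }
    ' "$1"
}

# Usage on the compromised host (as root), before and after the rebuild:
#   preserve_shell_history / /mnt/usb/evidence
#   mysql_bound_to_localhost /etc/mysql/my.cnf && echo "mysql: loopback only"
```

The evidence copy belongs on removable media or another host, not on the disk about to be wiped; the SHA256SUMS file lets you show later that what you hand to someone (or re-read yourself after the rebuild) is byte-for-byte what was on the box. The MySQL check is deliberately strict about the section: a bind-address line placed under [client] does nothing for the server, which is an easy mistake to make when locking the box down by hand.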