my server was cracked; now what?

Aaron Vegh aaronvegh-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Tue Jul 18 03:03:51 UTC 2006


Thanks for all the advice.

My first step was to eliminate two user accounts created by the
attacker, and I've been watching the server all day for any further
activity; there's been none. I did see the installation of an IRC bot
called psybnc; I don't really understand what that's about or why
people do that... anyone care to explain? It's gone now, anyway.

My server is a dedicated machine with only shell access, so taking it
offline isn't an option. I've written to the hoster's tech support,
and they came back with:

"the only thing i was able to find on the system was a udp flood
running out of /tmp i have removed permissions from this folder so it
wont be able to run anymore. since youve already changed the password
the only other thing i would recommend is go over the users on your
system and make sure noone has created any new users allowing them to
login with shell access to install more of their scripts and such at
this time i show nothing running on the server that shouldnt be."

Interesting. I'm asking them for a quote to re-image the drive, which
I'll pursue as soon as possible.

Cheers,
Aaron.

On 7/17/06, James Knott <james.knott-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org> wrote:
> Aaron Vegh wrote:
> > been rooted? I feel violated, but the server is also running important
> > parts of my business, so I have to keep it going.
>
> Since you have no way of knowing what they left behind, you should
> reinstall the server and also run something like trip wire.
>
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
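The support reply above suggests going over the system's users for attacker-created accounts with shell access. Below is an added example of how a defender could automate that review against an /etc/passwd-style file; it is not code from the original thread, and the passwd content it checks is constructed for illustration (the entries "backup2" and "httpdd" are invented suspicious accounts).

```bash
#!/bin/sh
# Constructed sample passwd data (not from the original post). It contains two
# planted anomalies: "backup2" has UID 0 and "httpdd" lives in /var/tmp.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
aaron:x:1000:1000:Aaron:/home/aaron:/bin/bash
backup2:x:0:0::/tmp:/bin/sh
httpdd:x:1001:1001::/var/tmp:/bin/bash'

# All functions read passwd-format lines from stdin (user:x:uid:gid:gecos:home:shell).

# Accounts that can log in interactively: any shell not ending in nologin/false.
list_login_shells() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }'
}

# Accounts other than root that carry UID 0; a second root-equivalent user is a
# classic backdoor left behind after a compromise.
list_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose home directory is world-writable scratch space (/tmp, /var/tmp),
# which is where the hoster found the UDP flood tool running.
list_tmp_homes() {
    awk -F: '$6 ~ /^\/(var\/)?tmp/ { print $1 }'
}

# Run all three checks over one passwd file and print a labelled report.
audit_passwd() {
    file="${1:-/etc/passwd}"
    echo "== accounts with a login shell (user:uid:shell) =="
    list_login_shells < "$file"
    echo "== non-root accounts with UID 0 =="
    list_uid0 < "$file"
    echo "== accounts with a home under /tmp or /var/tmp =="
    list_tmp_homes < "$file"
}

# Demonstration on the constructed sample; pass a real path to audit a live system.
tmpfile="$(mktemp)"
printf '%s\n' "$SAMPLE_PASSWD" > "$tmpfile"
audit_passwd "$tmpfile"
rm -f "$tmpfile"
```

Compare the login-shell list against the accounts you know you created; anything else, and any hit in the last two sections, deserves a look at its home directory and recent logins before the account is removed.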