my server was cracked; now what?

Vlad shiwan-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Tue Jul 18 03:17:51 UTC 2006


        First, psybnc is NOT an IRC bot; it's a bouncer. It just lets
you "bounce" your IRC connection through it, to make it look like
you're connected from that host.

        Second, people do that for various reasons, most of them being
fairly infantile, or malicious. There's too much to say, really, but
most can be summed up by telling them to grow the hell up already.

        Third... wait. Did they change the perms on /tmp, thereby
breaking more things than can be imagined?

        Sigh.


        --Vlad

On 7/17/06, Aaron Vegh <aaronvegh-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> Thanks for all the advice.
>
> My first step was to eliminate two user accounts created by the
> attacker, and I've been watching the server all day for any further
> activity; there's been none. I did see the installation of an IRC bot
> called psybnc; I don't really understand what that's about or why
> people do that... anyone care to explain? It's gone now, anyway.
>
> My server is a dedicated machine with only shell access, so taking it
> offline isn't an option. I've written to the hoster's tech support,
> and they came back with:
>
> "The only thing I was able to find on the system was a UDP flood
> running out of /tmp. I have removed permissions from this folder so it
> won't be able to run anymore. Since you've already changed the
> password, the only other thing I would recommend is to go over the
> users on your system and make sure no one has created any new users
> allowing them to log in with shell access to install more of their
> scripts and such. At this time I show nothing running on the server
> that shouldn't be."
>
> Interesting. I'm asking them for a quote to re-image the drive, which
> I'll pursue as soon as possible.
>
> Cheers,
> Aaron.
>
> On 7/17/06, James Knott <james.knott-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org> wrote:
> > Aaron Vegh wrote:
> > > been rooted? I feel violated, but the server is also running important
> > > parts of my business, so I have to keep it going.
> >
> > Since you have no way of knowing what they left behind, you should
> > reinstall the server and also run something like trip wire.
> >
> >
> > --
> > The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
> > TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> > How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
> >
>


-- 
end