my server was cracked; now what?
Jamon Camisso
jamon.camisso-H217xnMUJC0sA/PxXw9srA at public.gmane.org
Tue Jul 18 04:08:17 UTC 2006
Aaron Vegh wrote:
> Thanks for all the advice.
>
> My first step was to eliminate two user accounts created by the
> attacker, and I've been watching the server all day for any further
> activity; there's been none. I did see the installation of an IRC bot
> called psybnc; I don't really understand what that's about or why
> people do that... anyone care to explain? It's gone now, anyway.
>
> My server is a dedicated machine with only shell access, so taking it
> offline isn't an option. I've written to the hoster's tech support,
> and they came back with:
>
> "The only thing I was able to find on the system was a UDP flood
> running out of /tmp. I have removed permissions from this folder so it
> won't be able to run anymore. Since you've already changed the password,
> the only other thing I would recommend is go over the users on your
> system and make sure no one has created any new users allowing them to
> login with shell access to install more of their scripts and such. At
> this time I show nothing running on the server that shouldn't be."
Have you considered that your root account may well be compromised? What
about your mysql user account as you mentioned?
Jamon
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml