[lug] Signs of hacking (was ARRG! Change One Little Thing And... HACKED?

Bamm Visscher bamm.visscher at gmail.com
Tue Aug 16 11:22:25 MDT 2005


This is the part where you say "Dang, I wish I'd been doing some
network security monitoring." ;)

How you proceed depends on how confident you are with host based
forensics. Doesn't sound like you are too comfortable with it, and thus
a rebuild may be in your future. Don't feel bad, even the best
forensic guys out there won't give you a "100% guarantee" that your
system is clean after such a compromise.

Bammkkkk
 

On 8/16/05, Bill Thoen <bthoen at gisnet.com> wrote:
> Damme and Blast! I think you've put your finger on it! I am running RH 9
> and PHP and see that there's a new directory created on Jul 30 (when the
> odd process started) and here's what's in it:
> 
> [root at gisnet tmp]# ls -al
> total 12
> drwxrwxrwt    3 root     root         4096 Jul 30 23:03 .
> drwxr-xr-x   21 root     root         4096 Oct  6  2004 ..
> drwxr-xr-x    7 apache   apache       4096 Aug 10 23:11 ...
> 
> I'm sure that any file named "..." and owned by apache is bad news.
> 
> Now what do I do? I hope it isn't "rebuild from the ground up" time. Can I
> defuse this process some how?
> 
> 
> 

-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
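The "..." directory in the quoted listing is easy to miss because it sits right under the legitimate "." and ".." entries. Below is an added detection check (not from this thread or from sguil) that walks a world-writable directory such as /tmp and reports hidden entries whose names are only dots or contain whitespace, together with their owner, so a directory owned by the web-server account stands out. The function name and output format are my own.

```shell
#!/bin/sh
# Constructed example: flag "hidden in plain sight" names like "..." or ". "
# in a directory that untrusted processes can write to (default: /tmp).
#
# Usage: find_dotdir /tmp
# Output per hit: <owner> <mode> "<path>"  (path is quoted so a trailing
# space in the name stays visible).

find_dotdir() {
    dir="${1:-/tmp}"
    # -mindepth 1 skips the scan root itself; "." and ".." are never listed
    # as children, so anything that survives the case filter is a real entry.
    find "$dir" -mindepth 1 -maxdepth 1 -name '.*' 2>/dev/null |
    while IFS= read -r path; do
        name=$(basename -- "$path")
        case "$name" in
            ...*)      ;;   # three or more leading dots, e.g. "..." from the post
            *' '*)     ;;   # contains a space, e.g. ". " or ".. "
            *'	'*)    ;;   # contains a tab
            *) continue ;;  # ordinary dotfiles such as .cache are fine
        esac
        # ls -ld is portable across GNU and BSD; field 1 is the mode,
        # field 3 the owner (the post's hit was owned by "apache").
        info=$(ls -ld -- "$path")
        mode=$(printf '%s\n' "$info" | awk '{print $1}')
        owner=$(printf '%s\n' "$info" | awk '{print $3}')
        printf '%s %s "%s"\n' "$owner" "$mode" "$path"
    done
}
```

Run it from cron or your NSM host checks against /tmp, /var/tmp and the web server's document root; a hit owned by the web-server user is the same signal Bill saw and is worth preserving (copy with cp -a) before any cleanup.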